VYPR
Unrated severity · NVD Advisory · Published May 3, 2024 · Updated Aug 15, 2024

Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability

CVE-2023-42099

Description

Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Intel Driver & Support Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the DSA Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-21846.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Intel Driver & Support Assistant contains a link-following vulnerability allowing local attackers to escalate privileges to SYSTEM by creating a symbolic link.

Vulnerability

This vulnerability affects Intel Driver & Support Assistant (DSA). The specific flaw exists within the DSA Service, which improperly follows symbolic links. A local attacker who can execute low-privileged code on the target system can create a symbolic link that causes the service to delete a file of the attacker's choosing. The affected versions are not explicitly listed in the available references, but the vulnerability was reported as a 0-day in September 2023.

Exploitation

The attacker must first have the ability to execute low-privileged code on the system. Exploitation involves creating a symbolic link that the DSA Service follows, causing it to delete a file of the attacker's choice. No user interaction or network access is required; the attack is local. The exact sequence: the attacker creates a symbolic link pointing to a file they want the service to delete, then triggers the vulnerable code path in DSA Service.

Impact

Successful exploitation allows the attacker to delete arbitrary files on the system. By carefully choosing the file to delete, the attacker can leverage this to escalate privileges to SYSTEM and execute arbitrary code in the SYSTEM context. This results in a full compromise of the confidentiality, integrity, and availability of the affected system [1].

Mitigation

Intel released a fix for this vulnerability in an updated version of Intel Driver & Support Assistant. Users should update to the latest version as provided by Intel. The vulnerability was disclosed as a 0-day by ZDI in September 2023, and a patch is expected to be included in DSA updates. No workarounds are documented. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. [1]
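For developers of privileged services, the flaw class described above (a privileged delete that resolves a path through a link in a user-writable directory) is shown here beside a handle-relative form that refuses links. This is an added example, not Intel's code or the DSA fix; it is a POSIX analogue in Python, and the directory and file names (`work`, `protected`, `cache`, `config.dat`) are constructed.

```python
import os
import tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def delete_following_links(base, rel):
    """Weak form: the path string is resolved at delete time, links included."""
    os.remove(os.path.join(base, rel))


def delete_no_follow(base, rel):
    """Hardened form: descend from a directory handle, refusing any link."""
    parts = rel.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("unexpected path component in %r" % rel)
    fd = os.open(base, DIR_FLAGS)
    try:
        for name in parts[:-1]:
            # O_NOFOLLOW: open() raises OSError if `name` is a symlink.
            nxt = os.open(name, DIR_FLAGS, dir_fd=fd)
            os.close(fd)
            fd = nxt
        # Unlink relative to the verified handle, not to a re-resolved path.
        os.unlink(parts[-1], dir_fd=fd)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario; returns (hardened_refused, file_survived, weak_deleted)."""
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "work")            # writable by a low-privileged user
        protected = os.path.join(root, "protected")  # stands in for a directory that is not
        os.mkdir(work)
        os.mkdir(protected)
        target = os.path.join(protected, "config.dat")
        open(target, "w").close()
        # The subdirectory the service expects has been replaced by a link.
        os.symlink(protected, os.path.join(work, "cache"))
        try:
            delete_no_follow(work, "cache/config.dat")
            refused = False
        except OSError:
            refused = True
        survived = os.path.exists(target)
        delete_following_links(work, "cache/config.dat")
        return refused, survived, not os.path.exists(target)
```

On Windows the corresponding pattern is to open each component with `FILE_FLAG_OPEN_REPARSE_POINT`, reject handles that carry `FILE_ATTRIBUTE_REPARSE_POINT`, and delete through the handle rather than by path.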

References
  1. ZDI-23-1449

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.
