CVE-2024-21777
Description
Uncontrolled search path in Intel Quartus Prime Pro before 23.4 allows local authenticated users to escalate privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An uncontrolled search path vulnerability exists in Intel(R) Quartus(R) Prime Pro Edition Design software prior to version 23.4 [1]. The software does not properly control the order in which directories are searched for dynamic libraries or executables, potentially allowing an attacker to place a malicious file in a directory that is searched before the legitimate system location. This requires an authenticated user on the local system to trigger the vulnerable code path.
Exploitation
An attacker needs local access to the system and valid credentials as an authenticated user. The attacker must place a crafted malicious DLL or executable in a directory that is part of the search path and that will be loaded by the Quartus Prime Pro Edition software before the intended legitimate file. When the authenticated user launches the software or performs a specific operation, the attacker's code is loaded and executed in the context of the user running the software.
Impact
Successful exploitation allows the attacker to escalate privileges [1]. The attacker can execute arbitrary code with the privileges of the authenticated user running the Quartus software. Depending on the user's rights, this could lead to local privilege escalation, potentially granting the attacker access to additional resources or enabling further compromise of the system.
Mitigation
Intel released version 23.4 of Intel Quartus Prime Pro Edition Design software, which addresses this vulnerability [1]. Users should update to version 23.4 or later. No workaround is explicitly provided in the reference. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Intel/Quartus(R) Prime Pro Edition Design software
- Range: <23.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References