CVE-2024-21837

Vulnerability

An uncontrolled search path vulnerability (CWE-427) exists in Intel(R) Quartus(R) Prime Lite Edition Design software before version 23.1. The affected component dynamically loads libraries from untrusted search paths, potentially allowing a malicious binary placed in the search order to be loaded instead of the intended one. The vulnerability requires an authenticated user to have local access to the system.

Exploitation

An authenticated user with local access must be able to place a crafted dynamic-link library (DLL) or executable into a directory that is searched before the legitimate system directory. When the affected software attempts to load a required component, the malicious payload is loaded instead. No additional network access or special privileges beyond standard user access are needed.

Impact

Successful exploitation allows the attacker to escalate privileges, executing arbitrary code with the privileges of the vulnerable application. This can lead to full compromise of the user's session, data access, and potentially further system control depending on the application's runtime context.

Mitigation

Intel released version 23.1 of Quartus Prime Lite Edition Design software, which addresses the uncontrolled search path issue. Users should update to version 23.1 or later. No workaround is detailed in the available references [1].