#VU79532 Untrusted search path in Intel products - CVE-2023-28823

Vulnerability identifier: #VU79532

Vulnerability risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-28823

CWE-ID: CWE-426

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Intel Advisor for oneAPI
Universal components / Libraries / Software for developers
Intel CPU Runtime for OpenCL Applications
Universal components / Libraries / Software for developers
Intel DPC++ Compatibility Tool
Universal components / Libraries / Software for developers
Intel Embree Ray Tracing Kernel Library
Universal components / Libraries / Software for developers
Intel Fortran Compiler
Universal components / Libraries / Software for developers
Intel Implicit SPMD Program Compiler
Universal components / Libraries / Software for developers
Intel Inspector for oneAPI
Universal components / Libraries / Software for developers
Intel IPP Cryptography
Universal components / Libraries / Software for developers
Intel oneAPI Base Toolkit
Universal components / Libraries / Software for developers
Intel oneAPI Data Analytics Library
Universal components / Libraries / Software for developers
Intel oneAPI Deep Neural Network Library
Universal components / Libraries / Software for developers
Intel oneAPI DPC++/C++ Compiler
Universal components / Libraries / Software for developers
Intel oneAPI DPC++ Library (oneDPL)
Universal components / Libraries / Software for developers
Intel oneAPI HPC Toolkit
Universal components / Libraries / Software for developers
Intel oneAPI IoT Toolkit
Universal components / Libraries / Software for developers
Intel oneAPI Rendering Toolkit
Universal components / Libraries / Software for developers
Intel oneAPI Threading Building Blocks
Universal components / Libraries / Software for developers
Intel oneAPI Video Processing Library
Universal components / Libraries / Software for developers
Intel Open Image Denoise
Universal components / Libraries / Software for developers
Intel Open Volume Kernel Library
Universal components / Libraries / Software for developers
Intel OSPRay
Universal components / Libraries / Software for developers
Intel OSPRay Studio
Universal components / Libraries / Software for developers
Intel Trace Analyzer and Collector
Universal components / Libraries / Software for developers
Intel VTune Profiler for oneAPI
Universal components / Libraries / Software for developers
Intel Distribution for Python programming language
Universal components / Libraries / Programming Languages & Components
Intel Integrated Performance Primitives
Universal components / Libraries / Libraries used by multiple products
MPI Library
Universal components / Libraries / Libraries used by multiple products
Intel oneAPI Math Kernel Library
Hardware solutions / Firmware
Intel oneAPI Toolkits
Hardware solutions / Firmware

Vendor: Intel

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an untrusted search path. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Intel Advisor for oneAPI: before 2023.1

Intel CPU Runtime for OpenCL Applications: before 2023.1

Intel Distribution for Python programming language: before 2023.1

Intel DPC++ Compatibility Tool: before 2023.1

Intel Embree Ray Tracing Kernel Library: before 2023.1

Intel Fortran Compiler: before 2023.1

Intel Implicit SPMD Program Compiler: before 1.19.1

Intel Inspector for oneAPI: before 2023.1

Intel Integrated Performance Primitives: before 2021.8

Intel IPP Cryptography: before 2021.7.0

MPI Library: before 2021.9

Intel oneAPI Base Toolkit: before 2023.1

Intel oneAPI Data Analytics Library: before 2023.1

Intel oneAPI Deep Neural Network Library: before 2023.1

Intel oneAPI DPC++/C++ Compiler: before 2023.1

Intel oneAPI DPC++ Library (oneDPL): before 2022.1

Intel oneAPI HPC Toolkit: before 2023.1

Intel oneAPI IoT Toolkit: before 2023.1

Intel oneAPI Math Kernel Library: before 2023.1

Intel oneAPI Rendering Toolkit: before 2023.1

Intel oneAPI Threading Building Blocks: before 2021.9.0

Intel oneAPI Video Processing Library: before 2023.1

Intel Open Image Denoise: before 1.4.3

Intel Open Volume Kernel Library: before 2023.1

Intel OSPRay: before 2023.1

Intel OSPRay Studio: before 2023.1

Intel Trace Analyzer and Collector: before 2021.9.0

Intel VTune Profiler for oneAPI: before 2023.1

Intel oneAPI Toolkits: before 2023.1.0

---

External links
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00890.html

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.