CVE-2021-0112
📋 TL;DR
This vulnerability allows an authenticated Windows user to escalate privileges by exploiting an unquoted service path in Intel Unite Client. Because the path contains spaces and is not quoted, an attacker could place a malicious executable at a location that Windows tries before the legitimate service executable. It only affects Windows systems running vulnerable Intel Unite Client versions.
💻 Affected Systems
- Intel Unite Client for Windows
📦 What is this software?
Unite by Intel
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker gains SYSTEM-level privileges, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement.
Likely Case
Authenticated user with limited privileges escalates to administrator rights, potentially installing unauthorized software or accessing sensitive data.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with minimal data exposure.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of unquoted service path vulnerabilities. Similar techniques are well-documented for Windows privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.25031 and later
Vendor Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00506.html
Restart Required: Yes
Instructions:
1. Download Intel Unite Client version 4.2.25031 or later from Intel's official site.
2. Run the installer with administrative privileges.
3. Restart the system to ensure service updates take effect.
🔧 Temporary Workarounds
Manually quote service path
Windows: Modify the Intel Unite service to use a quoted path in the Windows Registry
sc config "Intel Unite Client" binPath= "\"C:\Program Files\Intel\Unite Client\unite-service.exe\""
Restrict write permissions
Windows: Remove write permissions from directories in the service path that could be exploited
icacls "C:\Program Files\Intel" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to limit who can authenticate to affected systems
- Monitor for suspicious file creation in directories like C:\Program, C:\Program Files, and C:\Program Files\Intel
🔍 How to Verify
Check if Vulnerable:
Check the Intel Unite Client version in Programs and Features, or run sc qc "Intel Unite Client" to see whether the service path is unquoted
Check Version:
wmic product where name="Intel Unite Client" get version
Verify Fix Applied:
Verify that the version is 4.2.25031 or higher and that the service path is properly quoted in the Windows Registry
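The unquoted-path check above can be scripted. The following is an added example, not code from Intel or from this advisory: it flags a service image path that is unquoted with spaces in the executable portion and lists the locations worth monitoring or ACL-checking. The service name and path of the first sample come from the workaround command on this page; the other two entries and the function name Get-UnquotedPathCandidates are constructed for illustration.

```powershell
# Added example (not Intel's code). Sample service data below is constructed.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = $ImagePath.Trim()
    # A leading quote means the executable path is delimited unambiguously.
    if ($p.StartsWith('"')) { return }

    # Keep only the executable part; spaces inside arguments are harmless.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # Every space in the executable path is a point where Windows may try
    # "<prefix>.exe" before the intended binary, so emit each such location.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

# Constructed sample; on a live host feed it from:
#   Get-CimInstance Win32_Service | Select-Object Name, PathName
$services = @(
    [pscustomobject]@{ Name = 'Intel Unite Client'
                       PathName = 'C:\Program Files\Intel\Unite Client\unite-service.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc'      # hypothetical, already quoted
                       PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ArgsOnlySvc'    # hypothetical, spaces only in arguments
                       PathName = 'C:\Windows\System32\svchost.exe -k netsvcs -p' }
)

foreach ($s in $services) {
    $c = @(Get-UnquotedPathCandidates -ImagePath $s.PathName)
    if ($c.Count -gt 0) {
        "{0}: UNQUOTED, monitor and ACL-check: {1}" -f $s.Name, ($c -join ', ')
    } else {
        "{0}: OK" -f $s.Name
    }
}
```

The locations reported for the first entry correspond to the directories listed under "If You Can't Patch"; the quoted and arguments-only entries are reported as OK, which avoids the common false positive of flagging any image path that contains a space.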
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) showing execution from unexpected paths
- Security logs showing privilege escalation attempts
Network Indicators:
- Unusual outbound connections from systems running Intel Unite Client
SIEM Query:
source="windows_security" EventID=4688 (Image="*Program Files*Intel*" OR Image="*Program*Intel*")