CVE-2021-33092

7.8 HIGH

📋 TL;DR

This vulnerability allows authenticated local users to escalate privileges on Intel NUC M15 Laptop Kit systems due to incorrect default permissions in the HID Event Filter driver installer. Attackers could gain SYSTEM-level access by exploiting overly permissive file permissions. Only systems with the vulnerable driver pack installed are affected.

💻 Affected Systems

Products:
  • Intel NUC M15 Laptop Kit HID Event Filter driver pack
Versions: Before 2.2.1.383
Operating Systems: Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the vulnerable driver pack is installed. The vulnerability is in the installer permissions, not the driver itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local authenticated attacker gains SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement.

🟠 Likely Case: Malicious insider or compromised user account escalates to administrative privileges to install malware, disable security controls, or access sensitive data.

🟢 If Mitigated: With proper access controls and least privilege principles, impact is limited to users who already have local access to vulnerable systems.

🌐 Internet-Facing: LOW - Requires local authenticated access, not remotely exploitable.
🏢 Internal Only: HIGH - Local privilege escalation vulnerabilities are valuable for attackers who gain initial access through other means.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access and knowledge of the vulnerable file locations. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1.383 or later

Vendor Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00569.html

Restart Required: Yes

Instructions:

1. Download updated driver pack from Intel Driver & Support Assistant or Intel website.
2. Run installer with administrative privileges.
3. Follow on-screen instructions.
4. Restart system when prompted.

🔧 Temporary Workarounds

Remove vulnerable driver (Windows)

Uninstall the HID Event Filter driver if not required for system functionality

Control Panel > Programs > Uninstall a program > Intel HID Event Filter Driver > Uninstall

Adjust file permissions (Windows)

Manually set restrictive permissions on driver files and directories

icacls "C:\Windows\System32\drivers\IntelHIDEventFilter.sys" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)" "Users:(RX)"

🧯 If You Can't Patch

  • Implement strict least privilege access controls to limit local user permissions
  • Monitor for suspicious privilege escalation attempts using endpoint detection tools

🔍 How to Verify

Check if Vulnerable:

Check driver version in Device Manager under Human Interface Devices > Intel HID Event Filter, or check file properties of C:\Windows\System32\drivers\IntelHIDEventFilter.sys

Check Version:

Get-CimInstance -ClassName Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like '*Intel HID Event Filter*' } | Select-Object DeviceName, DriverVersion

Verify Fix Applied:

Verify that the driver version is 2.2.1.383 or higher and that the file permissions show proper restrictive settings.
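
Both verification checks combined into one audit function, added here as an example and not taken from Intel's advisory or tooling. It uses the driver path and fixed version quoted on this page; the function name Test-HidEventFilterExposure and the list of trusted SIDs are assumptions made for this example.

```powershell
# Added example: audit one host for CVE-2021-33092 exposure.
# Path and fixed version are the ones quoted on this page; the function
# name and the trusted-SID list are assumptions made for this example.
function Test-HidEventFilterExposure {
    param(
        [version]$FixedVersion = '2.2.1.383',
        [string]$DriverPath = 'C:\Windows\System32\drivers\IntelHIDEventFilter.sys'
    )
    # Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
    $trusted = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    # Write, Delete, ChangePermissions, TakeOwnership, plus the unmapped
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writeBits = [int]$rights -bor 0x50000000
    $findings  = [System.Collections.Generic.List[string]]::new()

    # 1. Version check against the same WMI class as the "Check Version" command.
    $drivers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Intel HID Event Filter*' })
    if ($drivers.Count -eq 0) { $findings.Add('INFO: driver not installed') }
    foreach ($d in $drivers) {
        if ([version]$d.DriverVersion -lt $FixedVersion) {
            $findings.Add("VULNERABLE: driver version $($d.DriverVersion) is below $FixedVersion")
        }
    }

    # 2. ACL check: any Allow entry giving write-type rights to a principal
    #    outside the trusted list means a standard user may be able to alter the file.
    if (Test-Path -LiteralPath $DriverPath) {
        $acl   = Get-Acl -LiteralPath $DriverPath
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -eq 'Allow' -and $sid -notin $trusted -and
                ([int]$r.FileSystemRights -band $writeBits) -ne 0) {
                $findings.Add("WEAK ACL: $sid has $($r.FileSystemRights) on $DriverPath")
            }
        }
    }
    return $findings
}

Test-HidEventFilterExposure
```

An empty result means the installed driver is at or above the fixed version and no principal outside the trusted list holds write-type rights on the file.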

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4688 (process creation) showing privilege escalation attempts
  • Sysmon Event ID 1 showing execution of privileged processes from user accounts

Network Indicators:

  • No network indicators - local privilege escalation only

SIEM Query:

source="windows_security" event_id=4688 AND (process_name="cmd.exe" OR process_name="powershell.exe") AND integrity_level="System" AND user!="SYSTEM"
