CVE-2022-21804
📋 TL;DR
This vulnerability is an out-of-bounds write in Intel's QAT Driver for Windows that allows authenticated users to potentially escalate privileges via local access. It affects systems running vulnerable versions of the Intel QAT Driver on Windows. Successful exploitation could give attackers elevated system privileges.
💻 Affected Systems
- Intel QuickAssist Technology (QAT) Driver for Windows
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Authenticated users (including low-privilege accounts) escalate to administrative privileges, allowing installation of malware, configuration changes, and credential harvesting.
If Mitigated
With proper access controls and patching, impact is limited to denial of service or driver crashes without privilege escalation.
🎯 Exploit Status
Requires authenticated access and knowledge of driver interaction. No public exploit code available as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.0-0008 or later
Vendor Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00809.html
Restart Required: Yes
Instructions:
1. Download Intel QAT Driver version 1.9.0-0008 or later from Intel's website.
2. Uninstall current QAT driver.
3. Install updated driver.
4. Restart system.
🔧 Temporary Workarounds
Restrict Driver Access
Limit which users can interact with the QAT driver through Windows security settings
Use Windows Group Policy or local security policy to restrict access to QAT driver files and services
Disable QAT if Not Required
Temporarily disable Intel QAT functionality if not essential for operations
Disable-QATService (if available) or use Device Manager to disable QAT hardware
🧯 If You Can't Patch
- Implement strict least-privilege access controls to limit which users can log into affected systems
- Monitor for unusual privilege escalation attempts and driver-related crashes in system logs
🔍 How to Verify
Check if Vulnerable:
Check QAT driver version in Device Manager under System devices or run: Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like '*QAT*'} | Select-Object DeviceName, DriverVersion
Check Version:
Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like '*QAT*'} | Select-Object DriverVersion
Verify Fix Applied:
Verify that the driver version is 1.9.0-0008 or higher, using the same command as above
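The version check above can be scripted so that each QAT device is compared numerically against the fixed version. This is an added example, not Intel's tooling or code from the advisory; the function names are hypothetical, and it assumes the DriverVersion string reported by WMI follows the same numbering as the package version 1.9.0-0008 given on this page.

```powershell
# Added example. Assumption: WMI's DriverVersion uses the same numbering as the
# package version on this page. Function names below are hypothetical.
$FixedVersion = '1.9.0-0008'   # patch version stated on this page

function ConvertTo-QatVersion {
    param([string]$Text)
    # Accept '1.9.0-0008' and '1.9.0.8' alike: split on '.' or '-'.
    $fields = @("$Text".Trim() -split '[.\-]')
    # Reject anything that is not 2 to 4 purely numeric fields.
    if ($fields.Count -lt 2 -or $fields.Count -gt 4) { return $null }
    if (@($fields -notmatch '^\d+$').Count -gt 0) { return $null }
    $n = @($fields | ForEach-Object { [int]$_ })
    while ($n.Count -lt 4) { $n += 0 }
    return [version]::new($n[0], $n[1], $n[2], $n[3])
}

function Test-QatDriverPatched {
    param([string]$DriverVersion, [string]$Minimum = $FixedVersion)
    $have = ConvertTo-QatVersion $DriverVersion
    $need = ConvertTo-QatVersion $Minimum
    # $null means the version could not be parsed and needs manual review.
    if ($null -eq $have -or $null -eq $need) { return $null }
    # Numeric comparison, so 1.10.x sorts above 1.9.x (a string compare would not).
    return ($have -ge $need)
}

# Report every QAT device on this host. Get-CimInstance reads the same
# Win32_PnPSignedDriver class as the Get-WmiObject command above.
Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*QAT*' } |
    ForEach-Object {
        $ok = Test-QatDriverPatched $_.DriverVersion
        [pscustomobject]@{
            DeviceName    = $_.DeviceName
            DriverVersion = $_.DriverVersion
            Status        = if ($null -eq $ok) { 'UNKNOWN' } elseif ($ok) { 'PATCHED' } else { 'VULNERABLE' }
        }
    }

# Constructed sample versions (not taken from a real host) to exercise the comparison.
'1.8.0-0005', '1.9.0.8', '1.10.0-0001', 'n/a' |
    ForEach-Object { '{0} -> {1}' -f $_, (Test-QatDriverPatched $_) }
```

A Status of UNKNOWN means the version string did not parse and the host should be checked by hand rather than counted as patched.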
📡 Detection & Monitoring
Log Indicators:
- Unexpected driver crashes (Event ID 1001)
- Privilege escalation attempts in security logs
- Unusual QAT driver activity
Network Indicators:
- None - local exploit only
SIEM Query:
(EventID=1001 AND Source="Windows Error Reporting" AND Description="*qat*") OR (EventID=4688 AND NewProcessName="*qat*")