CVE-2022-36397

7.3 HIGH

📋 TL;DR

This vulnerability allows authenticated users on Linux systems with affected Intel QAT drivers to escalate privileges via local access due to incorrect default permissions in the software installer. It affects systems running Intel QuickAssist Technology drivers for Linux before version 4.17. The issue stems from improper file permissions that could allow local users to gain elevated privileges.

💻 Affected Systems

Products:
  • Intel QuickAssist Technology (QAT) drivers for Linux
Versions: All versions before 4.17
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Intel QAT hardware and drivers installed. Requires local authenticated access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated local attacker gains root privileges on the system, enabling complete system compromise, data theft, persistence establishment, and lateral movement.

🟠 Likely Case

Privileged local users or attackers with initial access escalate to root privileges to install malware, modify system configurations, or access sensitive data.

🟢 If Mitigated

With proper access controls and least privilege principles, impact is limited to authorized users only, though privilege escalation risk remains for authenticated users.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated local access, not remotely exploitable.
🏢 Internal Only: HIGH - Any authenticated user on affected systems can potentially escalate to root privileges, posing a significant internal threat.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated local access. The vulnerability involves incorrect file permissions that could be leveraged through standard privilege escalation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.17 and later

Vendor Advisory: http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00751.html

Restart Required: Yes

Instructions:

1. Download Intel QAT driver version 4.17 or later from Intel's website.
2. Uninstall the current QAT driver.
3. Install the updated driver.
4. Reboot the system to ensure changes take effect.

🔧 Temporary Workarounds

Manual permission correction

linux

Manually adjust file permissions on QAT driver files to restrict write access to privileged users only

chmod 755 /path/to/qat/files
chown root:root /path/to/qat/files

Access restriction

all

Restrict local access to systems with QAT drivers to only necessary privileged users

🧯 If You Can't Patch

  • Restrict local user access to only trusted administrators
  • Implement strict file integrity monitoring on QAT driver files and directories
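
An added example, not taken from Intel's advisory or from this page's original text: a POSIX shell audit that supports the manual permission correction and file integrity monitoring above by listing entries under the driver tree that are group- or world-writable or not owned by the expected owner. `QAT_DIR`, `list_loose_files` and `audit_tree` are hypothetical names, and the install path is a placeholder because the page does not give it.

```sh
#!/bin/sh
# Added example: audit a driver install tree for loose permissions.
# QAT_DIR is a placeholder; this page does not state the real install path.

# list_loose_files DIR [OWNER]
# Prints every entry under DIR (directories included, symlinks skipped,
# since symlink mode bits are not meaningful) that is group-writable,
# world-writable, or not owned by OWNER (default: root).
# A writable directory matters as much as a writable file: it lets a
# local user replace the files inside it.
list_loose_files() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" ! -type l \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print
}

# audit_tree DIR [OWNER]
# Returns 0 when the tree is clean, 1 when findings exist (each one is
# shown with its mode and owner), 2 when the tree could not be scanned.
audit_tree() {
    findings=$(list_loose_files "$1" "${2:-root}") || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | while IFS= read -r f; do
            ls -ld "$f"
        done
        return 1
    fi
    return 0
}

# Run only when the operator supplies the install path, e.g.:
#   QAT_DIR=/path/to/qat/files sh audit_qat_perms.sh
if [ -n "${QAT_DIR:-}" ]; then
    audit_tree "$QAT_DIR"
fi
```

A non-zero exit makes the script usable from cron or a configuration-management check; rerun it after applying the `chmod` and `chown` workaround to confirm the tree is clean.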

🔍 How to Verify

Check if Vulnerable:

Check QAT driver version: 'modinfo qat' or check installed package version. If version is earlier than 4.17, system is vulnerable.

Check Version:

modinfo qat | grep version

Verify Fix Applied:

Verify QAT driver version is 4.17 or later: 'modinfo qat | grep version' should show version 4.17 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation attempts
  • Unauthorized access to QAT driver files
  • Changes to QAT driver permissions or ownership

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

source="linux_audit" AND ((event_type="file_permission_change" AND file_path="/path/to/qat/*") OR (event_type="privilege_escalation" AND process_name="qat*"))
