CVE-2024-28887
📋 TL;DR
This vulnerability in Intel IPP software allows authenticated local users to escalate privileges by exploiting an uncontrolled search path (DLL hijacking). It affects Intel IPP software versions before 2021.11.
💻 Affected Systems
- Intel Integrated Performance Primitives (IPP) software
📦 What is this software?
Integrated Performance Primitives by Intel
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain SYSTEM/root privileges on the affected system, enabling complete system compromise, data theft, and persistence.
Likely Case
Local authenticated users could elevate their privileges to administrator/root level, allowing them to install malware, modify system configurations, or access restricted data.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the user's own account scope.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity once the vulnerable path is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.11 or later
Vendor Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01129.html
Restart Required: Yes
Instructions:
1. Download Intel IPP version 2021.11 or later from Intel's website.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict DLL search path
Windows: Set DLL search order to prioritize system directories over the current directory
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode' -Value 1
Remove write permissions from IPP directories
Linux: Prevent users from placing malicious DLLs in IPP search paths
chmod -R o-w /opt/intel/ipp/
chmod -R g-w /opt/intel/ipp/
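To confirm the permission workaround above is actually in effect, the following added example (not from Intel's advisory or the original page) lists group- or other-writable entries under the install tree and in its parent directories. The default path /opt/intel/ipp is the one used on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a library install tree for entries that non-owners
# can modify. Default path is the one used on this page; pass another to override.

# List files and directories under $1 that are group- or other-writable.
# Symlinks are skipped: their own mode bits do not control access.
find_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# List ancestors of $1 that are group- or other-writable without the sticky
# bit. Write access there lets a user rename or replace the tree itself.
find_writable_ancestors() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 0
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        find "$dir" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 -print
    done
}

# Return 0 when nothing is flagged, 1 otherwise; findings go to stdout.
audit_tree() {
    target=${1:-/opt/intel/ipp}
    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 2; }
    findings=$( { find_writable "$target"; find_writable_ancestors "$target"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

Saved to a file and run with the install path as its argument, it exits 1 when any path is flagged, which makes it usable as a scheduled compliance check.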
🧯 If You Can't Patch
- Implement strict access controls to limit who has local authenticated access to affected systems
- Apply the principle of least privilege to ensure users don't have unnecessary permissions
🔍 How to Verify
Check if Vulnerable:
Check Intel IPP version: on Windows, check Programs and Features; on Linux, check /opt/intel/ipp/version.txt or run the 'ippversion' command
Check Version:
On Linux: cat /opt/intel/ipp/version.txt || ippversion; on Windows: check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Intel\IPP\Version
Verify Fix Applied:
Verify installed version is 2021.11 or later using the same methods as checking vulnerability
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from IPP directories
- Failed DLL loading attempts from IPP paths
- Privilege escalation events
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
Process creation where parent process is from IPP directory AND new process has higher privileges