CVE-2024-29223
📋 TL;DR
This vulnerability in Intel QuickAssist Technology software allows authenticated local users to escalate privileges by manipulating the search path for DLL files. It affects systems running Intel QAT software versions before 2.2.0 with local user access.
💻 Affected Systems
- Intel QuickAssist Technology (QAT) software
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker gains SYSTEM/root privileges, enabling complete system compromise, data theft, and persistence establishment.
Likely Case
Local authenticated user elevates to administrator privileges to install malware, modify system configurations, or access restricted data.
If Mitigated
With proper access controls and patching, impact limited to failed privilege escalation attempts with audit logging.
🎯 Exploit Status
Requires local authenticated access and ability to place malicious DLL in search path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.0 or later
Vendor Advisory: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01124.html
Restart Required: Yes
Instructions:
1. Download Intel QAT software version 2.2.0 or later from Intel website. 2. Uninstall previous QAT software. 3. Install updated version. 4. Restart system.
🔧 Temporary Workarounds
Restrict DLL search path permissions
allSet strict permissions on directories in DLL search path to prevent unauthorized DLL placement
Windows: icacls "C:\Program Files\Intel\QAT" /deny Users:(OI)(CI)W
Linux: chmod 755 /usr/lib64/libqat.so && chown root:root /usr/lib64/libqat.so
Enable Safe DLL Search Mode
allConfigure system to search system directories first before current directory
Windows: Set registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to 1
Linux: Ensure LD_LIBRARY_PATH is properly secured
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges
- Monitor for suspicious DLL loading events and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Intel QAT software version: Windows - Check Programs and Features; Linux - rpm -qa | grep qat or dpkg -l | grep qatCheck Version:
Windows: wmic product where "name like '%Intel%QuickAssist%'" get version; Linux: qat_service -v 2>/dev/null || echo "Check package manager"Verify Fix Applied:
Confirm Intel QAT version is 2.2.0 or later using version check command📡 Detection & Monitoring
Log Indicators:
- Failed privilege escalation attempts
- Unauthorized DLL loading from non-system paths
- Process execution with unexpected parent/child relationships
Network Indicators:
- Not network exploitable - focus on host-based detection
SIEM Query:
EventID=4688 AND (ProcessName LIKE '%qat%' OR ParentProcessName LIKE '%qat%') AND NewProcessName NOT IN ('expected_qat_processes')