Multiple vulnerabilities in Intel oneAPI Toolkit and Component software installers



Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-27391
CVE-2023-28823
CWE-ID CWE-284
CWE-426
Exploitation vector Local
Public exploit N/A
Vulnerable software
Intel Advisor for oneAPI
Universal components / Libraries / Software for developers

Intel CPU Runtime for OpenCL Applications
Universal components / Libraries / Software for developers

Intel DPC++ Compatibility Tool
Universal components / Libraries / Software for developers

Intel Embree Ray Tracing Kernel Library
Universal components / Libraries / Software for developers

Intel Fortran Compiler
Universal components / Libraries / Software for developers

Intel Implicit SPMD Program Compiler
Universal components / Libraries / Software for developers

Intel Inspector for oneAPI
Universal components / Libraries / Software for developers

Intel IPP Cryptography
Universal components / Libraries / Software for developers

Intel oneAPI Base Toolkit
Universal components / Libraries / Software for developers

Intel oneAPI Data Analytics Library
Universal components / Libraries / Software for developers

Intel oneAPI Deep Neural Network Library
Universal components / Libraries / Software for developers

Intel oneAPI DPC++/C++ Compiler
Universal components / Libraries / Software for developers

Intel oneAPI DPC++ Library (oneDPL)
Universal components / Libraries / Software for developers

Intel oneAPI HPC Toolkit
Universal components / Libraries / Software for developers

Intel oneAPI IoT Toolkit
Universal components / Libraries / Software for developers

Intel oneAPI Rendering Toolkit
Universal components / Libraries / Software for developers

Intel oneAPI Threading Building Blocks
Universal components / Libraries / Software for developers

Intel oneAPI Video Processing Library
Universal components / Libraries / Software for developers

Intel Open Image Denoise
Universal components / Libraries / Software for developers

Intel Open Volume Kernel Library
Universal components / Libraries / Software for developers

Intel OSPRay
Universal components / Libraries / Software for developers

Intel OSPRay Studio
Universal components / Libraries / Software for developers

Intel Trace Analyzer and Collector
Universal components / Libraries / Software for developers

Intel VTune Profiler for oneAPI
Universal components / Libraries / Software for developers

Intel Distribution for Python programming language
Universal components / Libraries / Programming Languages & Components

Intel Integrated Performance Primitives
Universal components / Libraries / Libraries used by multiple products

MPI Library
Universal components / Libraries / Libraries used by multiple products

Intel oneAPI Math Kernel Library
Hardware solutions / Firmware

Intel oneAPI Toolkits
Hardware solutions / Firmware

Vendor Intel

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU79531

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-27391

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions. A local user can escalate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Advisor for oneAPI: before 2023.1

Intel CPU Runtime for OpenCL Applications: before 2023.1

Intel Distribution for Python programming language: before 2023.1

Intel DPC++ Compatibility Tool: before 2023.1

Intel Embree Ray Tracing Kernel Library: before 2023.1

Intel Fortran Compiler: before 2023.1

Intel Implicit SPMD Program Compiler: before 1.19.1

Intel Inspector for oneAPI: before 2023.1

Intel Integrated Performance Primitives: before 2021.8

Intel IPP Cryptography: before 2021.7.0

MPI Library: before 2021.9

Intel oneAPI Base Toolkit: before 2023.1

Intel oneAPI Data Analytics Library: before 2023.1

Intel oneAPI Deep Neural Network Library: before 2023.1

Intel oneAPI DPC++/C++ Compiler: before 2023.1

Intel oneAPI DPC++ Library (oneDPL): before 2022.1

Intel oneAPI HPC Toolkit: before 2023.1

Intel oneAPI IoT Toolkit: before 2023.1

Intel oneAPI Math Kernel Library: before 2023.1

Intel oneAPI Rendering Toolkit: before 2023.1

Intel oneAPI Threading Building Blocks: before 2021.9.0

Intel oneAPI Video Processing Library: before 2023.1

Intel Open Image Denoise: before 1.4.3

Intel Open Volume Kernel Library: before 2023.1

Intel OSPRay: before 2023.1

Intel OSPRay Studio: before 2023.1

Intel Trace Analyzer and Collector: before 2021.9.0

Intel VTune Profiler for oneAPI: before 2023.1

Intel oneAPI Toolkits: before 2023.1.0

CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00890.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Untrusted search path

EUVDB-ID: #VU79532

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28823

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an untrusted search path. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Advisor for oneAPI: before 2023.1

Intel CPU Runtime for OpenCL Applications: before 2023.1

Intel Distribution for Python programming language: before 2023.1

Intel DPC++ Compatibility Tool: before 2023.1

Intel Embree Ray Tracing Kernel Library: before 2023.1

Intel Fortran Compiler: before 2023.1

Intel Implicit SPMD Program Compiler: before 1.19.1

Intel Inspector for oneAPI: before 2023.1

Intel Integrated Performance Primitives: before 2021.8

Intel IPP Cryptography: before 2021.7.0

MPI Library: before 2021.9

Intel oneAPI Base Toolkit: before 2023.1

Intel oneAPI Data Analytics Library: before 2023.1

Intel oneAPI Deep Neural Network Library: before 2023.1

Intel oneAPI DPC++/C++ Compiler: before 2023.1

Intel oneAPI DPC++ Library (oneDPL): before 2022.1

Intel oneAPI HPC Toolkit: before 2023.1

Intel oneAPI IoT Toolkit: before 2023.1

Intel oneAPI Math Kernel Library: before 2023.1

Intel oneAPI Rendering Toolkit: before 2023.1

Intel oneAPI Threading Building Blocks: before 2021.9.0

Intel oneAPI Video Processing Library: before 2023.1

Intel Open Image Denoise: before 1.4.3

Intel Open Volume Kernel Library: before 2023.1

Intel OSPRay: before 2023.1

Intel OSPRay Studio: before 2023.1

Intel Trace Analyzer and Collector: before 2021.9.0

Intel VTune Profiler for oneAPI: before 2023.1

Intel oneAPI Toolkits: before 2023.1.0

CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00890.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###