- Some Intel projects (TBD)
- The RSX Graphics Library
- Libva
- Gallium3D
- KolibriOS
- DRM Gralloc
- Mesa and all projects using affected mesa versions
- More projects tbd...
Applications may be vulnerable to attacks where a local attacker could execute arbitrary code through a maliciously crafted library, loaded via the dlopen() function. This could potentially lead to privilege escalation.
The application reads unsanitized data from the environment variable. This tainted path is subsequently used directly by dlopen() without sufficient validation, allowing directory traversal and possibly loading external malicious libraries.
The security check currently implemented using [specific security check, e.g., geteuid() == getuid()] does not adequately protect against this vulnerability.
1. Set the affected environment variable to a path containing a maliciously crafted library.
2. Run the application or initiate the specific function that calls dlopen().
3. Observe that the malicious code within the library gets executed.
Attackers with local access can load and execute arbitrary code in systems using the affected application. This can lead to data corruption, data theft, and potentially complete system compromise depending on the application's privileges.
• Implement thorough input validation for the paths loaded via the environment variables.
• Use a whitelist of allowed paths or directory names to mitigate the risk of arbitrary directory traversal.
• Drop elevated privileges immediately after they are no longer required.
• Regularly audit and review the code to ensure that all paths from which libraries or other external resources are loaded are properly validated.
• Check and compare the real group ID and the effective group ID with getgid() and getegid()
- 15/11/2022 - Initial bug discovered
- 12/12/2022 - Report sent to Intel
- 3/30/2023 - Intel confirmed vulnerabilities
- ?/02/2024 - Intel public advisory to be published