Intel ID: INTEL-SA-00151
Product family: Intel® Quartus family of tools
Impact of vulnerability: Escalation of Privilege
Severity rating: Moderate
Original release: 07/10/2018
Last revised: 07/10/2018

Unquoted service paths in the Intel® Quartus family of tools allows a local attacker to potentially execute arbitrary code.

The Joint Test Action Group (JTAG) server is vulnerable to replacement of required executables, which on reboot may be run with elevated privileges.
Affected products:

• Quartus II v11.0 – 15.0 (CVE-2018-3683)
• Quartus Prime v15.1 – 18.0 (CVE-2018-3684)
• Intel Quartus II Programmer and Tools v11.0 – 15.0 (CVE-2018-3687)
• Intel Quartus Prime Programmer and Tools v15.1 – 18.0 (CVE-2018-3688)

Intel recommends for the affected products listed in this report, to run the patch found here:

Or install Quartus Prime release v18.1 or later (when released; check availability here:, which already includes the update.

Intel would like to thank Stefan Kanthak (@Skanthak) for reporting this issue and working with us on coordinated disclosure.

Revision History

Revision Date Description
1.0 07/10/2018 Initial Release

CVE Name: CVE-2018-3683, CVE-2018-3684, CVE-2018-3687, CVE-2018-3688

Source: INTEL-SA-00151