Intel ID: INTEL-SA-00151
Product family: Intel® Quartus family of tools
Impact of vulnerability: Escalation of Privilege
Severity rating: Moderate
Original release: 07/10/2018
Last revised: 07/10/2018

Summary:
Unquoted service paths in the Intel® Quartus family of tools allow a local attacker to potentially execute arbitrary code.

Description:
The Joint Test Action Group (JTAG) server is vulnerable to replacement of required executables, which on reboot may be run with elevated privileges.

Affected products:

• Quartus II v11.0 – 15.0 (CVE-2018-3683)
• Quartus Prime v15.1 – 18.0 (CVE-2018-3684)
• Intel Quartus II Programmer and Tools v11.0 – 15.0 (CVE-2018-3687)
• Intel Quartus Prime Programmer and Tools v15.1 – 18.0 (CVE-2018-3688)

Recommendations:
Intel recommends that users of the affected products listed in this report run the patch found here: https://www.altera.com/support/suppo...-attacker.html

Or install Quartus Prime release v18.1 or later (when released; check availability here: http://dl.altera.com/), which already includes the update.
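
A check for the condition named in the summary, as an added example (not Intel's code and not part of the advisory): it takes service ImagePath strings, flags those whose program path is unquoted and contains whitespace, and proposes the quoted form. The service names and paths below are constructed samples; on a real host the input would be the service configuration as reported by Windows.

```python
import re

# An executable extension followed by whitespace or end-of-string marks
# where the program portion of an unquoted command line stops.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def executable_portion(image_path):
    """Split a service ImagePath into (program, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    if m:
        return s[:m.end()], False
    # No recognizable extension: treat the whole string as the program.
    # This is conservative and may over-report, but never hides a finding.
    return s, False

def quoted_form(image_path):
    """Return the ImagePath with its program portion wrapped in quotes."""
    program, quoted = executable_portion(image_path)
    if quoted:
        return image_path
    rest = image_path.strip()[len(program):]
    return f'"{program}"{rest}'

def audit(services):
    """services: iterable of (name, image_path).
    Returns (name, program, suggested_image_path) for each unquoted
    program path that contains whitespace."""
    findings = []
    for name, image_path in services:
        program, quoted = executable_portion(image_path)
        if not quoted and re.search(r"\s", program):
            findings.append((name, program, quoted_form(image_path)))
    return findings

# Constructed sample data (hypothetical service names and paths).
SAMPLE = [
    ("ExampleSvcA", r"C:\Program Files\Example Vendor\bin\server.exe --service"),
    ("ExampleSvcB", r'"C:\Program Files\Example Vendor\bin\server.exe" --service'),
    ("ExampleSvcC", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("ExampleSvcD", r"C:\Tools\agent.exe --config C:\Program Files\agent.ini"),
]

if __name__ == "__main__":
    for name, program, fix in audit(SAMPLE):
        print(f"{name}: unquoted path with spaces: {program}\n  suggested: {fix}")
```

Only ExampleSvcA is reported: ExampleSvcB is already quoted, ExampleSvcC has no whitespace in its program path, and ExampleSvcD has whitespace only in its arguments.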

Acknowledgements:
Intel would like to thank Stefan Kanthak (@Skanthak) for reporting this issue and working with us on coordinated disclosure.

Revision History

Revision | Date | Description
1.0 | 07/10/2018 | Initial Release

CVE Name: CVE-2018-3683, CVE-2018-3684, CVE-2018-3687, CVE-2018-3688


Source: INTEL-SA-00151