CVE CyberSecurity Database News

CVE-2021-33162 - Exploiting Improper Access Control in Intel(R) Ethernet Adapter Manageability Firmware

Poster -

In this post, we’re going to dive into CVE-2021-33162—a security vulnerability that affects some Intel(R) Ethernet Adapters and Controllers, specifically the I225 Manageability Firmware. If you run servers using Intel’s popular network cards or have enterprise hardware, you could be at risk.

We'll cover what this vulnerability is, how it works, show some code snippets for better understanding, and give you links to the official resources. Let’s break it all down in simple terms.

What is CVE-2021-33162?

CVE-2021-33162 is an “improper access control” issue found in certain Intel(R) network adapters and controllers. With a CVSS base score of 7.8 (high severity), this bug allows a *local* and *authenticated* attacker to escalate their privileges—for example, getting admin rights on a vulnerable system.

Here’s the summary from Intel

> Improper access control in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware before version 1.5.1. may allow an authenticated user to potentially enable escalation of privilege via local access.

Links:
- Intel Security Advisory INTEL-SA-00556
- NIST NVD entry

You are at risk if

- You have an Intel network adapter with manageability features (like AMT, iAMT, or I225 controller), _and_

Manageability firmware versions are lower than 1.5.1..

Note: This is not a remote exploit—you already need to be logged in on the system to take advantage of it. But it does mean a regular user account can potentially get root/admin access.

The Technical Problem

The key issue is *improper access control* in the firmware’s manageability interface. Firmware should limit what a regular user can do, but here it fails, letting a local user run privileged operations.

In Simple Terms

Imagine your network card has a back door for IT admins—it should check who’s knocking before opening. In older firmware, it doesn’t check well enough. If you’re already logged onto the computer, you can use this back door and get full control.

Real-World Scenario

Let’s say you’re a regular user on a company PC. Normally, some system management functions of the network card (like resetting, reconfiguring, or flashing firmware) are locked down to privileged users only. But with this bug, you could call those functions yourself via a crafted utility or command.

Example: Using the DeviceIoControl Call

When a Windows user program uses the DeviceIoControl() function to interact with the hardware driver, it often needs privilege. With this vulnerability, regular users' processes could abuse these IOCTLs to trigger firmware routines, bypassing driver security checks.

Pseudo-Code Example

#include <windows.h>
#include <stdio.h>

#define IOCTL_MANAGE_FIRMWARE x222004 // Example IOCTL code

int main() {
    HANDLE hDevice = CreateFile("\\\\.\\IntelEth", GENERIC_READ | GENERIC_WRITE,
                               , NULL, OPEN_EXISTING, , NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Cannot open device: %d\n", GetLastError());
        return 1;
    }

    DWORD bytesReturned;
    char inputBuffer[64] = {  };  // Some crafted buffer
    char outputBuffer[256] = {  };

    // Attempt to abuse firmware management interface
    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_MANAGE_FIRMWARE,
        inputBuffer, sizeof(inputBuffer),
        outputBuffer, sizeof(outputBuffer),
        &bytesReturned,
        NULL
    );
    if (result) {
        printf("Exploit succeeded. Output: %s\n", outputBuffer);
    } else {
        printf("Exploit failed: %d\n", GetLastError());
    }

    CloseHandle(hDevice);
    return ;
}

> Note: This is a simplified illustration. The actual exploit may require insider knowledge of the IOCTL codes and payloads specific to Intel’s driver and firmware, which can sometimes be reverse engineered from official tool binaries using utilities like IDA Pro or Ghidra.

How Attackers Might Use It

- Privilege Escalation: A malicious user on a shared or multi-user machine can gain SYSTEM/root access, then do anything on the computer.

Persistence: Attackers might tamper with firmware or hide a backdoor in the network hardware.

- Bypassing Security Tools: Because firmware runs “under” the OS, some security tools can’t see what’s happening.

How to Protect Yourself

Fix:
Intel released a new firmware version (1.5.1.) that closes this gap.

Update Manageability Firmware:

Download the latest firmware updates for your Intel I225 or similar Ethernet Controller from Intel’s support site.

Apply Latest Driver Updates:

Make sure your network driver is also up to date, as some drivers check firmware versions before allowing access.

More Details & References

- Intel Product Security Advisory INTEL-SA-00556
- CVSS Scoring Detail
- NVD Entry for CVE-2021-33162

Summary

CVE-2021-33162 shows how even “unseen” parts of a computer, like the network card’s firmware, can have serious security issues. If you use affected Intel network adapters, check your firmware version and update as soon as possible!

Got questions or need more details? Check out the Intel links above or ask below.

Timeline

Published on: 02/23/2024 21:15:09 UTC
Last modified on: 05/16/2024 21:15:49 UTC