CVE-2015-2291
Published: 09 August 2017
Summary
CVE-2015-2291 is a high-severity Improper Input Validation (CWE-20) vulnerability in Intel Ethernet Diagnostics Driver Iqvw32.Sys. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an input validation flaw (CWE-20) in the Intel Ethernet diagnostics driver for Windows, specifically affecting IQVW32.sys and IQVW64.sys versions prior to 1.3.1.0. It is triggered by specially crafted IOCTL requests using the codes 0x80862013, 0x8086200B, 0x8086200F, or 0x80862007, which the driver fails to handle safely.
Local authenticated users can exploit the issue by issuing these IOCTL calls from user mode. Successful exploitation can result in denial of service or arbitrary code execution with kernel-level privileges on the affected system, corresponding to a CVSS 3.1 base score of 7.8.
Intel published advisory INTEL-SA-00051 describing the affected driver components and directing users to updated versions 1.3.1.0 or later. Public proof-of-concept code demonstrating the IOCTL-based denial-of-service condition has been released on Exploit-DB and PacketStorm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-2389
Vulnerability details
(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.
- CWE(s): CWE-20
- KEV Date Added: 10 February 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of inputs to system interfaces, which would have rejected the crafted requests using IOCTL codes 0x80862013, 0x8086200B, 0x8086200F, and 0x80862007 that trigger the CWE-20 flaw.
Mandates timely installation of vendor patches; Intel's update to IQVW32/64.sys 1.3.1.0 eliminates the vulnerable driver code.
Limits privileges of local users and processes so that even a successful IOCTL exploit cannot immediately obtain kernel-level code execution.