Intel® FPGA OPAE Driver Advisory

Summary:

A potential security vulnerability in the Intel® Field Programmable Gate Array (FPGA) Open Programmable Acceleration Engine (OPAE) driver for Linux may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2020-24485

Description: Improper conditions check in the Intel® FPGA OPAE Driver for Linux before kernel version 4.17 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

Intel® FPGA OPAE drivers found in the Linux Kernel before version 4.17. The following products are impacted:

• Intel® FPGA PAC D5005, Intel® Acceleration Stack v2.0.1
• Intel® PAC with Arria® 10 GX FPGA, Intel® Acceleration Stack v1.2.1
• Intel® Acceleration Stack Version 1.1 for the Intel® FPGA Pac N3000-N
• Intel® Acceleration Stack Version 1.3 for the Intel® FPGA PAC N3000
• Intel® Acceleration Stack Version 1.2 for the Intel® FPGA PAC N3000-V

Recommendations:

Intel recommends updating the Intel® FPGA OPAE driver for Linux to the versions indicated below or later:

• Intel® FPGA PAC D5005, Intel® Acceleration Stack v2.0.1
• Intel® FPGA Programmable Acceleration Card D5005 - Getting Started, See Update 2.
• opae-intel-fpga-driver-2.0.2-2.x86_64.rpm
• Intel® PAC with Arria® 10 GX FPGA, Intel® Acceleration Stack v1.2.1
• Intel® Programmable Acceleration Card with Intel Arria® 10 GX FPGA - Getting Started, See Update 1.
• opae-intel-fpga-driver-2.0.3-4.x86_64.rpm
• Intel® Acceleration Stack Version 1.1 for the Intel® FPGA Pac N3000-N
• Update for 1.1
• n3000_patch_1.1.2.tar.gz
• Intel® Acceleration Stack Version 1.3 for the Intel® FPGA PAC N3000
• Update for 1.3
• N3000_1.2.0.2 Patch
• Intel® Acceleration Stack Version 1.2 for the Intel® FPGA PAC N3000-V
• AFU Developers update.
• n3000/n3000_ias_1_3_1_pv_dev_centos_installer.tar.gz
• Non-AFU Development CentOS 7.6 update.
• n3000_ias_1_3_1_pv_rte_centos_installer.tar.gz
• Non-AFU Development RHEL 8.2 update.
• n3000_ias_1_3_1_pv_rte_RHEL_installer.tar.gz

Acknowledgements:

The following issue was found internally by Intel employees. Intel would like to thank Thierry Fernandes Faria and Chun Feng.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.