
High Level Synthesis Compiler Security Advisory
ASA-0003
A potential security vulnerability in High Level Synthesis Compiler Software may allow escalation of privilege.
CVE ID: NA
Vulnerability Details:
A Current Working Directory (CWD) DLL planting vulnerability exists in a batch file in a design example.
Mitigations and Recommendations:
Altera recommends replacing the build.bat with the file located here. This is a Windows issue. The Linux version is not affected.
Description/CWE: CWE-427: Uncontrolled Search Path Element
CVSS Base Score 6.7 Severity Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID: NA
Vulnerability Details:
The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability. The Linux version is not affected.
Mitigations and Recommendations:
To mitigate the issue, Altera recommends restricting write access to the directory "C:\quartus\bin64" to system administrators only.
Description/CWE: CWE-427: Uncontrolled Search Path Element
CVSS Base Score 6.7 Severity Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
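To check whether the directory named in the mitigation above is already restricted, the following added example (not part of Altera's advisory or tooling) lists the owner and every allow ACE on "C:\quartus\bin64" that grants write-type rights to a principal outside a trusted list. The function name is hypothetical, and treating SYSTEM, BUILTIN\Administrators and TrustedInstaller as the "system administrators" is an assumption.

```powershell
# Added example, not Altera's code. Assumption: only the SIDs below count as
# "system administrators"; extend $TrustedSids to match your environment.
function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $TrustedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # Rights that allow adding or replacing a file, or re-granting that ability.
    $Names = 'WriteData, AppendData, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $WriteMask = [int][System.Security.AccessControl.FileSystemRights]$Names
    # ACEs may also carry unmapped generic bits: GENERIC_WRITE and GENERIC_ALL.
    $Mask = $WriteMask -bor 0x40000000 -bor 0x10000000
    $SidType = [System.Security.Principal.SecurityIdentifier]
    $InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so report a non-trusted owner too.
    $owner = $acl.GetOwner($SidType).Value
    if ($TrustedSids -notcontains $owner) {
        [pscustomobject]@{ Identity = 'OWNER'; Sid = $owner; Rights = 'Owner';
                           Inherited = $false; InheritOnly = $false }
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $Mask)) { continue }
        $sid = $ace.IdentityReference.Value
        if ($TrustedSids -contains $sid) { continue }
        # Orphaned SIDs cannot be translated to an account name.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { '(unresolved)' }
        [pscustomobject]@{
            Identity    = $name
            Sid         = $sid
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            InheritOnly = $ace.PropagationFlags.HasFlag($InheritOnly)
        }
    }
}

# The path is the one named in the advisory's mitigation.
Get-NonAdminWriteAce -Path 'C:\quartus\bin64' | Format-Table -AutoSize
```

An empty result means no allow entry grants write-type access outside the trusted list. Rows with InheritOnly set apply to files and subdirectories created under the directory rather than to the directory itself.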
CVE | Affected Products | Affected Versions | Fixed Version |
---|---|---|---|
NA | High Level Synthesis Compiler | Up to 24.3 | N/A |
NA | High Level Synthesis Compiler | Up to 24.3 | N/A |
Acknowledgements:
Altera would like to thank ycdxsb for reporting these issues.
Revision History:
Revision | Date | Description |
---|---|---|
1.0 | 05/13/2025 | Initial Release |
Legal Notices and Disclaimers:
Altera provides these materials as-is, with no express or implied warranties. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.
Altera products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Altera products that have met their End of Servicing Updates may no longer receive functional and security updates.
Altera technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://www.altera.com.
Some results may have been estimated or simulated using internal Altera analysis or architecture simulation or modeling and are provided to you solely for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance. © Altera Corporation.
Altera, the Altera logo, and other Altera marks are trademarks of Altera Corporation in the United States and other countries. Other names and brands may be claimed as the property of others.