
Quartus® Prime Pro Security Advisory
ASA-0001
A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege
CVE ID: NA
Vulnerability Details:
Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists. The Linux version is not affected.
Mitigations and Recommendations:
Altera recommends using Quartus 25.1 or later. Before launching the installer, ensure that the target installation directory does not exist or that any preexisting target installation directory has the proper administrative-level permissions.
Description/CWE: CWE-279: Incorrect Execution-Assigned Permissions
CVSS Base Score 6.7 Severity Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID: NA
Vulnerability Details:
A Current Working Directory (CWD) DLL planting vulnerability exists in a .BAT file used in the original Design Space Explorer. Design Space Explorer II is not affected. Only the Windows version is affected; the Linux version is not affected.
Mitigations and Recommendations:
Install Quartus Prime Pro Edition 25.1 or later, or delete the file quartus\bin64\qcmd.bat. The qcmd.bat file is obsolete; it was used only by the original Design Space Explorer. Since the introduction of Design Space Explorer II in Quartus 15.0, that file is no longer used and can safely be deleted.
Description/CWE: CWE-427: Uncontrolled Search Path Element
CVSS Base Score 6.7 Severity Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE | Affected Products | Affected Versions | Fixed Version |
---|---|---|---|
NA | Quartus Prime Pro | Up to 24.3.1 | 25.1 |
NA | Quartus Prime Pro | Up to 24.3.1 | 25.1 |
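Added example (not part of Altera's advisory and not Altera code): a PowerShell pre-install audit covering both mitigations above. It reports any non-administrative principal with write-type access to a preexisting target directory and checks whether qcmd.bat is present. The default path, the reading of "administrative-level" as Administrators, SYSTEM and TrustedInstaller, and the assumption that quartus\bin64 sits directly under the installation directory are assumptions of this example.

```powershell
# Added example: audit the Quartus target directory before running the installer.
param([string]$InstallDir = 'C:\altera_pro\25.1')   # assumed path, not from the advisory

$sidType = [System.Security.Principal.SecurityIdentifier]
# Assumed "administrative-level" principals: Administrators, SYSTEM, TrustedInstaller.
# CREATOR OWNER (S-1-3-0) is skipped: it only takes effect for whoever can already
# create files, and an ACE granting that ability is reported on its own.
$trusted = 'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Rights that allow adding or replacing content, plus GENERIC_WRITE and GENERIC_ALL,
# which show up as raw bits on inherit-only ACEs.
$risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$risky = $risky -bor 0x40000000 -bor 0x10000000

function Test-InstallDirAcl([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return @() }   # directory not pre-created
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    # The owner can always rewrite the DACL, so it must be administrative too.
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        $findings += "owner $owner is not an administrative principal"
    }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $risky) -ne 0) {
            $findings += "$sid allowed $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
        }
    }
    return $findings
}

$findings = @(Test-InstallDirAcl $InstallDir)

# Second mitigation: the obsolete batch file named in the advisory.
$qcmd = Join-Path $InstallDir 'quartus\bin64\qcmd.bat'
if (Test-Path -LiteralPath $qcmd) {
    $findings += "obsolete file present: $qcmd (delete it or upgrade to 25.1 or later)"
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "No findings for $InstallDir"
```

Run it from an elevated prompt with -InstallDir set to the directory you will give the installer; a nonzero exit code means the directory should be removed or its ACL corrected first.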
Acknowledgements:
Altera would like to thank sim0nleehkhk (NA) for reporting this issue.
Revision History:
Revision | Date | Description |
---|---|---|
1.0 | 05/13/2025 | Initial Release |
Legal Notices and Disclaimers:
Altera provides these materials as-is, with no express or implied warranties. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.
Altera products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Altera products that have met their End of Servicing Updates may no longer receive functional and security updates.
Altera technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://www.altera.com.
Some results may have been estimated or simulated using internal Altera analysis or architecture simulation or modeling and are provided to you solely for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance. © Altera Corporation.
Altera, the Altera logo, and other Altera marks are trademarks of Altera Corporation in the United States and other countries. Other names and brands may be claimed as the property of others.