CVE-2018-3621 Intel Driver & Support Assistant: Drivers information disclosure bug through incorrect validation of the Origin header in local API requests (< 3.6.0.4)

Intel Driver & Support Assistant allows users to manage and update their drivers from Intel’s website.

It runs an API server locally, reachable at dsalocal.intel.com, which resolves to 127.0.0.1. Intel's website sends requests to this API, and under the CORS mechanism the browser adds the Origin header to each request so that the server can verify it and allow or deny the request.

The Origin value was not properly checked, so some unauthorized websites could still query the API.
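
As an added illustration (not Intel's code and not part of the original advisory), the JavaScript below contrasts a loose Origin check with an exact-match allowlist for a local API. The substring check is a generic example of incorrect validation, since the advisory does not describe the actual flaw; the trusted origin `https://www.intel.com`, the function names and the sample values are assumptions.

```javascript
// Added example, not Intel's code. Allowlist value and function names are assumptions.
const ALLOWED_ORIGINS = new Set(["https://www.intel.com"]); // assumed trusted origin

// Loose check of a kind that commonly fails: a substring match.
// Illustrative only; the advisory does not describe the actual DSA check.
function looseOriginCheck(origin) {
  return typeof origin === "string" && origin.includes("intel.com");
}

// Strict check: the header must be a canonical origin and match the allowlist exactly.
function strictOriginCheck(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return false; } // "null", garbage
  // Reject values that are not already in serialized scheme://host[:port] form.
  if (parsed.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(origin);
}

// Decide how the local API answers, given request headers with lower-cased keys.
function handleRequest(headers) {
  const origin = headers["origin"];
  if (!strictOriginCheck(origin)) {
    // Refuse to serve the data at all; do not rely on the browser to block the read.
    return { status: 403, headers: {} };
  }
  return {
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo only the verified value, never "*"
      "Vary": "Origin",
    },
  };
}

// Constructed sample Origin values (example.net and .example are reserved names).
const SAMPLES = [
  "https://www.intel.com", "https://intel.com.example.net",
  "https://www.intel.com.example", "http://www.intel.com", "null",
];

// Run both checks over the samples so the difference is visible side by side.
function compareChecks() {
  return SAMPLES.map((o) => ({
    origin: o, loose: looseOriginCheck(o), strict: strictOriginCheck(o),
  }));
}
console.log(compareChecks());
```

Only the first sample passes the strict check, while the loose check accepts every sample except `null`.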

External references