CVE-2020-0557 Overview
CVE-2020-0557 is a local privilege escalation vulnerability affecting Intel PROSet/Wireless WiFi software on Windows 10. The flaw stems from insecure inherited permissions [CWE-732] in installations prior to version 21.70. An authenticated local user can leverage these weak permissions to escalate privileges on the affected system. The issue impacts a wide range of Intel wireless adapters, including the Wi-Fi 6 AX200/AX201, Wireless-AC 9260/9461/9462/9560, and Dual Band Wireless-AC 8260/8265/3165/3168/7265 (Rev D) modules.
Critical Impact
A locally authenticated attacker can abuse insecure file or directory permissions inherited by the PROSet/Wireless WiFi installation to execute code or modify resources with elevated privileges, leading to full compromise of confidentiality, integrity, and availability on the host.
Affected Products
- Intel PROSet/Wireless WiFi software prior to version 21.70 on Windows 10
- Intel Wi-Fi 6 AX200, AX201; Wireless-AC 9260, 9461, 9462, 9560
- Intel Dual Band Wireless-AC 8260, 8265, 3165, 3168, 7265 (Rev D)
Discovery Timeline
- 2020-04-15 - CVE-2020-0557 published to the National Vulnerability Database
- 2024-11-21 - Last updated in the NVD
Technical Details for CVE-2020-0557
Vulnerability Analysis
The vulnerability is classified as Incorrect Permission Assignment for Critical Resource [CWE-732]. The Intel PROSet/Wireless WiFi installer creates files, directories, or registry objects whose Access Control Lists (ACLs) inherit overly permissive entries. Standard authenticated users on Windows 10 can therefore modify resources that are later loaded or executed by a privileged process.
Exploitation requires only local access and low privileges, with no user interaction. Successful abuse yields elevation of privilege, typically to NT AUTHORITY\SYSTEM, because Intel wireless services and helper utilities run with elevated rights. The result is high impact to confidentiality, integrity, and availability of the affected host.
Root Cause
The root cause is improper assignment of inherited permissions on files or directories within the PROSet/Wireless WiFi installation path. When parent objects grant write or modify rights to non-administrative groups, child executables, DLLs, or configuration files inherit those rights. A standard user can then replace or tamper with binaries that the wireless service later loads under a privileged context.
Attack Vector
The attack requires local, authenticated access. An attacker overwrites a writable binary or configuration consumed by an Intel PROSet/Wireless service running as SYSTEM. When the service starts, restarts, or reloads the resource, the attacker-controlled payload executes with elevated privileges. No network access, no user interaction, and no administrative credentials are required. Detailed technical specifics are described in the Intel Security Advisory SA-00338.
Detection Methods for CVE-2020-0557
Indicators of Compromise
- Unexpected modifications to files within the Intel PROSet/Wireless WiFi installation directory, particularly executables and DLLs loaded by Intel wireless services.
- Intel wireless service processes spawning unexpected child processes such as cmd.exe, powershell.exe, or other interactive shells.
- New or modified scheduled tasks, services, or auto-run entries created shortly after tampering with PROSet/Wireless files.
Detection Strategies
- Audit ACLs on the Intel PROSet/Wireless WiFi installation directory and flag any entries granting write or modify rights to non-administrative principals such as Users, Authenticated Users, or Everyone.
- Monitor for write operations to Intel wireless binaries by non-SYSTEM, non-Administrator accounts using file integrity monitoring or EDR telemetry.
- Correlate file modifications in the install path with subsequent privileged process executions originating from Intel wireless services.
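One way to run the ACL audit from the first strategy, as an added example that is not Intel's tooling or part of the original advisory. The function name, the allowlist of trusted SIDs, and the write-rights mask are assumptions; the default path is the one used in this page's icacls commands.

```powershell
# Added example: report Allow ACEs that give non-trusted principals write-type access.
function Find-WritableAce {
    param([string]$Path = 'C:\Program Files\Intel\WiFi')  # path from this page's icacls example

    # SIDs permitted to hold write access (assumption; adjust per environment).
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-3-0',       # CREATOR OWNER (applies only to objects the principal created)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
    )

    # Bits that allow tampering: WriteData, AppendData, WriteExtendedAttributes,
    # DeleteSubdirectoriesAndFiles, WriteAttributes, Delete, ChangePermissions, TakeOwnership,
    # plus raw GENERIC_ALL and GENERIC_WRITE, which Get-Acl can return unmapped.
    $writeMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor
                 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

    # Check the directory itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Request rules keyed by SID so localized or unresolvable account names do not matter.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Find-WritableAce | Sort-Object Path | Format-Table -AutoSize
```

An empty result means no principal outside the allowlist holds write-type access; any row with a SID such as S-1-5-32-545 (Users), S-1-5-11 (Authenticated Users), or S-1-1-0 (Everyone) is the condition this advisory describes.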
Monitoring Recommendations
- Enable Windows Security event logging for object access (Event IDs 4663, 4670) on the PROSet/Wireless install directory.
- Track process creation events (Event ID 4688 or Sysmon Event ID 1) where the parent is an Intel wireless service and the child is an uncommon binary.
- Inventory hosts running Intel PROSet/Wireless WiFi software below version 21.70 and prioritize them for patching and continuous monitoring.
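A sketch of how the Event ID 4663 recommendation can be queried once auditing is in place, added here as an example and not taken from the advisory or from Intel. It assumes object-access auditing and a SACL already cover the install directory; the function name, the time window, and the excluded-SID list are assumptions.

```powershell
# Added example: list audited write-type accesses under the install path by non-trusted subjects.
function Get-InstallPathWriteEvent {
    param(
        [string]$Path = 'C:\Program Files\Intel\WiFi',   # path from this page's icacls example
        [datetime]$Since = (Get-Date).AddDays(-7),       # look-back window (assumption)
        [string[]]$TrustedSid = @('S-1-5-18')            # SYSTEM; add known admin account SIDs as needed
    )

    # 4663 AccessMask bits: WriteData 0x2, AppendData 0x4, DELETE 0x10000,
    # WRITE_DAC 0x40000, WRITE_OWNER 0x80000
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Map the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $object = $data['ObjectName']
        if (-not $object) { continue }
        if (-not $object.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) { continue }
        if ($TrustedSid -contains $data['SubjectUserSid']) { continue }

        # AccessMask is logged as a hex string such as 0x2.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $object
            Process = $data['ProcessName']
            Mask    = $data['AccessMask']
        }
    }
}

Get-InstallPathWriteEvent | Sort-Object Time | Format-Table -AutoSize
```

Administrator accounts are logged under their own user SIDs, so pass them through `-TrustedSid` if routine administrative changes should be filtered out.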
How to Mitigate CVE-2020-0557
Immediate Actions Required
- Upgrade Intel PROSet/Wireless WiFi software to version 21.70 or later on all affected Windows 10 endpoints.
- Identify all systems running vulnerable Intel wireless drivers and software using endpoint inventory tools, prioritizing laptops and mobile workstations.
- Restrict local logon rights on shared or kiosk systems until patching is complete.
Patch Information
Intel addressed CVE-2020-0557 by correcting the permissions assigned during installation. The fix is available in Intel PROSet/Wireless WiFi version 21.70 and later. Patch details and download links are provided in the Intel Security Advisory SA-00338.
Workarounds
- Manually harden ACLs on the Intel PROSet/Wireless WiFi installation directory so that only SYSTEM and Administrators retain write or modify permissions.
- Remove or disable unused Intel wireless management utilities on systems that do not require them, reducing the attack surface until the patch is deployed.
- Enforce least privilege on Windows 10 endpoints and restrict membership of local administrator groups to limit lateral impact if escalation occurs.
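# Configuration example: audit and harden permissions on the install path
# Run from an elevated prompt.
# 1. Audit: list current ACLs recursively (/T), continuing past errors (/C)
icacls "C:\Program Files\Intel\WiFi" /T /C
# 2. Remove all inherited ACEs from the install directory
icacls "C:\Program Files\Intel\WiFi" /inheritance:r
# 3. Replace explicit grants: full control for SYSTEM and Administrators, read and execute for Users
icacls "C:\Program Files\Intel\WiFi" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"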
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


