Serious vulnerabilities have been found in Intel’s Remote Keyboard application, but the company will not release any patches and instead advised users to uninstall the app.
Introduced in June 2015, the Intel Remote Keyboard apps for Android and iOS allow users to wirelessly control their Intel NUC and Compute Stick devices from a smartphone or tablet. The Android application has been installed more than 500,000 times.
Researchers discovered recently that all versions of Intel Remote Keyboard are affected by three severe privilege escalation flaws.
The most serious of them, rated “critical” and identified as CVE-2018-3641, allows a network attacker to inject keystrokes as a local user. The vulnerability was reported to Intel by a UK-based researcher who uses the online moniker trotmaster.
Another vulnerability, tracked as CVE-2018-3645 and rated “high severity,” was reported to Intel by Mark Barnes. The researcher discovered that Intel Remote Keyboard is affected by a privilege escalation flaw that allows a local attacker to inject keystrokes into another keyboard session.
The third security hole is CVE-2018-3638, which allows an authenticated, local attacker to execute arbitrary code with elevated privileges. Intel has credited Marius Gabriel Mihai for finding this vulnerability.
Intel does not plan on releasing patches for these vulnerabilities. The company has decided to discontinue the product and advised users to uninstall the apps at their earliest convenience. Intel Remote Keyboard has been removed from both Google Play and the Apple App Store.
Intel also published a security advisory this week to warn customers of an important denial-of-service (DoS) vulnerability affecting the SPI Flash component in multiple processors. The flaw was discovered by Intel itself and mitigations are available.
The company also informed users of a privilege escalation flaw in 2G modems, including XMM71xx, XMM72xx, XMM73xx, XMM74xx, Sofia 3G, Sofia 3G-R, and Sofia 3G-RW. The issue impacts devices that have the Earthquake Tsunami Warning System (ETWS) feature enabled.
A network attacker can exploit the vulnerability to execute arbitrary code. “Devices equipped with an affected modem, when connected to a rogue 2G base station where non-compliant 3GPP software may be operational, are potentially at risk,” Intel said.
The company says it has developed patches for this vulnerability.
“External researchers reported a potential security vulnerability in the implementation of the Earthquake and Tsunami Warning System (ETWS) in certain Intel 2G modem firmware implementations. Intel has developed firmware updates that address the issue, and we have been working closely with our customers and partners to deploy the updates to affected products as soon as possible,” Intel told SecurityWeek in an emailed statement.
*Updated with statement from Intel on 2G modem flaws