CVE-2018-3641

9.8 CRITICAL

📋 TL;DR

CVE-2018-3641 is a critical privilege escalation vulnerability in Intel Remote Keyboard software that allows network attackers to inject keystrokes as local users. This affects all versions of Intel Remote Keyboard software, enabling attackers to execute arbitrary commands on vulnerable systems. The vulnerability requires the software to be installed and running on the target system.

💻 Affected Systems

Products:
  • Intel Remote Keyboard
Versions: All versions prior to 3.0.0.106
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Intel Remote Keyboard software to be installed and running. Typically affects systems where this software is used for remote control functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via remote code execution, data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Unauthorized access to sensitive systems, credential theft, lateral movement within networks, and data exfiltration.

🟢 If Mitigated: Limited impact if software is disabled or network segmentation prevents access to vulnerable systems.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication if vulnerable systems are internet-accessible.
🏢 Internal Only: HIGH - Even internally, attackers on the same network can exploit this vulnerability to gain unauthorized access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows network-based attackers to inject keystrokes without authentication. Exploitation is straightforward once network access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0.106 or later

Vendor Advisory: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00122&languageid=en-fr

Restart Required: Yes

Instructions:

1. Download Intel Remote Keyboard version 3.0.0.106 or later from Intel's website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Disable Intel Remote Keyboard Service (Windows)

Stop and disable the Intel Remote Keyboard service to prevent exploitation.

sc stop "Intel(R) Remote Keyboard"
sc config "Intel(R) Remote Keyboard" start= disabled

Uninstall Intel Remote Keyboard (Windows)

Completely remove the vulnerable software from the system.

appwiz.cpl
Select 'Intel Remote Keyboard' and click Uninstall

Network Segmentation (all platforms)

Isolate systems with Intel Remote Keyboard from untrusted networks.

🧯 If You Can't Patch

  • Disable or uninstall Intel Remote Keyboard software immediately
  • Implement strict network segmentation and firewall rules to block access to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check if Intel Remote Keyboard is installed and running. On Windows: Open Services (services.msc) and look for 'Intel(R) Remote Keyboard' service.

Check Version:

wmic product where name="Intel Remote Keyboard" get version

Verify Fix Applied:

Verify Intel Remote Keyboard version is 3.0.0.106 or later. Check program version in Control Panel > Programs and Features.
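
One way to script the version, service and port checks from this page on a single Windows host, as an added example (not code from Intel or from this page; macOS is not covered). The product name, service name, fixed version and port are the values given on this page; the function names and verdict labels are made up for illustration.

```powershell
# Added example: audit one Windows host for the exposure described on this page.
# From the page: product name, service name, fixed version 3.0.0.106, port 59797.
$DisplayName  = 'Intel Remote Keyboard'
$ServiceName  = 'Intel(R) Remote Keyboard'
$FixedVersion = [version]'3.0.0.106'
$DefaultPort  = 59797

function Get-IrkInstall {   # hypothetical helper name
    # Read the uninstall keys (64-bit and 32-bit views) rather than Win32_Product,
    # which re-validates every MSI package on the host when queried.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$DisplayName*" } |
        Select-Object -First 1 -Property DisplayName, DisplayVersion
}

function Test-IrkExposure {   # hypothetical helper name
    $install = Get-IrkInstall
    # The page passes this string to sc.exe; match it as key name or display name.
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object -First 1
    $listening = [bool](Get-NetTCPConnection -LocalPort $DefaultPort -State Listen -ErrorAction SilentlyContinue)
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    $parsed = $null
    if (-not $install) {
        $verdict = 'NotInstalled'
    } elseif (-not [version]::TryParse([string]$install.DisplayVersion, [ref]$parsed)) {
        $verdict = 'ReviewManually'          # version string missing or unparseable
    } elseif ($parsed -ge $FixedVersion) {
        $verdict = 'AtOrAboveFixedVersion'
    } elseif ($running -or $listening) {
        $verdict = 'VulnerableAndReachable'  # old build with service up or port open
    } else {
        $verdict = 'VulnerableButStopped'    # old build, workaround appears in place
    }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        InstalledVersion = $install.DisplayVersion
        ServiceStatus    = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
        PortListening    = $listening
        Verdict          = $verdict
    }
}

Test-IrkExposure
```

The port check only reports that something is listening on 59797, so confirm the owning process before treating a hit on an unlisted host as this service.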

📡 Detection & Monitoring

Log Indicators:

  • Unexpected network connections to Intel Remote Keyboard service (default port 59797)
  • Service start/stop events for Intel Remote Keyboard
  • Unusual keystroke injection patterns

Network Indicators:

  • Traffic to/from port 59797 (default Intel Remote Keyboard port)
  • Unexpected network connections to systems running Intel Remote Keyboard

SIEM Query:

source="*" ("Intel Remote Keyboard" OR port=59797) AND (event_type="connection" OR event_type="service_start")
