Intel’s patented Smart Sound Technology uses integrated digital signal processors to facilitate and enhance audio, voice, and speech interactions. The DSP works hand in hand with the latest Intel Core and Intel Atom processors to improve voice recognition and feedback as well as deliver immaculate playback sound through the system’s speakers without negatively impacting the computer’s performance or battery life. In an advisory released by the Intel Corporation, INTEL-SA-00163, the company has published information on three high risk vulnerabilities that have impacted the Intel Smart Sound Technology by rendering it vulnerable to escalating of privileges exploits and consequent arbitrary code execution through three channels. The vulnerabilities affect Intel Smart Sound Technology integrations before its version 9.21.00.3541.
The first vulnerability, labelled CVE-2018-3666, impacts the driver module in the technology. It creates a non-paged pool overflow, allowing local access to execute arbitrary code with administrator privileges. This vulnerability has been graded as 7.5 on the CVSS 3.0 scale and is considered high risk for exploit. This particular channel of kernel pool corruption exploit is most likely abused by arbitrary memory write or n-byte corruption in ring 0. The second vulnerability, labelled CVE-2018-3670, also impacts the driver module in the technology, but this time allowing the local access to carry out the same due to a buffer overflow flaw. This vulnerability is also graded 7.5 on the CVSS 3.0. The third vulnerability, labelled CVE-2018-3672, yet again impacts the driver module in the technology to allow a local access to compromise the system in the very same way, however this vulnerability exists due to a system calls flaw that is exploited. Just as the first two, this vulnerability is also graded 7.5 on the CVSS 3.0.
Due to the cumulatively high risk of exploit in the technology, Intel has recommended that its users ensure with manufacturers that the Intel Smart Sound Technologies used in their computer systems are of the version 9.21.00.3541 or later to mitigate the security risks posed.