Potential security vulnerabilities in some Intel® NUC Laptop Element software may allow escalation of privilege. Intel is releasing software updates to mitigate these potential vulnerabilities.
CVEID: CVE-2022-41687
Description: Insecure inherited permissions in the HotKey Services for some Intel® NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVEID: CVE-2022-41628
Description: Uncontrolled search path element in the HotKey Services for some Intel® NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVEID: CVE-2023-27382
Description: Incorrect default permissions in the Audio Service for some Intel® NUC P14E Laptop Element software for Windows 10 before version 1.0.0.156 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Intel® NUC P14E Laptop Element software.
Intel recommends updating the Intel® NUC P14E Laptop Element software to the latest versions. Updates are available for download at these locations:
Intel recommends updating the Audio Install Package for Windows® 10 for some Intel® NUC P14E Laptop Element software to version 1.0.0.156 or later. <https://www.intel.com/content/www/us/en/download/19823/audio-install-package-for-windows-10-for-intel-nuc-p14e-laptop-element.html>
Intel recommends updating the HotKey Services for Windows® 10 for some Intel® NUC P14E Laptop Element software to version 1.1.44 or later.
These issues where found externally.
Intel would like to thank FalconCorruption (CVE-2022-41628, CVE-2023-27382) for reporting these issues.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.