Many security flaws uncovered in Sonos One particular wi-fi speakers could be possibly exploited to reach facts disclosure and distant code execution, the Zero Day Initiative (ZDI) mentioned in a report revealed very last week.
The vulnerabilities were being demonstrated by three different groups from Qrious Protected, STAR Labs, and DEVCORE at the Pwn2Very own hacking contest held in Toronto late final 12 months, netting them $105,000 in financial rewards.
The list of four flaws, which effects Sonos Just one Speaker 70.3-35220, is below –
- CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8) – Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on influenced installations.
- CVE-2023-27353 and CVE-2023-27354 (CVSS score: 6.5) – Unauthenticated flaws that allow for network-adjacent attackers to disclose sensitive data on affected installations.
Although CVE-2023-27352 stems from when processing SMB listing query commands, CVE-2023-27355 exists inside the MPEG-TS parser.
Future WEBINAR Zero Have confidence in + Deception: Discover How to Outsmart Attackers!
Learn how Deception can detect state-of-the-art threats, stop lateral motion, and improve your Zero Trust approach. Sign up for our insightful webinar!
Help you save My Seat!.advert-button,.advert-label,.advertisement-label:followingexhibit:inline-block.ad_two_webinarmargin:20px 10px 30px 0background:#f9fbffcolor:#160755padding: 5%border:2px good #d9deffborder-radius:10pxtext-align:leftbox-shadow:10px 10px #e2ebff-webkit-border-prime-still left-radius:25px-moz-border-radius-topleft:25px-webkit-border-base-right-radius:25px-moz-border-radius-bottomright:25px.advert-labelfont-dimensions:13pxmargin:20px 0font-pounds:600letter-spacing:.6pxcolor:#596cec.ad-label:right afterwidth:50pxheight:6pxcontent:”border-prime:2px strong #d9deffmargin: 8px.ad-titlefont-sizing:21pxpadding:10px 0font-weight:900textual content-align:leftline-height:33px.ad-descriptiontextual content-align:leftfont-size:15.6pxline-peak:26pxmargin:5px !importantcolor:#4e6a8d.advertisement-buttonpadding:6px 12pxborder-radius:5pxbackground-coloration:#4469f5font-dimension:15pxcolor:#fff!importantborder:0line-top:inherittext-decoration:none!importantcursor:pointermargin:15px 20pxfloat:leftfont-pounds:500letter-spacing:.2px
Effective exploitation of both equally shortcomings could permit an attacker to execute arbitrary code in the context of the root consumer.
Equally the info disclosure flaws can be combined individually with other flaws in the methods to achieve code execution with elevated privileges.
Next liable disclosure on December 29, 2022, the flaws were tackled by Sonos as part of Sonos S2 and S1 software program variations 15.1 and 11.7.1, respectively. Consumers are suggested to utilize the most up-to-date patches to mitigate opportunity risks.
Located this short article intriguing? Follow us on Twitter and LinkedIn to examine far more exclusive content we submit.
Some parts of this article are sourced from:
thehackernews.com