[ad_1]
A number of safety flaws uncovered in Sonos One wi-fi audio system may very well be probably exploited to realize info disclosure and distant code execution, the Zero Day Initiative (ZDI) stated in a report printed final week.
The vulnerabilities had been demonstrated by three completely different groups from Qrious Safe, STAR Labs, and DEVCORE on the Pwn2Own hacking contest held in Toronto late final yr, netting them $105,000 in financial rewards.
The listing of 4 flaws, which impression Sonos One Speaker 70.3-35220, is beneath –
- CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8) – Unauthenticated flaws that permit network-adjacent attackers to execute arbitrary code on affected installations.
- CVE-2023-27353 and CVE-2023-27354 (CVSS rating: 6.5) – Unauthenticated flaws that permit network-adjacent attackers to reveal delicate info on affected installations.
Whereas CVE-2023-27352 stems from when processing SMB listing question instructions, CVE-2023-27355 exists inside the MPEG-TS parser.
Zero Belief + Deception: Be taught How one can Outsmart Attackers!
Uncover how Deception can detect superior threats, cease lateral motion, and improve your Zero Belief technique. Be part of our insightful webinar!
Profitable exploitation of each shortcomings may allow an attacker to execute arbitrary code within the context of the basis consumer.
Each the knowledge disclosure flaws might be mixed individually with different flaws within the techniques to realize code execution with elevated privileges.
Following accountable disclosure on December 29, 2022, the failings had been addressed by Sonos as a part of Sonos S2 and S1 software program variations 15.1 and 11.7.1, respectively. Customers are really useful to use the most recent patches to mitigate potential dangers.
[ad_2]