Security News > 2023 > May > Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative said in a report published last week.
The list of four flaws, which impact Sonos One Speaker 70.3-35220, is below -.
While CVE-2023-27352 stems from when processing SMB directory query commands, CVE-2023-27355 exists within the MPEG-TS parser.
Successful exploitation of both shortcomings could permit an attacker to execute arbitrary code in the context of the root user.
Both the information disclosure flaws can be combined separately with other flaws in the systems to achieve code execution with elevated privileges.
Following responsible disclosure on December 29, 2022, the flaws were addressed by Sonos as part of Sonos S2 and S1 software versions 15.1 and 11.7.1, respectively.
News URL
https://thehackernews.com/2023/05/hackers-win-105000-for-reporting.html
Related news
- CISA shares critical infrastructure defense tips against Chinese hackers (source)
- US sanctions APT31 hackers behind critical infrastructure attacks (source)
- Critical Security Flaw Found in Popular LayerSlider WordPress Plugin (source)
- Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
- Russian Sandworm hackers targeted 20 critical orgs in Ukraine (source)
- 73% of SME security pros missed or ignored critical alerts (source)
- 10 Critical Endpoint Security Tips You Should Know (source)
- DHS establishes AI Safety and Security Board to protect critical infrastructure (source)
- U.S. Government Releases New AI Security Guidelines for Critical Infrastructure (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-20 | CVE-2023-27355 | Stack-based Buffer Overflow vulnerability in Sonos ONE Firmware, S1 and S2 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker 70.3-35220. | 8.8 |
2023-04-20 | CVE-2023-27352 | Use After Free vulnerability in Sonos ONE Firmware, S1 and S2 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker 70.3-35220. | 8.8 |