Vulnerabilities > CVE-2019-11336 - Information Exposure Through Log Files vulnerability in Sony Photo Sharing Plus 6.5830

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

sony

CWE-532

NVD

Published: 2019-05-14

Updated: 2019-05-21

Summary

Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.

Vulnerable Configurations

Part	Description	Count
Application	Sony Sony Photo Sharing Plus 6.5830	1
Hardware	Sony Sony KDL 50W800C - Sony KDL 50W805C - Sony KDL 50W807C - Sony KDL 50W809C - Sony KDL 50W820C - Sony KDL 55W800C - Sony KDL 55W805C - Sony KDL 65W850C - Sony KDL 65W855C - Sony KDL 65W857C - Sony KDL 75W850C - Sony KDL 75W855C - Sony X7500D - Sony XBR 100Z9D - Sony XBR 43X800D - Sony XBR 43X800E - Sony XBR 43X830C - Sony XBR 49X700D - Sony XBR 49X800C - Sony XBR 49X800D - Sony XBR 49X800E - Sony XBR 49X830C - Sony XBR 49X835C - Sony XBR 49X835D - Sony XBR 49X837C - Sony XBR 49X839C - Sony XBR 49X900E - Sony XBR 55A1E - Sony XBR 55X700D - Sony XBR 55X800E - Sony XBR 55X805C - Sony XBR 55X806E - Sony XBR 55X807C - Sony XBR 55X809C - Sony XBR 55X810C - Sony XBR 55X850C - Sony XBR 55X850D - Sony XBR 55X855C - Sony XBR 55X855D - Sony XBR 55X857C - Sony XBR 55X857D - Sony XBR 55X900C - Sony XBR 55X900E - Sony XBR 55X905C - Sony XBR 55X907C - Sony XBR 55X930D - Sony XBR 55X930E - Sony XBR 65A1E - Sony XBR 65X750D - Sony XBR 65X800C - Sony XBR 65X805C - Sony XBR 65X807C - Sony XBR 65X809C - Sony XBR 65X810C - Sony XBR 65X850C - Sony XBR 65X850D - Sony XBR 65X850E - Sony XBR 65X855C - Sony XBR 65X855D - Sony XBR 65X857C - Sony XBR 65X857D - Sony XBR 65X900C - Sony XBR 65X900E - Sony XBR 65X905C - Sony XBR 65X907C - Sony XBR 65X930C - Sony XBR 65X930D - Sony XBR 65X930E - Sony XBR 65X935D - Sony XBR 65X937D - Sony XBR 65Z9D - Sony XBR 75X850C - Sony XBR 75X850D - Sony XBR 75X850E - Sony XBR 75X855C - Sony XBR 75X855D - Sony XBR 75X857D - Sony XBR 75X900E - Sony XBR 75X910C - Sony XBR 75X940C - Sony XBR 75X940D - Sony XBR 75X940E - Sony XBR 75X945C - Sony XBR 75Z9D - Sony XBR 77A1E - Sony XBR 85X850D - Sony XBR 85X855D - Sony XBR 85X857D -	88

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Packetstorm

data source	https://packetstormsecurity.com/files/download/152612/sonysmarttvs-fileread.txt
id	PACKETSTORM:152612
last seen	2019-04-24
published	2019-04-24
reporter	xen1thLabs
source	https://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html
title	Sony Smart TV Information Disclosure / File Read

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Packetstorm

References