Sonos reports vulnerabilities in their Smart Speakers enabling code execution
Take action: The vulnerabilities are real, but both require either physical access to the device or access to the same WiFi network with relative proximity. So it is not a panic-mode flaw, but you should still patch your Sonos devices, because malware on a laptop on the same network can reach the speakers and embed itself in them for further attacks.
Learn More
Sonos has released security updates to address two vulnerabilities tracked as CVE-2023-50809 and CVE-2023-50810.
These vulnerabilities affect Sonos Smart Speakers on the S1 and S2 platforms and could allow attackers to execute arbitrary code on the affected devices. Successful exploitation of these flaws enables attackers to take complete control of the device, covertly record audio, and exfiltrate the recordings to a remote server.
Affected Product Versions
- Sonos S1: Versions up to and including 11.12
- Sonos S2: Versions up to and including 15.9
Vulnerability Details
- CVE-2023-50809 (CVSS score 9.8) is linked to a flaw in the WPA2 handshake process used by Sonos devices. Specifically, this vulnerability arises from improper input validation within the WpaParseEapolKeyData function during the four-way handshake. The function fails to enforce a maximum length for the gtk_length parameter in the KeyData structure, allowing a buffer overflow. Low-privileged attackers can exploit this vulnerability by crafting malicious packets during the WPA2 handshake. The flaw can be triggered in the third message (M3) of the handshake, leading to a stack buffer overflow, which subsequently allows remote code execution. Once control over the device is established, the attacker can execute arbitrary commands, potentially turning the device into a wiretap capable of capturing and exfiltrating audio data covertly.
- CVE-2023-50810 (CVSS score 7.8) is a vulnerability in the U-Boot component of the firmware which would allow persistent arbitrary code execution with Linux kernel privileges. A malicious actor with physical access to the device, or with write access to the flash memory obtained through a separate runtime vulnerability, may be able to exploit this flaw.
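The root cause described for CVE-2023-50809 is a classic one: a length field taken from the network (gtk_length) is used to copy key material into a fixed-size buffer without first checking that it fits. The following is an added illustration, not Sonos code and not the WpaParseEapolKeyData function itself: a generic walker for the Key Data field of EAPOL-Key message 3 that extracts the GTK KDE (layout per IEEE 802.11: type 0xdd, one-byte length, OUI 00-0f-ac, data type 1, then key-id/tx flags, a reserved byte, and the key). The names, the 32-byte maximum and the test inputs built by build_gtk_kde are assumptions chosen for the example. The single comparison against GTK_MAX_LEN before memcpy is the check whose absence the advisory describes; an oversized key is rejected before anything is written to the stack buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative EAPOL-Key Key Data parser (added example, not Sonos code).
 * KDE layout: 0xdd | len | OUI 00-0f-ac | data type | payload.
 * GTK KDE payload: 1 byte key-id/tx flags | 1 reserved byte | GTK bytes. */

#define GTK_MAX_LEN 32   /* largest group key any 802.11 cipher uses (assumed bound) */

struct gtk_info {
    uint8_t key_id;
    uint8_t tx;
    uint8_t gtk[GTK_MAX_LEN];   /* fixed-size destination; an unbounded copy here is the overflow */
    size_t  gtk_len;
};

enum parse_result {
    PARSE_OK = 0, PARSE_NO_GTK = 1, PARSE_MALFORMED = 2, PARSE_GTK_TOO_LONG = 3
};

static const uint8_t RSN_OUI[3] = { 0x00, 0x0f, 0xac };

/* Walk the KDE list in a (decrypted) Key Data field and extract the GTK.
 * Every length read from the input is validated before it is used. */
int parse_key_data(const uint8_t *data, size_t len, struct gtk_info *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof(*out));

    while (pos + 2 <= len) {
        uint8_t type = data[pos];
        uint8_t elen = data[pos + 1];          /* bytes following this 2-byte header */

        if (type == 0xdd && elen == 0)         /* 0xdd/0x00 marks padding: stop */
            break;
        if (pos + 2 + elen > len)              /* element claims more bytes than exist */
            return PARSE_MALFORMED;

        if (type == 0xdd && elen >= 4 &&
            memcmp(&data[pos + 2], RSN_OUI, 3) == 0 && data[pos + 5] == 1) {
            const uint8_t *p = &data[pos + 6];  /* GTK KDE payload */
            size_t plen = elen - 4;
            if (plen < 2)
                return PARSE_MALFORMED;
            size_t gtk_length = plen - 2;
            /* The bounds check the advisory says was missing: key must fit the buffer. */
            if (gtk_length > GTK_MAX_LEN)
                return PARSE_GTK_TOO_LONG;
            out->key_id = p[0] & 0x03;
            out->tx     = (p[0] >> 2) & 0x01;
            memcpy(out->gtk, p + 2, gtk_length); /* safe: gtk_length <= GTK_MAX_LEN */
            out->gtk_len = gtk_length;
            return PARSE_OK;
        }
        pos += 2 + elen;
    }
    return PARSE_NO_GTK;
}

/* Constructed test input: a single GTK KDE carrying a gtk_length of the caller's
 * choice (key id 1, tx bit set, key bytes 0xa0, 0xa1, ...). Returns bytes written,
 * 0 if the element would not fit its one-byte length field or the buffer. */
size_t build_gtk_kde(uint8_t *buf, size_t bufsize, size_t gtk_length)
{
    size_t elen = 4 + 2 + gtk_length;
    if (elen > 255 || bufsize < 2 + elen)
        return 0;
    buf[0] = 0xdd;
    buf[1] = (uint8_t)elen;
    memcpy(&buf[2], RSN_OUI, 3);
    buf[5] = 1;          /* data type 1 = GTK */
    buf[6] = 0x04 | 1;   /* tx bit | key id 1 */
    buf[7] = 0;          /* reserved */
    for (size_t i = 0; i < gtk_length; i++)
        buf[8 + i] = (uint8_t)(0xa0 + i);
    return 2 + elen;
}

int main(void)
{
    uint8_t kd[300];
    struct gtk_info info;

    size_t n = build_gtk_kde(kd, sizeof kd, 16);
    int r = parse_key_data(kd, n, &info);
    printf("16-byte GTK : result %d, key_id %u, tx %u, len %zu\n",
           r, info.key_id, info.tx, info.gtk_len);

    n = build_gtk_kde(kd, sizeof kd, 200);
    r = parse_key_data(kd, n, &info);
    printf("200-byte GTK: result %d (rejected before any copy)\n", r);
    return 0;
}
```

The two printed cases show the normal path (a 16-byte CCMP group key is accepted) and the hardened path (a 200-byte key claim is refused with PARSE_GTK_TOO_LONG instead of being copied into the 32-byte buffer). On a device where the check is absent, the same input would write past the end of gtk on the stack, which is the condition the advisory credits with remote code execution.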