LOW🇬🇧 English

CVE-2018-11567

CVSS 3.3v3.0pub. 2018-05-30upd. 2024-11-21

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously designed skill is installed, an attacker could obtain transcripts of speech not intended for Alexa to process, but simply spoken within the device's hearing range. NOTE: The vendor states "Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do. Customers do not need to take any action for these mitigations to work.

oryginał EN
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • Amazon Echo

    HW
    Amazon
    wszystkie wersje
  • Amazon Echo Dot

    HW
    Amazon
    wszystkie wersje
  • Amazon Echo Dot Firmware

    OS
    Amazon
    < 2018-04-27
  • Amazon Echo Firmware

    OS
    Amazon
    < 2018-04-27
  • Amazon Echo Plus

    HW
    Amazon
    wszystkie wersje
  • Amazon Echo Plus Firmware

    OS
    Amazon
    < 2018-04-27
  • Amazon Echo Show

    HW
    Amazon
    wszystkie wersje
  • Amazon Echo Show Firmware

    OS
    Amazon
    < 2018-04-27
  • Amazon Echo Spot

    HW
    Amazon
    wszystkie wersje
  • Amazon Echo Spot Firmware

    OS
    Amazon
    < 2018-04-27
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2022-25809CRITICAL9.8ten sam produkt

Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary v...

CVE-2023-33248HIGH7.6ten sam produkt

Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially all...

CVE-2021-37436MEDIUM4.2ten sam produkt

Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device aft...

CVE-2026-35560CRITICAL9.1PL ✓ten sam vendor

Nieprawidłowa walidacja certyfikatów w Amazon Athena ODBC Driver — atak MITM

CVE-2026-35561CRITICAL9.1PL ✓ten sam vendor

Niewystarczające zabezpieczenia uwierzytelniania w Amazon Athena ODBC Driver

CVE-2018-11567 — LOW 3.3 | CVEbaza.pl