Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.
The vulnerability results from improper validation of the DataOffset field in SMB protocol responses handled by the device. Improper validation of user-supplied data leads to out-of-bounds memory access (CWE-119). An attacker can send a crafted SMB response that triggers this error and allows code execution in the kernel context of the device's operating system.
An attacker can execute arbitrary code with kernel privileges, which means complete takeover of the device, including the ability to compromise confidentiality, integrity, and system availability.
Patches available from the manufacturer should be applied according to the references. Detailed information about the corrected firmware version is available at: https://www.zerodayinitiative.com/advisories/ZDI-26-192/
Sonos Era 300 and its firmware (Sonos Era 300 Firmware) — specific versions indicated in the manufacturer's references and in the ZDI-26-192 advisory.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSonos Era 300
HWSonoswszystkie wersjeSonos Era 300 Firmware
OSSonos< 83.1-61240
Related vulnerabilities
Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows networ...
Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows ne...
Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows networ...
Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjac...
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos One Sp...