An information security report points to the detection of two critical vulnerabilities in One Speaker, a popular smart speaker manufactured by technology firm Sonos. According to the report, the successful exploitation of the flaws would allow the deployment of multiple hacking tasks.
Below are brief descriptions of the detected flaws, in addition to their respective tracking keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2022-24046: An integer underflow within the anacapd daemon would allow remote threat actors to send a specially crafted request to the affected application, triggering the flaw and an integer overflow and executing arbitrary code on the affected systems.
This is a critical flaw and received a CVSS score of 9/10.
CVE-2022-24049: A boundary bug within the ALAC audio codec would allow unauthenticated remote threat actors to trigger a stack-based buffer overflow and execute arbitrary code on vulnerable systems.
The vulnerability received a CVSS score of 9/10.
According to the report, the flaws reside in the One Speaker models with software version 11.2.13 57923290. At the moment there are no security patches to address these vulnerabilities.
While patches do not yet exist and bugs can be exploited remotely by unauthenticated threat actors, no active exploitation attempts or a malware variant linked to the attack have yet been detected. Still, users of affected deployments are encouraged to stay on top of any company updates.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.