Hackers make Sonos Era 300 speakers play unwanted tunes: severe RCE flaw discovered


Sonos Era 300 smart speakers contain a severe flaw that enables unauthenticated hackers to take complete control of the device and run arbitrary code, Trend Micro’s Zero Day Initiative (ZDI) researchers warn.

If attackers gain access to the network, they can run code on Sonos Era 300 speakers. ZDI disclosed the vulnerability with a severity rating of 8.8 out of 10.

“This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability,” the coordinated public advisory warns.


The issue exists within the processing of ALAC (Apple Lossless Audio Codec) data: user-supplied data is not properly validated before it is copied to a heap-based buffer.

According to the researchers, an attacker can leverage this vulnerability to execute code in the context of the “anacapa” user, which is likely a Sonos system user account, responsible for direct speaker control.

While attackers might be less interested in what users are playing, a vulnerable network-connected smart appliance could be abused by hackers to advance their attacks, access services or accounts, or even deploy malware.


Sonos was alerted about the flaw on December 11th, 2024, and the flaw was fixed in the newer versions of Player (build 83.1-61240, release v:16.6).
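For administrators who keep an inventory of their speakers, the fixed build above can be turned into a simple audit. The following is an added example, not code from Sonos or ZDI: the inventory records are constructed, and it assumes build strings have the `major.minor-number` shape of the fixed build and order numerically by those three fields.

```python
import re
from typing import NamedTuple

# From the article: fixed in Player build 83.1-61240 (release 16.6).
FIXED_BUILD = (83, 1, 61240)
AFFECTED_MODEL = "Era 300"
# Assumption: builds look like "83.1-61240" and compare field by field.
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)$")


class Finding(NamedTuple):
    name: str
    build: str
    status: str  # "vulnerable", "patched" or "unknown"


def parse_build(build):
    """Return (major, minor, number), or None if the string is malformed."""
    m = _BUILD_RE.match(build.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def audit(inventory):
    """Classify every Era 300 in the inventory; other models are skipped."""
    findings = []
    for dev in inventory:
        if dev.get("model") != AFFECTED_MODEL:
            continue
        raw = dev.get("build", "")
        parsed = parse_build(raw)
        if parsed is None:
            status = "unknown"  # an unreadable version is never treated as safe
        elif parsed < FIXED_BUILD:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append(Finding(dev.get("name", "?"), raw, status))
    return findings


# Constructed sample inventory (names and older/newer builds are made up).
SAMPLE = [
    {"name": "lobby", "model": "Era 300", "build": "82.2-59204"},
    {"name": "boardroom", "model": "Era 300", "build": "83.1-61240"},
    {"name": "kitchen", "model": "Era 300", "build": ""},
    {"name": "hallway", "model": "One", "build": "70.1-10000"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.name:10} {f.build or '-':12} {f.status}")
```

Devices reported as "unknown" need a manual check of the version shown in the Sonos app before they are considered patched.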

Earlier this year, ZDI disclosed three other Era 300 Speaker use-after-free remote code execution vulnerabilities, which also allowed attackers to run code without authentication and affected Sonos Systems prior to v16.6.

All the flaws were uncovered during the Pwn2Own hacking competition. Hunting flaws in Sonos speakers has become something of a tradition at the annual event. During the 2022 Toronto event, three different teams successfully hacked Sonos One speakers using four different and unique bugs.
