ID

VAR-202202-0264


CVE

CVE-2022-24049


TITLE

(Pwn2Own) Sonos One Speaker ALAC Frame Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-261

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems). Authentication is not required to exploit this vulnerability. The specific flaw exists within the ALAC audio codec. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15798

Trust: 1.53

sources: NVD: CVE-2022-24049 // ZDI: ZDI-22-261

IOT TAXONOMY

category: ['wearable device'], sub_category: smart speaker

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: sonos, model: s2, scope: lt, version: 3.4.1

Trust: 1.0

vendor: sonos, model: s1, scope: lt, version: 11.2.13

Trust: 1.0

vendor: sonos, model: one speaker, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-22-261 // NVD: CVE-2022-24049

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-24049
value: CRITICAL

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2022-24049
value: CRITICAL

Trust: 1.0

ZDI: CVE-2022-24049
value: CRITICAL

Trust: 0.7

CNNVD: CNNVD-202202-942
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2022-24049
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

nvd@nist.gov: CVE-2022-24049
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2022-24049
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

ZDI: CVE-2022-24049
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-261 // CNNVD: CNNVD-202202-942 // NVD: CVE-2022-24049 // NVD: CVE-2022-24049

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-121

Trust: 1.0

sources: NVD: CVE-2022-24049

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-942

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202202-942

EXTERNAL IDS

db: NVD, id: CVE-2022-24049

Trust: 2.4

db: ZDI, id: ZDI-22-261

Trust: 2.3

db: ZDI_CAN, id: ZDI-CAN-15798

Trust: 0.7

db: CS-HELP, id: SB2022021402

Trust: 0.6

db: CNNVD, id: CNNVD-202202-942

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // ZDI: ZDI-22-261 // CNNVD: CNNVD-202202-942 // NVD: CVE-2022-24049

REFERENCES

url:https://www.zerodayinitiative.com/advisories/zdi-22-261/

Trust: 2.2

url:https://cxsecurity.com/cveshow/cve-2022-24049/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022021402

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-24049

Trust: 0.6

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // CNNVD: CNNVD-202202-942 // NVD: CVE-2022-24049

CREDITS

David BERARD (@_p0ly_) from @Synacktiv

Trust: 1.3

sources: ZDI: ZDI-22-261 // CNNVD: CNNVD-202202-942

SOURCES

db: OTHER, id: -
db: ZDI, id: ZDI-22-261
db: CNNVD, id: CNNVD-202202-942
db: NVD, id: CVE-2022-24049

LAST UPDATE DATE

2025-01-30T20:16:40.618000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-261, date: 2022-02-14T00:00:00
db: CNNVD, id: CNNVD-202202-942, date: 2022-03-11T00:00:00
db: NVD, id: CVE-2022-24049, date: 2024-11-21T06:49:43.900

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-261, date: 2022-02-10T00:00:00
db: CNNVD, id: CNNVD-202202-942, date: 2022-02-10T00:00:00
db: NVD, id: CVE-2022-24049, date: 2022-02-18T20:15:17.817