Sonos Era 100 SMB2 Message Handling Integer Underflow Information Disclosure Vulnerability
Description
Integer underflow in Sonos Era 100 SMB2 handling allows network-adjacent attackers to disclose sensitive information without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer underflow vulnerability exists in the SMB2 message handling of Sonos Era 100 smart speakers [1]. The flaw arises from a lack of proper validation of user-supplied data, leading to an integer underflow before reading from memory. This affects all Sonos Era 100 devices running firmware that supports SMB2 services (specific firmware versions not disclosed).
Exploitation
A network-adjacent attacker can exploit this vulnerability without requiring authentication [1]. By sending a crafted SMB2 message, the attacker triggers an integer underflow, causing the device to read from an unintended memory location. The attacker can leverage this information disclosure in conjunction with other vulnerabilities to achieve remote code execution as root.
Impact
Successful exploitation results in information disclosure [1]. When combined with other vulnerabilities, an attacker can achieve arbitrary code execution with root privileges, gaining full control over the affected Sonos Era 100 speaker.
Mitigation
As of the publication date (June 6, 2024), no official fix has been released by Sonos [1]. Users are advised to monitor Sonos security advisories and apply firmware updates as soon as they become available. There are no known workarounds.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sonos/Era 100 (v5), Range: 15.9 (build 75146030)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] www.zerodayinitiative.com/advisories/ZDI-24-542/ (mitre, x_research-advisory)
News mentions
No linked articles in our index yet.