Sonos Era 100 SMB2 Message Handling Out-Of-Bounds Read Information Disclosure Vulnerability

Vulnerability

An out-of-bounds read vulnerability exists in the handling of SMB2 messages on the Sonos Era 100 smart speaker ([1]). The issue stems from insufficient validation of user-supplied data, allowing a read past the end of an allocated buffer. This affects all versions of the Sonos Era 100 firmware prior to the fix included in the June 2024 update.

Exploitation

An attacker can exploit this vulnerability from a network-adjacent position without requiring any authentication. The attack involves sending a specially crafted SMB2 message to the vulnerable device, triggering the out-of-bounds read. While the direct impact is a limited information disclosure, the ZDI advisory notes that this can be chained with other vulnerabilities to achieve full code execution ([1]).

Impact

Successful exploitation allows an attacker to read sensitive memory contents from the device, potentially leaking cryptographic keys, configuration data, or other secrets. More critically, an attacker can use this vulnerability as a stepping stone in a chain of exploits to execute arbitrary code in the context of the root user, gaining full control of the device ([1]).

Mitigation

Sonos released a firmware update in June 2024 that resolves this vulnerability. Users should ensure their Era 100 devices are updated to the latest firmware version. No public workaround is available. The vulnerability is not currently listed on the CISA KEV, but active exploitation as part of the Pwn2Own contest was demonstrated ([1]).