Security update for Sonos Players | July 2018

  • 7 September 2018

  • Community Manager
Summary
Sonos has released a security update for all Sonos Players. This update resolves an important vulnerability (CVE-2018-11316) that could lead to unauthorized access to the user’s Sonos system and network.


Affected versions
All Sonos Players running software version 8.6 or earlier are vulnerable to this exploit.

To check the version of the Sonos Player software, open the Sonos controller app:

Windows
  1. Launch the Sonos desktop app and sign in with your Sonos ID if prompted
  2. Click Help > About My Sonos System...
macOS
  1. Launch the Sonos desktop app and sign in with your Sonos ID if prompted
  2. Click Sonos > About My Sonos System
iOS/Android
  1. Launch the Sonos mobile app and sign in with your Sonos ID if prompted
  2. Click the "... More" option along the bottom and choose Settings > About My Sonos System

Solution
Sonos recommends users update their Players to the newest version: 9.0 or later.

The latest Sonos Player software can be downloaded from the mobile controller app. 


Vulnerability Details



Vulnerability Description
This attack uses malicious JavaScript on a web page to attack devices on the user’s home network that would otherwise be protected behind the user's router. If a user browses to a web page with malicious content, this could result in unauthorized access to the user’s networked devices. This attack is also known as a "DNS Rebinding" attack.

Vulnerability Impact
For Sonos devices, this could allow unauthorized playback control and the disclosure of information similar to that available in the Sonos App.

CVE Numbers
CVE-2018-11316

Acknowledgments
Sonos would like to thank Brannon Dorsey (CVE-2018-11316) for reporting this issue and for working with Sonos to help protect our customers.
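
A common device-side defense against the DNS rebinding attack described under Vulnerability Description is to reject HTTP requests whose Host header is neither a local IP literal nor a name the device owns, because a rebound request still carries the web page's domain in Host. The Python below is an added example, not Sonos code and not a description of the Sonos fix; the allowed names, the port and the sample requests are constructed assumptions.

```python
import ipaddress

# Names the device itself answers to (hypothetical; set per deployment).
ALLOWED_NAMES = {"localhost", "speaker.local"}

# Address ranges a client on the home network would use to reach the device.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_host(host_header):
    """Return the host part of a Host header, without port or IPv6 brackets."""
    value = host_header.strip().lower()
    if value.startswith("["):                  # [IPv6]:port
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    host, _, port = value.rpartition(":")
    if host and port.isdigit():                # name:port or IPv4:port
        return host
    return value                               # no port present

def host_allowed(host_header, allowed_names=ALLOWED_NAMES):
    """Accept only Host values a legitimate LAN client would send."""
    host = split_host(host_header).rstrip(".")
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in allowed_names           # a name: must be one of ours
    return any(addr in net for net in LOCAL_NETS)   # an IP literal: local only

# Constructed sample Host headers (port 8080 is arbitrary).
SAMPLES = [
    "192.168.1.50:8080",             # controller addressing the device by IP
    "speaker.local:8080",            # name owned by the device
    "[fe80::1]:8080",                # IPv6 link-local literal
    "rebind.attacker.example:8080",  # page origin re-pointed at the device
    "203.0.113.7",                   # non-local IP literal
]

def classify(samples=SAMPLES):
    """Return (host header, accepted?) for each sample."""
    return [(h, host_allowed(h)) for h in samples]

if __name__ == "__main__":
    for host, ok in classify():
        print(f"{'accept' if ok else 'reject':6}  {host}")
```

The check runs before any request handling, so a request that fails it gets an error response and never reaches the control or information endpoints.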
