CVE-2022-24046
Published: 18 February 2022
Summary
CVE-2022-24046 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in Sonos S1. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
This vulnerability is an integer underflow, tracked as CWE-191, in the anacapd daemon of Sonos One Speakers. It affects all S2 systems prior to version 3.4.1 and all S1 systems prior to version 11.2.13 build 57923290, and stems from missing validation of user-supplied data, which can result in an integer underflow before a write to memory. The flaw carries a CVSS 3.1 score of 8.8.
Network-adjacent attackers can exploit the issue without authentication or user interaction to execute arbitrary code in the root context on affected devices. The attack surface is limited to the local network segment because of the adjacent-network attack vector.
The Zero Day Initiative advisory ZDI-22-260 (formerly tracked as ZDI-CAN-15828) identifies the issue and indicates that the vendor has released the firmware versions listed above to resolve it. The EPSS score has remained flat at 0.0742 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28961
Vulnerability details
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems). Authentication is not required to exploit this vulnerability. The specific flaw exists within the anacapd daemon. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15828.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.