Sony Remote Denial-of-Service Over Wifi / LAN / Internet Vulnerability

02 July 2019

 

CVE   

 

CVE-2019-11890

 

CVSS SCORE

 

7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

XID

 

XL-19-013

 

AFFECTED VENDORS

 

sony

 

CREDIT

 

xen1thLabs - Telecom Labs

 

VULNERABILITY SUMMARY       

 

 

 

 

 

 

 

 

xen1thLabs has found a vulnerability in Sony products and coordinated the disclosure of these security flaws with Sony. The vulnerability has been found in the Sony Bravia Smart TVs by xen1thLabs while auditing the security of Smart TVs. This vulnerability allows an attacker to remotely crash the Smart TV through a synflood attack.

This vulnerability allows an attacker to remotely crash the Smart TV using TCP packets. The reference of the vulnerability is: CVE-2019-11890. -.

The list of affected models has not been shared by Sony.

Sony shared the following analysis: “The Sony Product teams have conducted additional research regarding the submission and identified the following: CVE-2019-1189: DoS over WiFi / LAN - This is due to the performance of the interrupt operation in the Linux driver.”

 

TECHNICAL DETAILS

     

 

An unauthenticated remote attacker can synflood the Smart TV over LAN and Wi-Fi, the smart television freezes and becomes irresponsive, some programs crash and the television reboots randomly.

 

PROOF OF CONCEPT 

 

 

No PoC released due to low complexity level of exploitation as Sony is not planning to release a security patch.

 

AFFECTED SYSTEMS 

  

Sony BRAVIA Smart TV

 

SOLUTION 

 

 

 

 

 

 

Sony provided the following recommendation:

"Sony’s manual instructs users to: Make sure to connect to the Internet or home network via a router, which will minimize this risk. In addition, these two symptoms can be recovered by unplugging the power supply cable. The TV cannot be broken and there is no internal data that can be stolen by these actions." (May 30th, 2019).

And informed xen1thLabs the following:

“we will not be releasing any notifications.” (June 19th, 2019).

 

DISCLOSURE TIMELINE

 

 

 

 

 

 

 

 

 

 

01/04/2019 - Vulnerabilities have been found by xen1thLabs

28/04/2019 - xen1thLabs send the report to Sony through their HackerOne Bug bounty program

02/05/2019 - Updates requested from xen1thLabs through HackerOne

10/05/2019 - Vulnerabilities have been confirmed by Sony through HackerOne

14/05/2019 - xen1thLabs requests a CVE from MITRE

30/05/2019 - Sony inform xen1thLabs of the solutions recommended for users through HackerOne

30/05/2019 - xen1thLabs request the confirmation from Sony that no security patches will be provided through HackerOne

07/06/2019 - Sony informs the following "Due to the evaluation conducted by our product team we will be closing out this ticket" through HackerOne

26/06/2019 - Public disclosure