Security researchers from FortiGuard Labs discovered three vulnerabilities in Sony Bravia smart TVs.
The three vulnerabilities are Command Injection (CVE-2018-16593, critical severity), Stack Buffer Overflow (CVE-2018-16595, high severity) and Directory Traversal (CVE-2018-16594, high severity).
The vulnerabilities were found in Sony's proprietary application Photo Sharing Plus, and an attacker connected to the same local network can exploit them remotely without any authentication.
CVE-2018-16593 is a command injection vulnerability: the application mishandles the file name when a user uploads a media file to the system.
An attacker can leverage this to run arbitrary commands on the system, resulting in complete remote code execution with root privileges.
The second, CVE-2018-16595, is a memory corruption vulnerability that, in the researchers' words, "results from insufficient size checking of user input. With a long enough HTTP POST request sent to the corresponding URL, the application will crash."
The third flaw, CVE-2018-16594, handles file names incorrectly when receiving a user-supplied file uploaded via a URL.
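The three flaws share a pattern: an untrusted upload name reaches a shell or a filesystem path unchecked, and an unbounded request body reaches a fixed-size buffer. The following is an added illustration (not Sony's code, and not the researchers' proof of concept) of how an upload handler can close all three classes; `UPLOAD_ROOT`, `MAX_BODY` and the `convert` command line are assumed, constructed values.

```python
import os
import re
from pathlib import Path

UPLOAD_ROOT = Path("/tmp/uploads")   # constructed example root, not a real TV path
MAX_BODY = 10 * 1024 * 1024          # constructed upper bound for a POST body

# Allow-list: one leading alphanumeric, then a short run of safe characters.
# Shell metacharacters (; | $ ( ) ` space) and path separators never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_upload_path(user_name: str) -> Path:
    """Map an untrusted upload name to a path strictly inside UPLOAD_ROOT.

    Rejects directory traversal (CVE-2018-16594 class) and names that could
    be interpreted by a shell (CVE-2018-16593 class)."""
    base = os.path.basename(user_name)
    if base != user_name or not SAFE_NAME.match(base):
        raise ValueError("rejected file name: %r" % user_name)
    target = (UPLOAD_ROOT / base).resolve()
    # Belt and braces: confirm the resolved path did not leave the root.
    if target.parent != UPLOAD_ROOT.resolve():
        raise ValueError("path escapes upload root")
    return target


def accepts(user_name: str) -> bool:
    """True if safe_upload_path would accept the name (helper for tests)."""
    try:
        safe_upload_path(user_name)
        return True
    except ValueError:
        return False


def body_length_ok(content_length: int) -> bool:
    """Bound the request body before copying it anywhere (CVE-2018-16595 class)."""
    return 0 <= content_length <= MAX_BODY


def build_thumbnail_cmd(path: Path) -> list:
    """Build an argv list for subprocess.run(...) with no shell involved, so any
    character left in the file name is data, never a command separator."""
    return ["convert", str(path), "-resize", "128x128", str(path) + ".thumb.jpg"]
```

Pass the list from `build_thumbnail_cmd` to `subprocess.run` without `shell=True`; that, plus the allow-list, is what removes the injection surface.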
The researchers reported the vulnerabilities to Sony's PSIRT team on 27 March 2018, and Sony released an advisory regarding the patch on 30 August 2018.
The affected models are the R5C, WD75, WD65, XE70, XF70, WE75, WE6 and WF6 TV series.
If your television is set to update automatically when connected to the internet, it will receive the update automatically.
"To verify that your television has been updated, please visit the Downloads section of your model's product page. Click the Firmware update link for details about how to check the software version. If your television has not already been updated, please follow the instructions to download and install the update," Sony said in its advisory.