A collection of vulnerabilities found through independent security research. For thoughts on disclosure policy, see this post.
- CVE-2018-11314: The External Control API in Roku OS versions before 8.1 allows unauthorized access via a DNS rebinding attack. An attacker can use this to remotely control the device and to exfiltrate privileged device and network information.
- CVE-2018-11315: The local HTTP API in Radio Thermostat CT50 and CT80 products running firmware 1.04.84 and below allows unauthorized access via a DNS rebinding attack. This can result in remote control of the thermostat's temperature setting, as demonstrated by a tstat t_heat request that reached a device purchased in the spring of 2018 and set a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860.
- CVE-2018-11316: The UPnP HTTP server on Sonos devices running software versions 8.6 and below allows unauthorized access via a DNS rebinding attack. An attacker can use this to remotely control the device and to exfiltrate privileged device and network information.
- CVE-2018-12716: The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on the browser's local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request. Note: This vulnerability was discovered independently by several security researchers, including Craig Young from Tripwire, Brannon Dorsey, Gunes Acar et al., and others.
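All four entries above share one root cause: a LAN HTTP API that answers any request reaching its socket, so a web page served from an attacker-controlled name can be re-pointed at the device's private IP and then call the API from the victim's browser. The browser cannot rewrite the Host header it sends, so it still reads "Host: attacker.example", and a device that only honours requests addressed to its own IP addresses or configured names refuses the rebound request. The code below is an added example of that check, written for this page; it is not the code of any of the vendors named above, and the device addresses, names and port 8060 are constructed sample values (a real device would enumerate its own interface addresses at start-up).

```python
"""
Host-header validation for a LAN HTTP API as a defence against DNS rebinding.

Added example (not vendor code). DEVICE_IPS, DEVICE_NAMES and API_PORT are
constructed sample values for this illustration.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Addresses and names this device answers to (sample values, see docstring).
DEVICE_IPS = {ipaddress.ip_address(a) for a in ("192.168.1.20", "fe80::1")}
DEVICE_NAMES = {"localhost", "mydevice.local"}
API_PORT = 8060


def split_host_port(host_header):
    """Return (host, port) from a Host header value; port is None when absent.

    Handles bracketed IPv6 literals such as "[fe80::1]:8060". Returns
    (None, None) for anything malformed, including unbracketed IPv6 literals
    and non-numeric ports, so that malformed input is never trusted.
    """
    h = host_header.strip()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return None, None
        host, rest = h[1:end], h[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    if h.count(":") == 1:
        host, port = h.split(":")
        return (host, int(port)) if port.isdigit() else (None, None)
    if ":" in h:
        return None, None  # unbracketed IPv6 literal is not a valid Host value
    return h, None


def host_header_is_trusted(host_header, device_ips=DEVICE_IPS,
                           device_names=DEVICE_NAMES, port=API_PORT):
    """True only if the request was addressed to this device by one of its own
    IP addresses or configured names (optionally with the API port).

    A rebound request carries the attacker's domain in Host and is rejected.
    """
    if not host_header:
        return False  # HTTP/1.0 requests without Host: treat as untrusted
    host, hport = split_host_port(host_header)
    if host is None or (hport is not None and hport != port):
        return False
    host = host.lower().rstrip(".")  # case-insensitive, ignore trailing dot
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in device_names  # a hostname: must be one of ours
    return ip in device_ips  # an IP literal: must be one of our addresses


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal API endpoint that refuses requests with an unrecognised Host."""

    def do_GET(self):
        if not host_header_is_trusted(self.headers.get("Host")):
            self.send_error(403, "Host header not recognised")
            return
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listening on all interfaces is what makes the Host check necessary.
    HTTPServer(("0.0.0.0", API_PORT), GuardedHandler).serve_forever()
```

Two caveats a practitioner should keep in mind. First, the check relies on the browser setting Host from the URL the page fetched, which it does (a page cannot override Host from JavaScript); it does nothing against a hostile device already on the LAN, which can simply address the API by IP, so it addresses the remote-web-page case these CVEs describe and not LAN-local abuse. Second, if the device also accepts control over other channels (UPnP/SSDP over multicast, for example), those need their own access checks; validating Host on the HTTP API alone does not cover them.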