Sony BRAVIA Smart TV Denial Of Service

#138
Topic created · 1 Posts · 0 Views
  • Sony BRAVIA Smart TVs suffer from multiple denial of service vulnerabilities.
    MD5 | fdd5b168347d3881e7b4c597d34d83cf
    Download

    ## ADVISORY INFORMATION  
    TITLE: Two vulnerabilities found in Sony BRAVIA Smart TVs  
    ADVISORY URL:  
    CVE-2019-11889  
    https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-triggered-over-vulnerability-hbbtv-xl-19-014/  
    CVE-2019-11890  
    https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-over-wifi-lan-internet-vulnerability-xl-19-013/  
    DATE PUBLISHED: 02/07/2019  
    AFFECTED VENDORS: Sony  
    RELEASE MODE: Coordinated release  
    CVE: CVE-2019-11889, CVE-2019-11890  
    CVSSv3 for CVE-2019-11889: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)  
    CVSSv3 for CVE-2019-11890: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)  
    ## PRODUCT DESCRIPTION  
    BRAVIA is a brand of Sony Visual Products known as Smart TVs.   
    These Smart TVs are known to be high standard products.  
    ## DETAILS OF VULNERABILITIES  
    xen1thLabs has found two vulnerabilities in Sony products and coordinated   
    the disclosure of these security flaws with Sony. The vulnerabilities have   
    been found in the Sony Bravia Smart TV by xen1thLabs while auditing the   
    security of Smart TVs. The list of affected models has not been shared by Sony.   
    xen1thLabs tested several Sony Bravia Smart TVs.  
    The summary of the vulnerabilities is:  
    - CVE-2019-11889 Sony Remote Denial-of-Service Triggered Over HbbTV   
    Vulnerability:  
    This vulnerability allows an attacker to remotely crash the HbbTV rendering   
    engine and block the TV  
    - CVE-2019-11890 Sony Remote Denial-of-Service Over Wifi / LAN / Internet  
    Vulnerability:  
    This vulnerability allows an attacker to remotely crash the Smart TV using  
    TCP packets.  
    ### 1. CVE-2019-11889 Sony Remote Denial-of-Service Triggered Over HbbTV   
    Vulnerability  
    By sending a specifically crafted webpage over HbbTV it is possible to freeze the   
    television remotely. (please see the presentation at HiTB Dubai 2018 for HbbTV description   
    https://conference.hitb.org/hitbsecconf2018dxb/sessions/hacking-into-broadband-and-broadcast-tv-systems/),   
    The remote control does not appear to work except the PROG+ and PROG- buttons.   
    Only changing channels allows to 'un-freeze' the television. Android is supposed   
    to kill blocked applications.  
    In order to reproduce the behavior, start by generating a webpage using:   
    

    dd if=/dev/zero of=index.html bs=1M count=2048

    Using the software-defined radio, send a DVB-T signal containing a HbbTV application that force   
    the targeted Smart TV to load a file from a controlled server. By forcing the Smart TV to load   
    the generated file, it can be observed from the logs, only between 180KB and 250KB are served   
    before the HbbTV application freezes:  
    ```  
    vaccess.log:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:06:40:54 -0400] "GET /hbbtvtest/test3/ HTTP/1.1"   
    200 178647 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko)   
    Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;)   
    sony.hbbtv.tv.2016HE"  
    
    vaccess.log.1:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:02:36:16 -0400] "GET /hbbtvtest/test3/ HTTP/1.1"   
    200 170543 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko)   
    Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;)   
    sony.hbbtv.tv.2016HE"  
    

    Sony investigated the issue and shared the following analysis:
    "MITM attack by http connection is caused by the specification of the HbbTV service".

    2. CVE-2019-11890 Sony Remote Denial-of-Service Over Wifi / LAN / Internet Vulnerability

    An unauthenticated remote attacker can synflood the Smart TV over LAN and Wi-Fi, the smart
    television freezes and becomes irresponsive, some programs crash and the television reboots
    randomly. No PoC is released due to low complexity level of exploitation as Sony is not
    planning to release a security patch.
    Sony investigated the issue and shared the following analysis:
    "The Sony Product teams have conducted additional research regarding the submission and
    identified the following: CVE-2019-1189: DoS over WiFi /LAN - This is due to the performance
    of the interrupt operation in the Linux driver".

    SOLUTION

    Sony provided the following recommendation:
    "Sony's manual instructs users to: Make sure to connect to the Internet or home network
    via a router, which will minimize this risk. In addition, these two symptoms can be
    recovered by unplugging the power supply cable. The TV cannot be broken and there is no
    internal data that can be stolen by these actions." (May 30th, 2019).
    And informed xen1thLabs that:
    "we will not be releasing any notifications." (June 19th, 2019).

    DISCLOSURE TIMELINE

    01/04/2019 - Vulnerabilities have been found by xen1thLabs
    28/04/2019 - xen1thLabs send the report to Sony through their HackerOne Bug bounty program
    02/05/2019 - Updates requested from xen1thLabs through HackerOne
    10/05/2019 - Vulnerabilities have been confirmed by Sony through HackerOne
    14/05/2019 - xen1thLabs requests a CVE from MITRE
    30/05/2019 - Sony inform xen1thLabs of the solutions recommended for users through HackerOne
    30/05/2019 - xen1thLabs request the confirmation from Sony that no security patches will be provided through HackerOne
    07/06/2019 - Sony informs the following "Due to the evaluation conducted by our product team we will be closing out this ticket" through HackerOne
    26/06/2019 - Public disclosure

    CREDITS

    xen1thLabs - Telecom Lab

    REFERENCES

    CVE-2019-11889
    https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-triggered-over-vulnerability-hbbtv-xl-19-014/
    CVE-2019-11890
    https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-over-wifi-lan-internet-vulnerability-xl-19-013/
    Sony will not publish any security advisory nor release any security patch.

    ABOUT xen1thLabs

    xen1thLabs conducts vulnerability research, which feeds in the testing and
    validation activities it conducts across software, hardware and
    telecommunication.
    xen1thLabs houses a team of world-class experts dedicated to providing
    high impact capabilities in cyber security.
    At xen1thLabs we are committed to uncovering new vulnerabilities that combat
    tomorrow's threats today.
    More information about xen1thLabs can be found at:
    https://www.darkmatter.ae/xen1thlabs/

    WORKING AT xen1thLabs

    xen1thLabs is looking for several security researchers across multiple disciplines.
    Join a great team of likeminded specialists and enjoy all that UAE has to offer!
    If you are interested please visit:
    https://www.darkmatter.ae/xen1thlabs/

    **Source:** [packetstormsecurity.com](https://packetstormsecurity.com/files/153547/XL-19-013-014.txt)
Log in to reply