CVE-2018-11314

Published: Jul 3, 2018Modified: Nov 21, 2024

9.6

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 6.0

Source: NVD

Description

The External Control API in Roku and Roku TV products allow unauthorized access via a DNS Rebind attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker.

Affected (1)

Products: Roku: Roku Firmware

Roku

1 product

Roku Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Roku Roku Firmware	All versions

Running on/with	Platform Versions
Roku Roku	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

Source: cve@mitre.org

https://support.roku.com/article/12554388937879

Source: cve@mitre.org

https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability

Source: cve@mitre.org

Press/Media CoverageThird Party Advisory

https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

Source: af854a3a-2127-422b-91ae-364da2661108

https://support.roku.com/article/12554388937879

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Press/Media CoverageThird Party Advisory

Timeline

No history available yet.