CVE-2023-33248

Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing). Commands at these frequencies are essentially never spoken by authorized actors, but a substantial fraction of the commands are successful.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.5

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://arxiv.org/abs/2305.10358	Third Party Advisory
https://cios2023.org/papers	Third Party Advisory
https://github.com/reveondivad/nuance	Exploit Third Party Advisory
https://sites.google.com/view/nuitattack/home	Third Party Advisory
https://www.usenix.org/system/files/sec23fall-prepub-261-xia-qi.pdf	Exploit Technical Description Third Party Advisory
https://youtu.be/3gEc5ZFWIWo	Exploit Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:amazon:alexa:8960323972:*:*:*:*:*:*:*

OR	cpe:2.3:h:amazon:echo_dot:-::2nd_gen:::::
	cpe:2.3:h:amazon:echo_dot:-::3rd_gen:::::

History

No history.

Information

Published : 2023-05-24 22:15

Updated : 2023-06-01 17:20

NVD link : CVE-2023-33248

Mitre link : CVE-2023-33248

CVE.ORG link : CVE-2023-33248

JSON object : View

Products Affected

amazon

alexa
echo_dot

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-33248", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 2.1}]}, "published": "2023-05-24T22:15:09.207", "references": [{"url": "https://arxiv.org/abs/2305.10358", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://cios2023.org/papers", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/reveondivad/nuance", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://sites.google.com/view/nuitattack/home", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.usenix.org/system/files/sec23fall-prepub-261-xia-qi.pdf", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://youtu.be/3gEc5ZFWIWo", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing). Commands at these frequencies are essentially never spoken by authorized actors, but a substantial fraction of the commands are successful."}], "lastModified": "2023-06-01T17:20:32.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:amazon:alexa:8960323972:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A43F757-D8D2-450E-9454-6AEB1E417E34"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:amazon:echo_dot:-:*:2nd_gen:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "23FBCB3B-2917-4AFC-8C67-976C2EDFAC68"}, {"criteria": "cpe:2.3:h:amazon:echo_dot:-:*:3rd_gen:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F6999715-5BAE-48C6-A5C9-E00B89AE7104"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}