CVE-2018-11314

EUVD-2018-3353
The External Control API in Roku and Roku TV products allow unauthorized access via a DNS Rebind attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.6 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
rokuroku_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
https://support.roku.com/article/12554388937879
https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability
https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
https://support.roku.com/article/12554388937879
https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability