SB2018073008 - Multiple vulnerabilities in Samsung SmartThings Hub




Published: July 30, 2018

Security Bulletin ID: SB2018073008
Severity: High
Patch available: YES
Number of vulnerabilities: 40
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 75%, Medium: 5%, Low: 20%

Description

This security bulletin contains information about 40 security vulnerabilities.


1) Command injection (CVE-ID: CVE-2018-3856)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists in the smart camera RTSP configuration of the Samsung SmartThings Hub due to incorrect handling of spaces in the URL field. A remote attacker can send a series of HTTP requests to inject and execute arbitrary commands with elevated privileges.


2) Stack-based buffer overflow (CVE-ID: CVE-2018-3863)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the samsungWifiScan handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload by the video-core process. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

3) Stack-based buffer overflow (CVE-ID: CVE-2018-3864)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the samsungWifiScan handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload by the video-core process. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


4) Stack-based buffer overflow (CVE-ID: CVE-2018-3865)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the samsungWifiScan handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload by the video-core process. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


5) Stack-based buffer overflow (CVE-ID: CVE-2018-3866)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the samsungWifiScan handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload by the video-core process. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


6) Stack-based buffer overflow (CVE-ID: CVE-2018-3867)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the samsungWifiScan callback notification of video-core's HTTP server of Samsung SmartThings Hub due to incorrect handling of the answer received from a smart camera. A remote attacker can send a series of HTTP requests, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

7) Stack-based buffer overflow (CVE-ID: CVE-2018-3872)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of the videoHostUrl field from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

8) Stack-based buffer overflow (CVE-ID: CVE-2018-3873)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

9) Stack-based buffer overflow (CVE-ID: CVE-2018-3874)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

10) Stack-based buffer overflow (CVE-ID: CVE-2018-3875)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

11) Stack-based buffer overflow (CVE-ID: CVE-2018-3876)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

12) Stack-based buffer overflow (CVE-ID: CVE-2018-3877)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

13) Stack-based buffer overflow (CVE-ID: CVE-2018-3878)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

14) SQL-injection (CVE-ID: CVE-2018-3879)

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect parsing of the user-controlled JSON payload. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the video-core database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.


15) Stack-based buffer overflow (CVE-ID: CVE-2018-3880)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the database "find-by-cameraId" functionality of video-core's HTTP server of Samsung SmartThings Hub due to incorrect handling of existing records inside its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

16) Stack-based buffer overflow (CVE-ID: CVE-2018-3893)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

17) Stack-based buffer overflow (CVE-ID: CVE-2018-3894)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

18) Stack-based buffer overflow (CVE-ID: CVE-2018-3895)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

19) Stack-based buffer overflow (CVE-ID: CVE-2018-3896)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

20) Stack-based buffer overflow (CVE-ID: CVE-2018-3897)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

21) Stack-based buffer overflow (CVE-ID: CVE-2018-3902)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the camera "replace" feature of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of the URL field from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

22) Stack-based buffer overflow (CVE-ID: CVE-2018-3903)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the camera "update" feature of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

23) Stack-based buffer overflow (CVE-ID: CVE-2018-3904)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the camera "update" feature of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of fields from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


24) Stack-based buffer overflow (CVE-ID: CVE-2018-3905)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the camera "create" feature of video-core's HTTP server of Samsung SmartThings Hub due to incorrect extraction of the "state" field from a user-controlled JSON payload. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


25) Stack-based buffer overflow (CVE-ID: CVE-2018-3906)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of a database field in video-core's HTTP server of Samsung SmartThings Hub due to insecure extraction of the shard.videoHostURL field from its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

26) Improper input validation (CVE-ID: CVE-2018-3907)

The vulnerability allows a remote attacker to overwrite arbitrary data on the target system.

The weakness exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub due to incorrect handling of pipelined HTTP requests. A remote attacker can send an HTTP request and overwrite the previously parsed HTTP method, URL and body.

27) Improper input validation (CVE-ID: CVE-2018-3908)

The vulnerability allows a remote attacker to overwrite arbitrary data on the target system.

The weakness exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub due to incorrect handling of pipelined HTTP requests. A remote attacker can send an HTTP request and overwrite the previously parsed HTTP method, URL and body.


28) Improper input validation (CVE-ID: CVE-2018-3909)

The vulnerability allows a remote attacker to overwrite arbitrary data on the target system.

The weakness exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub due to incorrect handling of pipelined HTTP requests. A remote attacker can send an HTTP request and overwrite the previously parsed HTTP method, URL and body.


29) HTTP header injection (CVE-ID: CVE-2018-3911)

The vulnerability allows a remote attacker to inject an HTTP header on the target system.

The weakness exists in the remote servers of Samsung SmartThings Hub because the hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely handle JSON messages. A remote attacker can send an HTTP request and cause partially controlled requests to be generated toward the internal video-core process.


30) Stack-based buffer overflow (CVE-ID: CVE-2018-3912)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub due to insecure extraction of the fields from the "shard" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


31) Stack-based buffer overflow (CVE-ID: CVE-2018-3913)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub due to insecure extraction of the fields from the "shard" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


32) Stack-based buffer overflow (CVE-ID: CVE-2018-3914)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub due to insecure extraction of the fields from the "shard" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


33) Stack-based buffer overflow (CVE-ID: CVE-2018-3915)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub due to insecure extraction of the fields from the "shard" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


34) Stack-based buffer overflow (CVE-ID: CVE-2018-3916)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub due to insecure extraction of the fields from the "shard" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


35) Stack-based buffer overflow (CVE-ID: CVE-2018-3917)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub due to insecure extraction of the fields from the "shard" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.


36) Stack-based buffer overflow (CVE-ID: CVE-2018-3919)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the retrieval of database fields in video-core's HTTP server of Samsung SmartThings Hub due to insecure extraction of the fields from the "clips" table of its SQLite database. A remote attacker can send an HTTP request, trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

37) Improper input validation (CVE-ID: CVE-2018-3918)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the remote servers of Samsung SmartThings Hub because the hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers. A remote attacker can send an HTTP request, trigger incorrect handling of camera IDs for the "sync" operation, delete arbitrary cameras and cause the service to crash.


38) Heap-based buffer overflow (CVE-ID: CVE-2018-3925)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the remote video-host communication of video-core's HTTP server of Samsung SmartThings Hub due to insecure parsing of the AWSELB cookie while communicating with remote video-host servers. A remote attacker able to impersonate the remote HTTP servers can send an HTTP request, trigger a heap-based buffer overflow and execute arbitrary code with elevated privileges.

39) Integer underflow (CVE-ID: CVE-2018-3926)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub due to an integer underflow caused by incorrect handling of malformed files in its "data" directory. A remote attacker can send an HTTP request, trigger an infinite loop and cause the service to crash.

40) Information disclosure (CVE-ID: CVE-2018-3927)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub because Google Breakpad is used to record minidumps, which are sent over an insecure HTTPS connection to the backtrace.io service when hubCore crashes. A remote attacker can impersonate the remote backtrace.io server and gain access to arbitrary data.
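
The stack-based overflow entries above fall into two groups: fields taken from a JSON payload and fields read back from the SQLite database. The following is an added example, not code from the bulletin or from the video-core binary, of one length-checked copy routine applied to both sources. The buffer sizes, struct, field names and character policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical sizes and field names; not taken from the video-core binary. */
#define URL_MAX   128
#define STATE_MAX 16

struct camera { char url[URL_MAX]; char state[STATE_MAX]; };

enum { FIELD_OK = 0, FIELD_TOO_LONG = -1, FIELD_BAD_CHAR = -2 };

/* Copy a length-delimited value into a fixed buffer. Oversized values are
 * rejected rather than truncated; dst is untouched on failure. */
static int field_copy(char *dst, size_t cap, const char *src, size_t len)
{
    if (cap == 0 || len >= cap)               /* need room for the NUL */
        return FIELD_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c <= 0x20 || c == 0x7f)           /* assumed policy: no space/control */
            return FIELD_BAD_CHAR;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return FIELD_OK;
}

/* Fill a record from untrusted fields. Use the same routine for request
 * payloads and for rows read back from the database: a stored value is only
 * as trustworthy as whatever wrote it. */
static int camera_fill(struct camera *cam, const char *url, size_t url_len,
                       const char *state, size_t state_len)
{
    struct camera tmp = {0};
    int rc;

    if ((rc = field_copy(tmp.url, sizeof tmp.url, url, url_len)) != FIELD_OK)
        return rc;
    if ((rc = field_copy(tmp.state, sizeof tmp.state, state, state_len)) != FIELD_OK)
        return rc;
    *cam = tmp;                               /* commit only if every field fits */
    return FIELD_OK;
}

int main(void)
{
    static const char url[] = "rtsp://192.0.2.10/stream";  /* constructed sample */
    char oversized[4 * URL_MAX];
    struct camera cam = {0};

    memset(oversized, 'A', sizeof oversized);
    if (camera_fill(&cam, url, strlen(url), "active", 6) != FIELD_OK)
        return 1;
    if (camera_fill(&cam, oversized, sizeof oversized, "active", 6) != FIELD_TOO_LONG)
        return 1;
    return strcmp(cam.url, url) != 0;         /* rejected input left record intact */
}
```
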

Remediation

Install the update from the vendor's website.