Main Vulnerability Database Vulnerabilities #VU14099

Improper input validation in SmartThings Hub STH-ETH-250 - CVE-2018-3918

Published: July 30, 2018

Vulnerability identifier: #VU14099

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-3918

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Samsung

Affected software:
SmartThings Hub STH-ETH-250

Detailed vulnerability description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the remote servers of Samsung SmartThings Hub due to the hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers. A remote attacker can send an HTTP request, trigger incorrect handling of camera IDs for the "sync" operation, delete arbitrary cameras and cause the service to crash.

How to mitigate CVE-2018-3918

Install update from vendor's website.

Sources

https://www.talosintelligence.com/reports/TALOS-2018-0582/

Improper input validation in SmartThings Hub STH-ETH-250 - CVE-2018-3918

Detailed vulnerability description

How to mitigate CVE-2018-3918

Sources

Please verify you're human