OS command injection in Yi Home Camera - CVE-2018-3910


Published: November 2, 2018


Vulnerability identifier: #VU15692
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-3910
CWE-ID: CWE-78
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: YI Technology
Affected software:
Yi Home Camera

Detailed vulnerability description

The vulnerability allows an adjacent attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient sanitization of user-supplied data in the cloud OTA setup functionality. An adjacent attacker can trick the victim into connecting their camera to a specially crafted SSID, injecting arbitrary OS commands and executing arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


How to mitigate CVE-2018-3910

Update to the latest version.

Sources