CVE-2018-3926 — MEDIUM (5.5)

Vulnerability Description

An exploitable integer underflow vulnerability exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process incorrectly handles malformed files existing in its data directory, leading to an infinite loop, which eventually causes the process to crash. An attacker can send an HTTP request to trigger this vulnerability.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Samsung	Sth-Eth-250 Firmware	0.20.17
Samsung	Sth-Eth-250	-

Related Weaknesses (CWE)

CWE-191

References

http://www.securityfocus.com/bid/105162Broken LinkThird Party AdvisoryVDB Entry
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0593ExploitThird Party Advisory
http://www.securityfocus.com/bid/105162Broken LinkThird Party AdvisoryVDB Entry
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0593ExploitThird Party Advisory

FAQ

What is CVE-2018-3926?

CVE-2018-3926 is a vulnerability with a CVSS score of 5.5 (MEDIUM). An exploitable integer underflow vulnerability exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore pro...

How severe is CVE-2018-3926?

CVE-2018-3926 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-3926?

Check the references section above for vendor advisories and patch information. Affected products include: Samsung Sth-Eth-250 Firmware, Samsung Sth-Eth-250.