CVE-2018-15476

Name of the Vulnerable Software and Affected Versions myStrom WiFi Switch V1 versions prior to 2.66 myStrom WiFi Switch V2 versions prior to 3.80 myStrom WiFi Switch EU versions prior to 3.80 myStrom WiFi Bulb versions prior to 2.58 myStrom WiFi LED Strip versions prior to 3.80 myStrom WiFi Button versions prior to 2.73 myStrom WiFi Button Plus versions prior to 2.73

Description An issue was discovered where the SSL/TLS server certificate in device to cloud communication was not verified by the device. This allowed an attacker in control of the network traffic to potentially take control of a device through a Man-in-the-Middle attack by intercepting and modifying commands from the server to the device. The attacker could also inject firmware update commands, causing the device to install maliciously modified firmware.

Recommendations For myStrom WiFi Switch V1 versions prior to 2.66, update to version 2.66 or later. For myStrom WiFi Switch V2 versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Switch EU versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Bulb versions prior to 2.58, update to version 2.58 or later. For myStrom WiFi LED Strip versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Button versions prior to 2.73, update to version 2.73 or later. For myStrom WiFi Button Plus versions prior to 2.73, update to version 2.73 or later.