PT-2018-16303 · Samsung · Samsung SmartThings Hub

Published: 2018-08-23 · Updated: 2023-02-04 · CVE-2018-3911

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Samsung SmartThings Hub STH-ETH-250 version 0.20.17

Description: An exploitable HTTP header injection issue exists in the remote servers of the Samsung SmartThings Hub. The hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely handle JSON messages. This leads to partially controlled requests generated toward the internal video-core process. An attacker can send an HTTP request to trigger this issue.

Recommendations: For Samsung SmartThings Hub STH-ETH-250 version 0.20.17, consider restricting access to port 39500 to minimize the risk of exploitation. As a temporary workaround, avoid using the hubCore process until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.
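The weakness class behind the description above is CWE-113 style header injection: a string taken from an untrusted JSON message is copied into an HTTP header of a request generated toward another component, and CR/LF in that string adds header lines the relaying code never intended. The following is an added illustration, not the hub's or SmartThings' code, and the JSON field names (`device`, `token`) and the relay mapping are assumptions made for the example. It places a naive header builder beside a checked one, and adds a scanner that can flag control characters in JSON messages before they are relayed (or from a log pipeline).

```python
import json
import re
from typing import Dict, List

# Control characters that must never appear in an HTTP header value.
# CR and LF terminate a header line; the rest of the C0 range and DEL are
# rejected too (RFC 7230 permits only HTAB among them inside field values).
_BAD_HEADER_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# RFC 7230 "token" characters, the only ones legal in a header name.
_TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


class HeaderInjectionError(ValueError):
    """Raised when an untrusted value would corrupt the header block."""


def check_header_value(name: str, value: str) -> str:
    """Return value unchanged if it is safe to place in a header, else raise."""
    if not isinstance(value, str):
        raise HeaderInjectionError(f"{name}: header value must be a string")
    if _BAD_HEADER_CHARS.search(value):
        raise HeaderInjectionError(f"{name}: control character in header value")
    return value


def build_request_naive(path: str, headers: Dict[str, str]) -> str:
    """Header block built by plain string concatenation with no validation.
    This is the pattern that turns untrusted input into header injection."""
    lines = [f"GET {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_request_checked(path: str, headers: Dict[str, str]) -> str:
    """Same layout, but the target, every header name and every value are
    validated before they are serialised."""
    if _BAD_HEADER_CHARS.search(path) or " " in path:
        raise HeaderInjectionError("request target contains control chars or whitespace")
    lines = [f"GET {path} HTTP/1.1"]
    for name, value in headers.items():
        if not _TOKEN_RE.fullmatch(name):
            raise HeaderInjectionError(f"illegal header name {name!r}")
        lines.append(f"{name}: {check_header_value(name, value)}")
    return "\r\n".join(lines) + "\r\n\r\n"


def header_lines(raw: str) -> List[str]:
    """Header lines of a serialised request, excluding the request line."""
    return raw.split("\r\n\r\n")[0].split("\r\n")[1:]


def find_control_chars(obj, path: str = "$") -> List[str]:
    """Walk a decoded JSON document and return the JSONPath-like locations of
    string fields carrying CR/LF or other control characters."""
    hits: List[str] = []
    if isinstance(obj, str):
        if _BAD_HEADER_CHARS.search(obj):
            hits.append(path)
    elif isinstance(obj, dict):
        for key, value in obj.items():
            hits += find_control_chars(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits += find_control_chars(value, f"{path}[{idx}]")
    return hits


def scan_message(message_json: str) -> List[str]:
    """Decode a raw JSON message and report fields that would be unsafe to
    copy into headers; an empty list means the message passed the check."""
    return find_control_chars(json.loads(message_json))


def relay_headers(message_json: str) -> Dict[str, str]:
    """Hypothetical relay mapping from message fields to request headers
    (an assumption for this example, not the hub's real message format)."""
    msg = json.loads(message_json)
    return {"X-Device": msg["device"], "Authorization": f"Bearer {msg['token']}"}


# Constructed sample messages for the example; not captured from a real hub.
BENIGN_MESSAGE = json.dumps({"device": "cam-01", "token": "abc123"})
TAINTED_MESSAGE = json.dumps({"device": "cam-01", "token": "abc123\r\nX-Injected: 1"})

if __name__ == "__main__":
    print("benign hits:", scan_message(BENIGN_MESSAGE))
    print("tainted hits:", scan_message(TAINTED_MESSAGE))
    print("naive header count:", len(header_lines(build_request_naive("/status", relay_headers(TAINTED_MESSAGE)))))
    try:
        build_request_checked("/status", relay_headers(TAINTED_MESSAGE))
    except HeaderInjectionError as exc:
        print("checked builder rejected:", exc)
```

Running the module shows the naive builder emitting three header lines for a message whose mapping should produce two, while the checked builder refuses the same input; the scanner reports the offending field as `$.token`. A relay that validates at the boundary in this way, combined with the network restriction of port 39500 recommended above, removes the path from unauthenticated input to header content.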

Related Identifiers: CVE-2018-3911

Affected Products: Samsung SmartThings Hub