PT-2018-16310 · Samsung · Samsung Smartthings Hub

Published: 2018-08-27 · Updated: 2023-05-16 · CVE-2018-3918

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Samsung SmartThings Hub STH-ETH-250 version 0.20.17

Description: An issue exists in the remote servers of Samsung SmartThings Hub where the hubCore process listens on port 39500 and relays unauthenticated messages. The servers incorrectly handle camera IDs for the 'sync' operation, leading to arbitrary deletion of cameras. An attacker can send an HTTP request to trigger this issue.

Recommendations: For Samsung SmartThings Hub STH-ETH-250 version 0.20.17, consider restricting access to the hubCore process on port 39500 until a patch is available. As a temporary workaround, avoid using the 'sync' operation for camera IDs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Weakness Enumeration: Improper Neutralization

Related Identifiers: CVE-2018-3918

Affected Products: Samsung Smartthings Hub