PT-2018-16318 · Samsung · Samsung Smartthings Hub

Published: 2018-08-28 · Updated: 2023-03-04 · CVE-2018-3926

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17

Description: The issue is an integer underflow in the ZigBee firmware update routine of the hubCore binary. It is triggered when the hubCore process incorrectly handles malformed files in its data directory, which leads to an infinite loop and eventually crashes the process. An attacker can exploit this by sending a specially crafted HTTP request.

Recommendations: For firmware version 0.20.17, as a temporary workaround, consider restricting access to the hubCore binary until a patch is available. Avoid using the vulnerable ZigBee firmware update routine until the issue is resolved.

Weakness Enumeration: Integer Underflow

Related Identifiers: CVE-2018-3926

Affected Products: Samsung Smartthings Hub