PT-2018-16319

Published 2018-08-27 · Updated 2022-04-19 · CVE-2018-3927

CVSS v3.1: 6.8 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Vulnerable software and affected versions: Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17
Description: An information disclosure issue exists in the crash handler of the hubCore binary. When hubCore crashes, it uses Google Breakpad to record a minidump (a snapshot of crash-time process state such as thread stacks and registers) and uploads it over HTTPS to the backtrace.io crash-reporting service. The uploader does not validate the server's TLS certificate (CWE-295), so the connection is encrypted but the peer is not authenticated. An attacker on the hub's network path who can impersonate the backtrace.io endpoint, for example by answering its DNS name with a self-signed certificate, receives the minidump and any sensitive data it contains. The attacker needs that on-path position and a hubCore crash to occur, which is reflected in the high attack complexity (AC:H) of the CVSS vector.
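What an impersonated crash server actually obtains is the content of the minidump, so the following added example (not hubCore, Breakpad or backtrace.io code) builds a small synthetic minidump with Breakpad's Linux environ stream and one memory range, then parses the stream directory and reports the copied process state and any secret-looking strings in it. The stream type constants are Breakpad's; the sample environ and stack bytes, the timestamp and the function names are constructed for this example.

```python
import re
import struct

# Added example (not SmartThings or Breakpad code): minimal minidump triage
# showing what an impersonated crash server receives.

MDMP_SIGNATURE = 0x504D444D  # b"MDMP" read as a little-endian u32
MDMP_VERSION = 0xA793        # low 16 bits of MINIDUMP_HEADER.Version

# Stream types: standard MINIDUMP_STREAM_TYPE values plus Breakpad's Linux
# extensions (google_breakpad/common/minidump_format.h).
STREAM_NAMES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    0x47670001: "MD_BREAKPAD_INFO_STREAM",
    0x47670006: "MD_LINUX_CMD_LINE",
    0x47670007: "MD_LINUX_ENVIRON",
    0x47670008: "MD_LINUX_AUXV",
    0x47670009: "MD_LINUX_MAPS",
}
# Streams whose payload is copied process state. Breakpad's Linux writer puts
# thread stacks into MemoryListStream, so stack bytes are reached through it.
INLINE_STATE = {0x47670006, 0x47670007, 0x47670008}
MEMORY_LIST = 5

# Crude secret heuristic; environ/cmdline entries are NUL-separated.
SECRET_PATTERN = re.compile(rb"(?i)(token|secret|password|key)[=:][ \t]*[^\s\x00]+")

# Constructed sample contents (invented for this example).
SAMPLE_ENVIRON = b"HOME=/root\0HUB_API_TOKEN=tok_constructed_0123\0PATH=/usr/bin\0"
SAMPLE_STACK = b"\0" * 24 + b"password: hunter2-constructed\0" + b"A" * 16


def build_sample_minidump(environ: bytes, stack: bytes) -> bytes:
    """Assemble a little-endian minidump with an environ and a memory-list stream."""
    header_len, dir_len = 32, 2 * 12
    environ_rva = header_len + dir_len
    memlist_rva = environ_rva + len(environ)
    memlist_len = 4 + 16                     # u32 count + one memory descriptor
    stack_rva = memlist_rva + memlist_len
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, MDMP_VERSION, 2,
                         header_len, 0, 0x5B83A0C0, 0)
    directory = struct.pack("<III", 0x47670007, len(environ), environ_rva)
    directory += struct.pack("<III", MEMORY_LIST, memlist_len, memlist_rva)
    # MINIDUMP_MEMORY_DESCRIPTOR: u64 start address, u32 size, u32 rva
    memlist = struct.pack("<IQII", 1, 0x7FFD20000000, len(stack), stack_rva)
    return header + directory + environ + memlist + stack


def parse_streams(dump: bytes):
    """Return (type, name, size, rva) for each stream directory entry."""
    if len(dump) < 32:
        raise ValueError("truncated minidump header")
    sig, ver, count, dir_rva, _csum, _ts, _flags = struct.unpack_from("<IIIIIIQ", dump, 0)
    if sig != MDMP_SIGNATURE or (ver & 0xFFFF) != MDMP_VERSION:
        raise ValueError("not a minidump")
    streams = []
    for i in range(count):
        stype, size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        if rva + size > len(dump):
            raise ValueError(f"stream {stype:#x} points outside the file")
        streams.append((stype, STREAM_NAMES.get(stype, f"{stype:#010x}"), size, rva))
    return streams


def memory_ranges(dump: bytes, rva: int):
    """Yield (start_address, bytes) for each descriptor in a MemoryListStream."""
    (count,) = struct.unpack_from("<I", dump, rva)
    for i in range(count):
        start, dsize, drva = struct.unpack_from("<QII", dump, rva + 4 + 16 * i)
        if drva + dsize > len(dump):
            raise ValueError("memory range points outside the file")
        yield start, dump[drva:drva + dsize]


def triage(dump: bytes) -> dict:
    """Summarise the process state an attacker holding this dump obtains."""
    report = {"streams": [], "exposed_bytes": 0, "secret_hits": []}
    for stype, name, size, rva in parse_streams(dump):
        report["streams"].append(name)
        if stype == MEMORY_LIST:
            blobs = [blob for _, blob in memory_ranges(dump, rva)]
        elif stype in INLINE_STATE:
            blobs = [dump[rva:rva + size]]
        else:
            continue
        for blob in blobs:
            report["exposed_bytes"] += len(blob)
            report["secret_hits"] += [m.group(0).decode("ascii", "replace")
                                      for m in SECRET_PATTERN.finditer(blob)]
    return report


def demo() -> dict:
    """Build the constructed dump and triage it."""
    return triage(build_sample_minidump(SAMPLE_ENVIRON, SAMPLE_STACK))
```

Running `demo()` on the constructed dump reports both streams, the number of copied process bytes and the two planted secret-like strings; on a real Breakpad dump the same directory walk applies, with the memory list and the Linux environ/cmdline streams being the ones worth reading first.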
Recommendations: The fix belongs in the hub firmware: the crash handler's uploader must verify the backtrace.io server certificate chain and hostname against a trusted CA (or a pinned certificate) before sending a minidump, and until it does, minidump upload should be disabled or stripped of process memory. Hubs running firmware version 0.20.17 should be updated to a vendor release that includes this change; the hub is a managed appliance and end users have no supported way to disable or restrict the crash handler themselves. Until a hub is updated, limit the opportunity for impersonation: keep the hub on a segregated network segment with trusted DNS resolvers, and watch for TLS connections from the hub to backtrace.io that present an unexpected certificate issuer.
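The two client settings whose absence turns HTTPS into the "insecure HTTPS" of this advisory, beside their corrected form and a check that flags the weak configuration, written against Python's ssl module as an added example (not hubCore, Breakpad or backtrace.io code; the function names are mine):

```python
import ssl

# Added example: weak vs. hardened TLS client settings for a crash uploader.


def weak_upload_context() -> ssl.SSLContext:
    """Reproduces the failure mode: TLS is used, but any certificate is accepted,
    so an on-path attacker with a self-signed certificate can pose as the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_upload_context(cafile=None) -> ssl.SSLContext:
    """Verifies the chain (system trust store, or a pinned CA file when given),
    checks the hostname and refuses pre-1.2 protocol versions."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that would make a minidump upload interceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (CERT_REQUIRED missing)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings
```

`audit_context` is the same check a reviewer applies to any uploader, whatever the TLS library: certificate verification on, hostname verification on, and a modern protocol floor. With `weak_upload_context()` the first two findings fire; `hardened_upload_context()` produces none.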

Weakness Enumeration

CWE-295: Improper Certificate Validation

Related Identifiers

CVE-2018-3927

Affected Products

Google Breakpad
Samsung SmartThings Hub
hubCore