CVE-2018-3927 — Improper Certificate Validation in Samsung

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

5.9MEDIUMNVD

CNA6.8

EPSS

0.4%

top 42.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Samsung Sth-eth-250 Firmware

Timeline

PublishedAug 27

Latest updateMay 13

Description

An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. When hubCore crashes, Google Breakpad is used to record minidumps, which are sent over an insecure HTTPS connection to the backtrace.io service, leading to the exposure of sensitive data. An attacker can impersonate the remote backtrace.io server in order to trigger this vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDsamsung/sth-eth-250_firmware0.20.17

▶CVEListV5samsung/samsungSamsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17

🔴Vulnerability Details

GHSA

GHSA-53x2-3mx9-q64r: An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Fir↗2022-05-13

▶

CVEList

CVE-2018-3927: An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Fir↗2018-08-27

▶