CVE-2018-3834

Published: Aug 2, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

8.7

HIGH

Description

An exploitable permanent denial of service vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is going to be installed and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent brick condition. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve a signed firmware image.

Vendor	Product	Versions
Insteon	Insteon	affected `Insteon Hub 2245-222 - Firmware version 1013`

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

References

https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0513

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2018-3834

Description

Affected Products

CVSS v3.0 Details

References