CVE-2018-3907

10.0 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Samsung SmartThings Hub devices by exploiting a flaw in the HTTP server's REST parser. Attackers can send specially crafted pipelined HTTP requests that overwrite previously parsed HTTP methods, potentially leading to complete system compromise. Only Samsung SmartThings Hub STH-ETH-250 devices with vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Samsung SmartThings Hub STH-ETH-250
Versions: Firmware version 0.20.17 and earlier
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The video-core HTTP server runs by default on port 39500 and is typically internet-accessible for remote management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to persistent access, data theft, and potential lateral movement to other IoT devices on the network.

🟠 Likely Case

Remote code execution allowing attackers to install malware, create backdoors, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if device is isolated from internet and other critical systems, though local network attacks remain possible.

🌐 Internet-Facing: HIGH - The HTTP server is internet-accessible by default, making devices directly exploitable from the internet.
🏢 Internal Only: HIGH - Even if not internet-facing, devices on local networks remain vulnerable to internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details and proof-of-concept code are publicly available in the Talos Intelligence report. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after 0.20.17

Vendor Advisory: https://www.samsung.com/us/support/answer/ANS00078095/

Restart Required: Yes

Instructions:

1. Log into SmartThings mobile app
2. Navigate to Settings > Hub Information
3. Check for firmware updates
4. Apply available updates
5. Device will automatically restart

🔧 Temporary Workarounds

Network Isolation

linux

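Block inbound internet access to the SmartThings Hub while maintaining outbound connectivity for functionality. The rules below are written for a Linux gateway in front of the hub, where traffic destined for the hub traverses the FORWARD chain (INPUT only matches traffic addressed to the gateway itself). HUB_IP is a placeholder for the hub's address.

iptables -A FORWARD -p tcp -d HUB_IP --dport 39500 -j DROP
iptables -A FORWARD -p udp -d HUB_IP --dport 39500 -j DROP

Firewall Restriction

linux

Restrict access to port 39500 to only trusted management systems. The ACCEPT rule must come before the DROP rule, as shown.

iptables -A FORWARD -p tcp -s TRUSTED_IP -d HUB_IP --dport 39500 -j ACCEPT
iptables -A FORWARD -p tcp -d HUB_IP --dport 39500 -j DROP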

🧯 If You Can't Patch

  • Disconnect device from internet entirely and use only local network control
  • Place device in isolated VLAN with no access to other critical systems

🔍 How to Verify

Check if Vulnerable:

Check firmware version in SmartThings app: Settings > Hub Information > Firmware version. If version is 0.20.17 or earlier, device is vulnerable.

Check Version:

curl -s http://[HUB_IP]:39500 | grep -i version

Verify Fix Applied:

Verify that the firmware version shown in the SmartThings app is higher than 0.20.17. After the update, test HTTP requests to port 39500 should no longer trigger the vulnerability.

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP requests to port 39500 in rapid succession
  • Unusual process creation from video-core service
  • Failed HTTP parsing errors in system logs

Network Indicators:

  • Unusual traffic patterns to port 39500
  • HTTP pipelining requests to the hub
  • Outbound connections from hub to unknown destinations

SIEM Query:

source="smartthings_hub" AND ((dest_port=39500 AND http_method_count>5) OR (process="video-core" AND cmdline="*unusual*"))
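
One way to turn the "HTTP pipelining requests to the hub" indicator into a check, as an added example that is not part of the original advisory or any vendor tooling. It assumes each payload is already-reassembled client-to-server TCP data; the function names, sample addresses and paths are constructed for illustration.

```python
import re

HUB_PORT = 39500  # video-core HTTP server port named in this advisory
# Request line: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]$")


def count_requests(stream: bytes) -> int:
    """Count HTTP requests framed back to back in one client payload.

    Bodies are skipped via Content-Length, so body bytes that merely look
    like a request line are not counted as a second request.
    """
    count, pos = 0, 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # incomplete header block: nothing more to frame
        lines = stream[pos:head_end].split(b"\r\n")
        if not REQUEST_LINE.match(lines[0]):
            break  # not HTTP framing at this offset
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                length = int(value.strip())
        count += 1
        pos = head_end + 4 + length  # skip header terminator and body
    return count


def pipelining_sources(segments):
    """Sorted source IPs that sent more than one request in one payload to the hub port."""
    return sorted({src for src, dport, payload in segments
                   if dport == HUB_PORT and count_requests(payload) > 1})


# Constructed sample payloads (addresses and paths are made up)
SAMPLE_SEGMENTS = [
    ("192.0.2.10", 39500, b"GET /status HTTP/1.1\r\nHost: hub\r\n\r\n"),
    ("192.0.2.20", 39500, b"POST /a HTTP/1.1\r\nContent-Length: 4\r\n\r\nabcd"
                          b"GET /b HTTP/1.1\r\nHost: hub\r\n\r\n"),
    ("192.0.2.30", 39500, b"POST /a HTTP/1.1\r\nContent-Length: 19\r\n\r\n"
                          b"GET /x HTTP/1.1\r\n\r\n"),  # request-like text inside a body
    ("192.0.2.40", 8080, b"GET /1 HTTP/1.1\r\n\r\nGET /2 HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print(pipelining_sources(SAMPLE_SEGMENTS))
```

Pipelining is legal HTTP/1.1, so a hit is a lead to correlate with the other indicators above rather than proof of exploitation.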
