Details of VAR-201808-0888

ID

VAR-201808-0888

CVE

CVE-2018-3832

TITLE

Insteon Hub Firmware unreliable upload vulnerability type file vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-009271

DESCRIPTION

An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker can upload an MPFS binary via the '/mpfsupload' HTTP form and later on upload the firmware via a POST request to 'firmware.htm'. Insteon Hub The firmware contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Insteon Hub is an Insteon central controller product of Insteon Company in the United States. This product can remotely control light bulbs, wall switches, air conditioners, etc. in your home

Trust: 1.71

sources: NVD: CVE-2018-3832 // JVNDB: JVNDB-2018-009271 // VULHUB: VHN-133863

AFFECTED PRODUCTS

vendor:	insteon	model:	hub 2245-222	scope:	eq	version:	1013	Trust: 1.6
vendor:	insteon	model:	hub	scope:	eq	version:	firmware 1013	Trust: 0.8

sources: JVNDB: JVNDB-2018-009271 // CNNVD: CNNVD-201808-776 // NVD: CVE-2018-3832

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-3832
value:	CRITICAL
Trust: 1.0
talos-cna@cisco.com:	CVE-2018-3832
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-3832
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201808-776
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-133863
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-3832
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-133863
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-3832
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.1
Trust: 1.0
talos-cna@cisco.com:	CVE-2018-3832
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	6.0
version:	3.0
Trust: 1.0
NVD:	CVE-2018-3832
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-133863 // JVNDB: JVNDB-2018-009271 // CNNVD: CNNVD-201808-776 // NVD: CVE-2018-3832 // NVD: CVE-2018-3832

PROBLEMTYPE DATA

problemtype:

CWE-434

Trust: 1.9

sources: VULHUB: VHN-133863 // JVNDB: JVNDB-2018-009271 // NVD: CVE-2018-3832

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-776

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201808-776

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-009271

PATCH

title:

Insteon Hub

url:

http://www.insteon.com/insteon-hub

Trust: 0.8

sources: JVNDB: JVNDB-2018-009271

EXTERNAL IDS

db:	TALOS	id:	TALOS-2018-0511	Trust: 2.5
db:	NVD	id:	CVE-2018-3832	Trust: 2.5
db:	JVNDB	id:	JVNDB-2018-009271	Trust: 0.8
db:	CNNVD	id:	CNNVD-201808-776	Trust: 0.7
db:	SEEBUG	id:	SSVID-97358	Trust: 0.1
db:	VULHUB	id:	VHN-133863	Trust: 0.1

sources: VULHUB: VHN-133863 // JVNDB: JVNDB-2018-009271 // CNNVD: CNNVD-201808-776 // NVD: CVE-2018-3832

REFERENCES

url:	https://www.talosintelligence.com/vulnerability_reports/talos-2018-0511	Trust: 1.9
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/144976	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-3832	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-3832	Trust: 0.8
url:	https://talosintelligence.com/vulnerability_reports/talos-2018-0511	Trust: 0.6

sources: VULHUB: VHN-133863 // JVNDB: JVNDB-2018-009271 // CNNVD: CNNVD-201808-776 // NVD: CVE-2018-3832

SOURCES

db:	VULHUB	id:	VHN-133863
db:	JVNDB	id:	JVNDB-2018-009271
db:	CNNVD	id:	CNNVD-201808-776
db:	NVD	id:	CVE-2018-3832

LAST UPDATE DATE

2024-11-23T23:02:01.818000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-133863	date:	2023-02-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-009271	date:	2018-11-14T00:00:00
db:	CNNVD	id:	CNNVD-201808-776	date:	2022-04-20T00:00:00
db:	NVD	id:	CVE-2018-3832	date:	2024-11-21T04:06:07.850

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-133863	date:	2018-08-23T00:00:00
db:	JVNDB	id:	JVNDB-2018-009271	date:	2018-11-14T00:00:00
db:	CNNVD	id:	CNNVD-201808-776	date:	2018-08-24T00:00:00
db:	NVD	id:	CVE-2018-3832	date:	2018-08-23T14:29:00.370