CVE-2018-3832

An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker can upload an MPFS binary via the '/mpfsupload' HTTP form and later on upload the firmware via a POST request to 'firmware.htm'.

CVSS v3 9.0 CRITICAL
CVSS v2.0 8.5 HIGH

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

8.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability : 6.8 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/144976	Third Party Advisory VDB Entry
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0511	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:insteon:hub_2245-222_firmware:1013:*:*:*:*:*:*:*

cpe:2.3:h:insteon:hub_2245-222:-:*:*:*:*:*:*:*

History

03 Feb 2023, 18:39

Type	Values Removed	Values Added
References	~~(Insteon Hub MPFS binary file upload) https://exchange.xforce.ibmcloud.com/vulnerabilities/144976 - Third Party Advisory~~	(Insteon Hub MPFS binary file upload) https://exchange.xforce.ibmcloud.com/vulnerabilities/144976 - Third Party Advisory, VDB Entry

Information

Published : 2018-08-23 14:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-3832

Mitre link : CVE-2018-3832

CVE.ORG link : CVE-2018-3832

JSON object : View

Products Affected

insteon

hub_2245-222
hub_2245-222_firmware

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2018-3832", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2018-08-23T14:29:00.370", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144976", "tags": ["Third Party Advisory", "VDB Entry"], "source": "nvd@nist.gov"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0511", "tags": ["Third Party Advisory"], "source": "talos-cna@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker can upload an MPFS binary via the '/mpfsupload' HTTP form and later on upload the firmware via a POST request to 'firmware.htm'."}, {"lang": "es", "value": "Existe una vulnerabilidad de actualizaci\u00f3n de firmware explotable en Insteon Hub con la versi\u00f3n de firmware 1013. El servidor HTTP permite la subida de archivos binarios MPFS arbitrarios que se podr\u00edan modificar para permitir el acceso a recursos ocultos, lo que permitir\u00eda la subida de im\u00e1genes de firmware sin firmar al dispositivo. Para desencadenar esta vulnerabilidad, un atacante puede subir una binario MPFS mediante el formulario HTTP \"/mpfsupload\" y luego subir el firmware mediante una petici\u00f3n POST a \"firmware.htm\"."}], "lastModified": "2023-02-03T18:39:00.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:insteon:hub_2245-222_firmware:1013:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69E53BAA-E75D-4868-8834-09466CA61026"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:insteon:hub_2245-222:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "150E9049-5523-4BC3-A5A5-473B6D320B68"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "talos-cna@cisco.com"}