VYPR
Unrated severity · NVD Advisory · Published Sep 10, 2018 · Updated Sep 17, 2024

CVE-2018-3875

Description

An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. The strncpy overflows the destination buffer, which has a size of 2,000 bytes. An attacker can send an arbitrarily long "sessionToken" value in order to exploit this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack buffer overflow in Samsung SmartThings Hub video-core HTTP server allows remote attackers to crash the device or execute arbitrary code via a crafted sessionToken.

Vulnerability

In Samsung SmartThings Hub STH-ETH-250 firmware version 0.20.17, the video-core process handles HTTP requests related to camera credential management. The handler incorrectly extracts fields from a user-controlled JSON payload, using strncpy to copy the "sessionToken" value into a stack buffer of only 2,000 bytes. An attacker can supply an arbitrarily long "sessionToken", causing a classic buffer overflow (CWE-120) on the stack. Reference [1] confirms the affected firmware version and this root cause.
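A bounded copy for this kind of field extraction, as an added example rather than code from the advisory or the firmware. The flawed call shown in the comment is an assumed pattern (the page does not show the handler's source), and `copy_session_token` and `TOKEN_BUF_SIZE` are hypothetical names; only the 2,000-byte size comes from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF_SIZE 2000 /* destination size given in the description */

/* Assumed flawed pattern (not the firmware's source): the bound is taken
 * from the attacker-controlled value, so strncpy limits nothing.
 *
 *     char token[TOKEN_BUF_SIZE];
 *     strncpy(token, json_value, strlen(json_value));
 */

/* Hypothetical hardened copy. Returns 0 on success, -1 if the value is
 * missing or does not fit together with its terminating NUL. Oversized
 * input is rejected, not truncated: a cut-off credential is never valid. */
int copy_session_token(char *dst, size_t dst_size, const char *json_value)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (json_value == NULL)
        return -1;

    /* Scan at most dst_size bytes of input, bounded by the destination. */
    while (len < dst_size && json_value[len] != '\0')
        len++;
    if (len >= dst_size)
        return -1;

    memcpy(dst, json_value, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char token[TOKEN_BUF_SIZE];
    char oversized[5001]; /* constructed sample input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short token: %d\n", copy_session_token(token, sizeof token, "abc123"));
    printf("5000-byte token: %d\n", copy_session_token(token, sizeof token, oversized));
    return 0;
}
```

The size check uses the destination's capacity, so the 2,000-byte boundary case (a 2,000-character value with no room for the NUL) is rejected along with anything longer.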

Exploitation

An attacker must first authenticate to the hub (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). With network access to the hub, the attacker sends a crafted HTTP request containing a JSON body with an oversized "sessionToken" field. The video-core process parses this JSON and copies the token into the fixed‑size stack buffer using strncpy, which overflows the buffer. No user interaction beyond authentication is required. Reference [1] describes the attack as sending an HTTP request with the malicious payload.

Impact

Successful exploitation can cause a stack buffer overflow, leading to a crash of the video-core process or, potentially, arbitrary code execution. The CVSS scope indicates the compromise can affect other components of the hub (changed scope), with high impact on confidentiality, integrity, and availability. An attacker could gain root‑level access to the device or use it as a pivot point within the local network. Reference [1] lists the CVSS score of 9.9 and details the possible consequences.

Mitigation

Samsung has not released a firmware update for this vulnerability as of the published date. Users should monitor vendor advisories for a patched firmware version. There are no known workarounds, and the device is not listed on CISA’s KEV as of this writing. Reference [1] provides the disclosure and notes that the tested version is 0.20.17, but no fix is mentioned.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.