CVE-2018-3907
Description
An exploitable vulnerability exists in the REST parser of the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method and the URL captured by the 'on_url' callback. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2018-3907 is an HTTP request-handling vulnerability in the video-core REST parser of the Samsung SmartThings Hub (STH-ETH-250) firmware 0.20.17: when requests are pipelined on one connection, a later request overwrites the HTTP method and URL already parsed for an earlier one.
Vulnerability
The vulnerability resides in the REST parser of the video-core HTTP server in the Samsung SmartThings Hub STH-ETH-250 running firmware version 0.20.17. The parser keeps the parsed HTTP method and the URL delivered through its on_url callback in state shared across the requests on a connection, and it handles pipelined requests incorrectly, so a later request's values overwrite those already parsed for an earlier request before that request has been fully handled. The issue is classified as CWE-444 (HTTP Request Smuggling) [1].
Exploitation
An attacker exploits this by sending several HTTP requests back to back (pipelined) on a single connection to the video-core REST parser. No authentication or prior access to the hub is needed; the flaw is reachable over the network with low attack complexity. Because a later request's method and URL overwrite the earlier request's in the parser's state, the hub processes the earlier request using attacker-chosen values taken from a later one [1].
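The parser-state mistake described in the Vulnerability and Exploitation sections, as an added example that is not video-core's code (which is not on this page): a minimal request-line parser whose http_parser-style on_url and on_method callbacks write into per-connection state. Everything here is an assumption for illustration; the struct, function names and the two pipelined requests are constructed, and the "vulnerable" pattern (parse everything the socket delivered, then dispatch once from the shared state) is one plausible way the described overwrite occurs, not a reconstruction of the real code. The fixed variant dispatches each message as soon as it completes and clears the shared fields before parsing the next one, and it also leaves a partial trailing request unconsumed for the next read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 8
#define URL_MAX    64
#define MAX_REQ    8

/* Per-connection state. The callbacks write the parsed method and URL here,
 * mirroring an http_parser-style on_url callback. Constructed for this
 * example; the real video-core structures are not on the page. */
struct conn {
    char method[METHOD_MAX];
    char url[URL_MAX];
    /* What the request handler was actually dispatched with, recorded for checking. */
    int  n_handled;
    char handled_method[MAX_REQ][METHOD_MAX];
    char handled_url[MAX_REQ][URL_MAX];
};

static void copy_bounded(char *dst, size_t cap, const char *src, size_t n) {
    if (n >= cap) n = cap - 1;           /* truncate rather than overflow */
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Callbacks: each one simply overwrites the shared per-connection fields. */
static void on_method(struct conn *c, const char *p, size_t n) { copy_bounded(c->method, METHOD_MAX, p, n); }
static void on_url(struct conn *c, const char *p, size_t n)    { copy_bounded(c->url, URL_MAX, p, n); }

/* The request handler: records the method and URL it was dispatched with. */
static void handle_request(struct conn *c) {
    if (c->n_handled >= MAX_REQ || c->method[0] == '\0') return;
    strcpy(c->handled_method[c->n_handled], c->method);
    strcpy(c->handled_url[c->n_handled], c->url);
    c->n_handled++;
}

/* Parse one message: "METHOD SP URL SP HTTP/1.1\r\n" plus headers, ending at
 * the blank line. Returns bytes consumed, or 0 if no complete message yet. */
static size_t parse_message(struct conn *c, const char *buf, size_t len) {
    size_t i, end = 0;
    for (i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = i + 4; break; }
    if (end == 0) return 0;
    const char *sp1 = memchr(buf, ' ', end);
    const char *sp2 = sp1 ? memchr(sp1 + 1, ' ', end - (size_t)(sp1 + 1 - buf)) : NULL;
    if (sp1 && sp2) {
        on_method(c, buf, (size_t)(sp1 - buf));
        on_url(c, sp1 + 1, (size_t)(sp2 - sp1 - 1));
    }
    return end;                           /* a malformed request line is consumed and dropped */
}

/* Vulnerable pattern: run the parser over everything the socket delivered,
 * then dispatch once from the shared state. With pipelined requests the
 * second request's callbacks overwrite the first's method and URL before
 * the first is ever handled. Returns bytes consumed. */
size_t serve_vulnerable(struct conn *c, const char *buf, size_t len) {
    size_t off = 0, n;
    while ((n = parse_message(c, buf + off, len - off)) > 0) off += n;
    handle_request(c);
    return off;
}

/* Fixed pattern: dispatch each message as soon as it completes and clear the
 * per-message state before parsing the next one. Unconsumed bytes (a partial
 * trailing request) stay in the caller's buffer for the next read. */
size_t serve_fixed(struct conn *c, const char *buf, size_t len) {
    size_t off = 0, n;
    while ((n = parse_message(c, buf + off, len - off)) > 0) {
        handle_request(c);
        c->method[0] = '\0';
        c->url[0] = '\0';
        off += n;
    }
    return off;
}

/* Constructed input: two requests pipelined on one connection. */
static const char PIPELINED[] =
    "GET /a HTTP/1.1\r\nHost: hub\r\n\r\n"
    "POST /b HTTP/1.1\r\nHost: hub\r\n\r\n";

int main(void) {
    struct conn v = {0}, f = {0};
    serve_vulnerable(&v, PIPELINED, sizeof PIPELINED - 1);
    serve_fixed(&f, PIPELINED, sizeof PIPELINED - 1);
    printf("vulnerable: %d request(s) handled, first seen as %s %s\n",
           v.n_handled, v.handled_method[0], v.handled_url[0]);
    printf("fixed:      %d request(s) handled, first seen as %s %s\n",
           f.n_handled, f.handled_method[0], f.handled_url[0]);
    return 0;
}
```

Run stand-alone, the vulnerable path reports one handled request carrying `POST /b` although the connection sent `GET /a` first; the fixed path reports two, in order. The check a practitioner wants on any callback-driven parser is the same one this demonstrates: confirm that method, URL and headers are snapshotted or consumed at message-complete time, and that the fields are cleared before the parser is fed the next byte of the same connection.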
Impact
Successful exploitation lets an attacker make the hub act on a request using a method and URL that were not those of the request actually being processed, with integrity and availability impacts. The CVSSv3 score is 9.1 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H: high integrity and availability impact and no direct confidentiality impact. Mishandled requests can therefore lead to denial of service or unintended actions on the device [1].
Mitigation
The references available here record no fixed firmware version for this vulnerability as of the public disclosure date (August 24, 2018). Users of the Samsung SmartThings Hub STH-ETH-250 on firmware 0.20.17 should apply any firmware updates Samsung provides, confirm the installed version afterwards, and monitor Samsung's security advisories. No workaround is given in the available references. Where possible, keep the hub on an isolated network segment and do not expose it to untrusted networks [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.20.17
- Talos/Samsung (v5 range): Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2018-0577 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.