CVE-2018-3832
Summary
| CVE | CVE-2018-3832 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-23 14:29:00 UTC |
| Updated | 2023-02-03 18:39:00 UTC |
| Description | An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker can upload an MPFS binary via the '/mpfsupload' HTTP form and later on upload the firmware via a POST request to 'firmware.htm'. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Insteon | Hub 2245-222 | - | All | All | All |
| Operating System | Insteon | Hub 2245-222 Firmware | 1013 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Insteon Hub MPFS binary file upload | IBM X-Force Exchange | exchange.xforce.ibmcloud.com | Third Party Advisory |
| TALOS-2018-0511 \|\| Cisco Talos Intelligence Group - Comprehensive Threat Intelligence | MISC | www.talosintelligence.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.