CVE-2018-3833
Summary
| CVE | CVE-2018-3833 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-23 14:29:00 UTC |
| Updated | 2023-02-03 18:40:00 UTC |
| Description | An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server 'cache.insteon.com' and serve any signed firmware image. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Insteon | Hub 2245-222 | - | All | All | All |
| Operating System | Insteon | Hub 2245-222 Firmware | 1013 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| TALOS-2018-0512 (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) | MISC | www.talosintelligence.com | Exploit, Technical Description, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.