Vulnerability Details : CVE-2018-11315
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860.
Vulnerability category: Input validationBypass
Products affected by CVE-2018-11315
- cpe:2.3:o:radiothermostat:ct50_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:radiothermostat:ct80_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11315
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 37 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-11315
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3
|
LOW | AV:A/AC:L/Au:N/C:N/I:P/A:N |
6.5
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2018-11315
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11315
-
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
Attacking Private Networks from the Internet with DNS Rebinding
-
https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability
Millions of Google, Roku, and Sonos Devices Are Vulnerable to a Web Attack | WIRED
-
https://github.com/brannondorsey/radio-thermostat
GitHub - brannondorsey/radio-thermostat: Radio Thermostat CT50 & CT80 REST API notesExploit;Third Party Advisory
Jump to