CVE-2018-11315 - OpenCVE

The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:A/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Radiothermostat	Ct50 Ct50 Firmware Ct80 Ct80 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:radiothermostat:ct50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:radiothermostat:ct50:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:radiothermostat:ct80_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:radiothermostat:ct80:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/brannondorsey/radio-thermostat
https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-05-20T13:00:00

Updated: 2024-08-05T08:01:52.900Z

Reserved: 2018-05-20T00:00:00

Link: CVE-2018-11315

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-20T13:29:00.273

Modified: 2023-11-07T02:51:40.023

Link: CVE-2018-11315

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-05-20T00:00:00", "descriptions": [{"lang": "en", "value": "The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-03T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/brannondorsey/radio-thermostat"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11315", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability", "refsource": "MISC", "url": "https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability"}, {"name": "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325", "refsource": "MISC", "url": "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325"}, {"name": "https://github.com/brannondorsey/radio-thermostat", "refsource": "MISC", "url": "https://github.com/brannondorsey/radio-thermostat"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T08:01:52.900Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/brannondorsey/radio-thermostat"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11315", "datePublished": "2018-05-20T13:00:00", "dateReserved": "2018-05-20T00:00:00", "dateUpdated": "2024-08-05T08:01:52.900Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:radiothermostat:ct50_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AAAD4A16-DF2A-4B01-93B8-D293E9B3018E", "versionEndIncluding": "1.04.84", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:radiothermostat:ct50:-:*:*:*:*:*:*:*", "matchCriteriaId": "13E0CACE-02E9-4250-AF18-C841F6859D49", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:radiothermostat:ct80_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2AF5DA3-5A66-465A-BC2D-ADF99AF4FEF1", "versionEndIncluding": "1.04.84", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:radiothermostat:ct80:-:*:*:*:*:*:*:*", "matchCriteriaId": "1837925F-485B-49DF-9C29-094C8721D5AC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860."}, {"lang": "es", "value": "La API HTTP local en productos Radio Thermostat CT50 y CT80, en versiones 1.04.84 y anteriores, permite el acceso no autorizado mediante un ataque de reenlace DNS. Esto puede resultar en el control remoto de la temperatura del dispositivo, tal y como queda demostrado con una petici\u00f3n tstat t_heat que accede al dispositivo comprado en primavera de 2018 y establece la temperatura objetivo de un hogar en 95 grados Fahrenheit. Esta vulnerabilidad podr\u00eda describirse como un a\u00f1adido de CVE-2013-4860."}], "id": "CVE-2018-11315", "lastModified": "2023-11-07T02:51:40.023", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-20T13:29:00.273", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/brannondorsey/radio-thermostat"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325"}, {"source": "cve@mitre.org", "url": "https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}