Brannon Dorsey Radio Thermostat CT50/Radio Thermostat CT80 up to 1.04.84 Local HTTP API DNS Rebinding input validation

Summaryinfo

A vulnerability has been found in Brannon Dorsey Radio Thermostat CT50 and Radio Thermostat CT80 up to 1.04.84 and classified as critical. The impacted element is an unknown function of the component Local HTTP API. The manipulation leads to input validation (DNS Rebinding). This vulnerability is uniquely identified as CVE-2018-11315. Local access is required to approach this attack. No exploit exists.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Brannon Dorsey Radio Thermostat CT50 and Radio Thermostat CT80 up to 1.04.84. This issue affects an unknown part of the component Local HTTP API. The manipulation with an unknown input leads to a input validation vulnerability (DNS Rebinding). Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860.

The bug was discovered 04/02/2018. The weakness was disclosed 05/20/2018 (Website). The advisory is shared at github.com. The identification of this vulnerability is CVE-2018-11315 since 05/20/2018. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 48 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Brannon Dorsey

Name

• Radio Thermostat CT50
• Radio Thermostat CT80

Version

• 1.04.0
• 1.04.1
• 1.04.2
• 1.04.3
• 1.04.4
• 1.04.5
• 1.04.6
• 1.04.7
• 1.04.8
• 1.04.9
• 1.04.10
• 1.04.11
• 1.04.12
• 1.04.13
• 1.04.14
• 1.04.15
• 1.04.16
• 1.04.17
• 1.04.18
• 1.04.19
• 1.04.20
• 1.04.21
• 1.04.22
• 1.04.23
• 1.04.24
• 1.04.25
• 1.04.26
• 1.04.27
• 1.04.28
• 1.04.29
• 1.04.30
• 1.04.31
• 1.04.32
• 1.04.33
• 1.04.34
• 1.04.35
• 1.04.36
• 1.04.37
• 1.04.38
• 1.04.39
• 1.04.40
• 1.04.41
• 1.04.42
• 1.04.43
• 1.04.44
• 1.04.45
• 1.04.46
• 1.04.47
• 1.04.48
• 1.04.49
• 1.04.50
• 1.04.51
• 1.04.52
• 1.04.53
• 1.04.54
• 1.04.55
• 1.04.56
• 1.04.57
• 1.04.58
• 1.04.59
• 1.04.60
• 1.04.61
• 1.04.62
• 1.04.63
• 1.04.64
• 1.04.65
• 1.04.66
• 1.04.67
• 1.04.68
• 1.04.69
• 1.04.70
• 1.04.71
• 1.04.72
• 1.04.73
• 1.04.74
• 1.04.75
• 1.04.76
• 1.04.77
• 1.04.78
• 1.04.79
• 1.04.80
• 1.04.81
• 1.04.82
• 1.04.83
• 1.04.84

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion