A security issue has been identified in a widely used smart home device that could allow information to be leaked via the device’s API. Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
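The bug class named above, shown as an added example that is not SmartThings code and not from the original advisory: an Android component that sends sensitive extras with an implicit intent, beside a hardened form that uses an explicit intent. The class, action, extra and target names are hypothetical.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Intent;

// Hypothetical helper for illustration; not the WifiSetupLaunchHelper source.
public final class SetupLaunchExample {
    // Hypothetical action, extra and target names (assumptions).
    static final String ACTION_WIFI_SETUP = "com.example.hub.action.WIFI_SETUP";
    static final String EXTRA_SSID = "com.example.hub.extra.SSID";
    static final String EXTRA_PASSPHRASE = "com.example.hub.extra.PASSPHRASE";
    static final String TARGET_CLASS = "com.example.hub.WifiSetupActivity";

    // Weak: implicit intent. The system resolves the receiver by action, so
    // any installed app declaring a matching intent filter can be chosen and
    // can then read the extras.
    static Intent buildImplicit(String ssid, String passphrase) {
        Intent intent = new Intent(ACTION_WIFI_SETUP);
        intent.putExtra(EXTRA_SSID, ssid);
        intent.putExtra(EXTRA_PASSPHRASE, passphrase);
        return intent;
    }

    // Hardened: explicit intent. The component is pinned to a class inside
    // the caller's own package, so no other app can be resolved as the target.
    static Intent buildExplicit(Activity caller, String ssid, String passphrase) {
        Intent intent = new Intent(ACTION_WIFI_SETUP);
        intent.setComponent(new ComponentName(caller.getPackageName(), TARGET_CLASS));
        intent.putExtra(EXTRA_SSID, ssid);
        intent.putExtra(EXTRA_PASSPHRASE, passphrase);
        return intent;
    }

    // Launches the setup screen with the explicit intent and fails closed:
    // if the pinned component is missing, nothing is sent anywhere else.
    static boolean launch(Activity caller, String ssid, String passphrase) {
        try {
            caller.startActivity(buildExplicit(caller, ssid, passphrase));
            return true;
        } catch (ActivityNotFoundException e) {
            return false;
        }
    }
}
```

When reviewing an app for this class of issue, look for `new Intent(action)` calls that carry credentials or tokens in extras without a following `setComponent`, `setClass` or `setPackage`.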

CVE ID: CVE-2019-3889
Details: An improper access control vulnerability has been identified in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25.

CVE ID: CVE-2019-3890
Details: An improper access control vulnerability has been identified in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25.

Because there are no official updates available from the SmartThings support team, users can only patch their devices with a custom firmware update. A fix is currently available via the method below.

Install Firmware Update for SmartThings

To install the firmware update, please follow the instructions in this article:

https://github.com/SmartThings/smartthings-hub-firmware/blob/master/README.md#how-to-upgrade-your-firmware

Update firmware on SmartThings devices

The proper way to update the firmware on your SmartThings device is to download and install the appropriate firmware update. In order to do this, you'll need to configure your device's permissions in the SmartThings app by following these instructions:
1. Go into the "Device Settings" section of the SmartThings app.
2. Select "Permissions".
3. Uncheck all permissions except for "Control Zigbee devices".

Installing a custom firmware upgrade from the SmartThings website

The step-by-step guide below covers installing a custom firmware update from the SmartThings website.

1) Log in to the SmartThings website and select ‘Settings’ on the left.
2) Select ‘SmartApps’ in the list of tabs, then open ‘WifiSetupLaunchHelper’.
3) Click Edit Code at the bottom of this page and paste your custom firmware upgrade into the text box, e.g.: https://www.smartthings.com/thing/web?api_key=xxxxxxxxx&firmware_name=custom-firmware-upgrade&firmware_version=1.0&minor_version=2
4) Click Save at the top of this page. Once you're back on the main dashboard of your SmartThings account, you'll find your device's firmware version updated to include your new custom firmware.

Fixing SmartThings Devices

If you are a SmartThings user, there are a couple of methods for fixing the issue. You can either download the firmware update from the link below or use a custom firmware update on your device.

Timeline

Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/11/2022 22:57:00 UTC
