VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2018 · Updated Sep 16, 2024

CVE-2017-14453

Description

On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. A strcpy overflows the buffer insteon_pubnub.channel_ad_r, which has a size of 16 bytes. An attacker can send an arbitrarily long "ad_r" parameter in order to exploit this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Buffer overflow in Insteon Hub 2245-222 firmware 1012 via specially crafted PubNub replies, allowing arbitrary data overwrite.

Vulnerability

On Insteon Hub 2245-222 devices with firmware version 1012, the PubNub message handler for the control channel contains a buffer overflow vulnerability. Specifically, a strcpy overflows the global buffer insteon_pubnub.channel_ad_r, which has a size of 16 bytes. An attacker can send an arbitrarily long ad_r parameter in a specially crafted reply from the PubNub service to trigger this overflow [1]. The affected firmware version is 1012.

Exploitation

To exploit this vulnerability, an attacker must impersonate the PubNub service and answer an HTTPS GET request from the Insteon Hub. This requires a man-in-the-middle position or the ability to spoof PubNub responses. No user interaction is required beyond the normal operation of the hub [1].

Impact

Successful exploitation allows the attacker to overwrite arbitrary data in the global section of memory. This can lead to arbitrary code execution with the privileges of the hub's firmware, resulting in complete compromise of confidentiality, integrity, and availability. The CVSSv3 score is 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) [1].

Mitigation

No official fix or patched firmware version has been disclosed in the available references. Users should monitor vendor advisories for updates. As of the publication date (2018-08-23), no mitigation is available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: = 1012 firmware
  • Insteon / Insteon Hub 2245-222v5 (Range: Firmware version 1012)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

Missing bounds checking in strcpy allows an attacker-supplied "ad_r" JSON parameter to overflow the 16-byte global buffer insteon_pubnub.channel_ad_r.

Attack vector

An attacker who can impersonate the PubNub service sends a crafted HTTPS GET response containing a JSON payload with an arbitrarily long "ad_r" parameter [1]. The device parses this JSON and copies the "ad_r" value into the global buffer insteon_pubnub.channel_ad_r using strcpy without length validation [1]. This overwrites adjacent fields in the insteon_pubnub structure, which contains string buffers and function pointers, enabling arbitrary code execution [1]. The attacker must be positioned to intercept or spoof PubNub replies to the Insteon Hub.

Affected code

The vulnerable code is in the function that processes PubNub JSON replies. The global buffer insteon_pubnub.channel_ad_r (size 16 bytes) at offset 0xa000d1bc is overflowed by an unsafe strcpy call at the location marked [17] in the Talos report [1]. The insteon_pubnub structure is larger than 0x1000 bytes and contains string buffers and function pointers, making it a high-value target for exploitation [1].

What the fix does

The advisory does not include a patch diff. The vendor (Insteon) was informed on 2017-12-05 and advised on 2018-04-12 that issues were addressed and beta testing was planned, with public disclosure on 2018-06-19 [1]. No further remediation details are provided in the bundle. The correct fix would replace the unsafe strcpy calls with bounded string copy functions (e.g. strncpy) that respect the 16-byte buffer size.
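The following is an added illustration of the defect class and its fix, written for this page; it is not Insteon firmware code and not code from the Talos report. The structure layout is a hypothetical, cut-down stand-in (a 16-byte channel_ad_r field followed by one function pointer) chosen only to make the adjacent-field hazard visible; the real insteon_pubnub structure is, per the advisory, much larger. The names copy_ad_r_unsafe, copy_ad_r_bounded and bounded_copy_result are invented here. Note that a bare strncpy is not a complete fix on its own, since it does not NUL-terminate when the source fills the whole destination; the hardened copy below checks the length first and terminates explicitly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified layout (constructed for this example). Only the
 * 16-byte size of channel_ad_r comes from the advisory; the neighbouring
 * function pointer stands in for the "string buffers and function pointers"
 * the page says share the real structure. */
#define CHANNEL_AD_R_SIZE 16

struct insteon_pubnub_demo {
    char channel_ad_r[CHANNEL_AD_R_SIZE];
    void (*on_message)(void);   /* adjacent field an overflow would clobber */
};

static void demo_handler(void) {}

/* The vulnerable pattern the advisory describes: strcpy with no length check.
 * Shown for comparison only; it must never see untrusted input. */
void copy_ad_r_unsafe(struct insteon_pubnub_demo *s, const char *ad_r)
{
    strcpy(s->channel_ad_r, ad_r);   /* writes strlen(ad_r)+1 bytes into 16 */
}

/* Hardened version: bound the length scan, reject anything that does not fit
 * (including a missing terminator within the limit), copy a known number of
 * bytes, and terminate explicitly. Returns false when the reply is rejected. */
static bool copy_ad_r_bounded(struct insteon_pubnub_demo *s, const char *ad_r)
{
    size_t len = 0;
    while (len < CHANNEL_AD_R_SIZE && ad_r[len] != '\0')
        len++;
    if (len >= CHANNEL_AD_R_SIZE)
        return false;             /* too long for a 16-byte field with NUL */
    memcpy(s->channel_ad_r, ad_r, len);
    s->channel_ad_r[len] = '\0';
    return true;
}

/* Run the hardened copy on one value and classify the outcome:
 *   1  accepted, field holds the input, adjacent pointer untouched
 *   0  rejected, adjacent pointer untouched
 *  -1  adjacent pointer was modified (would indicate an overflow) */
int bounded_copy_result(const char *ad_r)
{
    struct insteon_pubnub_demo s;
    memset(&s, 0, sizeof s);
    s.on_message = demo_handler;

    bool accepted = copy_ad_r_bounded(&s, ad_r);
    if (s.on_message != demo_handler)
        return -1;
    if (!accepted)
        return 0;
    return strcmp(s.channel_ad_r, ad_r) == 0 ? 1 : -1;
}

int main(void)
{
    /* constructed inputs: a 15-char name (fits) and an over-long one (rejected) */
    int fits     = bounded_copy_result("chan-0123456789");
    int rejected = bounded_copy_result("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return (fits == 1 && rejected == 0) ? 0 : 1;
}
```

The length check runs before any write, so an oversized "ad_r" value causes the reply to be dropped rather than a partial or unterminated copy; the exit status of main reports whether both constructed cases behaved as intended.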

Preconditions

  • network: Attacker must be able to impersonate the PubNub service and respond to the device's HTTPS GET request
  • config: Device must be running firmware version 1012 on Insteon Hub 2245-222

Reproduction

[[{"cc":"x","cc_r":"x","ad":"x","ad_r":"{OVERFLOW}","al":"x","ak":"x"}],"1"] — replace "{OVERFLOW}" with "A"*0x400 to crash the device [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.