VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2018 · Updated Sep 17, 2024

CVE-2017-14455

Description

On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. A strcpy overflows the buffer insteon_pubnub.channel_ak, which has a size of 16 bytes. An attacker can send an arbitrarily long "ak" parameter in order to exploit this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overflow in Insteon Hub 2245-222 firmware 1012 allows an attacker impersonating PubNub to overwrite arbitrary data via a long "ak" parameter.

Vulnerability

A buffer overflow exists in the PubNub message handler for the "control" channel of the Insteon Hub model 2245-222 running firmware version 1012. A strcpy overflows the global buffer insteon_pubnub.channel_ak, which is 16 bytes long, when a specially crafted reply from the PubNub service carries an arbitrarily long "ak" parameter [1]. The firmware runs on a Microchip PIC32MX MCU (MIPS32) as a single image with a co-operative multitasking loop [1].

Exploitation

The attacker must impersonate the legitimate PubNub service and answer an HTTPS GET request that the hub issues during normal operation, so no user interaction on the device is required. A reply carrying an arbitrarily long "ak" parameter then triggers the overflow [1]. Talos rates the issue CVSS 3.0 8.5 (attack complexity high, privileges required low, scope changed) [1]; the complexity rating reflects the need to stand in for PubNub on the hub's network path.

Impact

Successful exploitation overwrites arbitrary data past the end of a global buffer. Depending on what is overwritten, this yields information disclosure and high impact on integrity and availability [1]. The insteon_pubnub structure holds string and function pointers next to the buffer, so the attacker can redirect control flow or alter device state; on a single-image firmware with a co-operative multitasking loop there is no process boundary to contain the corruption, so the whole hub, and with it the home automation it controls, is at risk [1].

Mitigation

As of the Talos advisory publication date, Insteon had released no fixed firmware for the Hub 2245-222 [1]. The product may be end-of-life or unmaintained. Users should isolate the hub on its own network segment, restrict its outbound connections to the PubNub endpoints it needs, and monitor for unexpected traffic, since the attack depends on an adversary answering the hub's requests in PubNub's place. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: =1012
  • Insteon/Insteon Hub 2245-222v5
    Range: Firmware version 1012

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

Unbounded strcpy of the "ak" parameter into the 16-byte fixed-size buffer insteon_pubnub.channel_ak causes a buffer overflow.

Attack vector

An attacker must impersonate the PubNub service and answer an HTTPS GET request from the Insteon Hub [1]. The attacker sends a crafted JSON payload containing an arbitrarily long "ak" parameter, e.g. `[[{"cc":"x","cc_r":"x","ad":"x","ad_r":"x","al":"x","ak":"{OVERFLOW}"}],"1"]` [1]. The `strcpy` at listing line [19] of the Talos report copies this value into the 16-byte `insteon_pubnub.channel_ak` buffer without a bounds check, so the overflow overwrites the data that follows it in the `insteon_pubnub` structure, which contains string and function pointers [1].

Affected code

The vulnerability is in Insteon Hub 2245-222 firmware version 1012. A `strcpy` call at listing line [19] of the Talos report overflows the buffer `insteon_pubnub.channel_ak`, which has a size of 16 bytes [1]. The unsafe copy runs while the handler processes the "ak" parameter of a JSON payload received from the PubNub service [1].

What the fix does

The advisory publishes no patch or remediation code [1]. Talos notified the vendor in December 2017; in April 2018 the vendor stated the issues were addressed and scheduled for beta testing, but no patch details appear in this bundle [1]. The fix is to make the copy respect the 16-byte size of `insteon_pubnub.channel_ak`: measure the "ak" value before copying and reject (or at least truncate and explicitly NUL-terminate) values that do not fit, instead of calling `strcpy`. Replacing `strcpy` with `strncpy` alone is not enough, because `strncpy` does not guarantee a terminator when the source fills the buffer.
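The mechanics described under "Attack vector", "Affected code" and "What the fix does", as an added example that is not the firmware's code and not taken from the advisory: a C model of the 16-byte `insteon_pubnub.channel_ak` buffer with illustrative pointer fields behind it, a constructed PubNub reply in the shape quoted above, the unbounded copy beside a bounded replacement, and a byte-level check of whether the function pointer survived. The struct layout, the fields `channel_name` and `on_message`, and the helpers `find_ak`, `handle_ak_vulnerable`, `handle_ak_fixed`, `on_message_intact` and `build_reply` are assumptions of this example, not names from the firmware.

```c
/* Added example, not firmware or advisory code. Models the 16-byte channel_ak
 * buffer, the unbounded copy of "ak" and a bounded replacement; all names other
 * than channel_ak, and the struct layout, are assumed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHANNEL_AK_LEN 16   /* size of insteon_pubnub.channel_ak per the advisory */

/* Assumed layout: key buffer, then the kind of string and function pointers the
 * advisory says follow it. Byte 16 onward of an overlong key lands on them. */
struct insteon_pubnub {
    char channel_ak[CHANNEL_AK_LEN];
    const char *channel_name;
    void (*on_message)(const char *msg);
};

static void real_handler(const char *msg) { (void)msg; }

static void pubnub_init(struct insteon_pubnub *pn)
{
    memset(pn, 0, sizeof *pn);
    pn->channel_name = "control";
    pn->on_message = real_handler;
}

/* Locate the "ak" value (assumes no escaped quotes); NULL if the key is absent. */
static const char *find_ak(const char *reply, size_t *len)
{
    static const char key[] = "\"ak\":\"";
    const char *p = strstr(reply, key);
    if (!p) return NULL;
    p += sizeof key - 1;
    const char *end = strchr(p, '"');
    if (!end) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable: the length comes from the attacker's string alone, exactly as
 * strcpy(pn->channel_ak, ak) behaves. The copy goes through a byte pointer to the
 * whole struct so the clobbered neighbours stay inside the object and can be
 * inspected; the one guard keeps this demo within defined behaviour, the firmware
 * has none. Returns bytes copied, or -1 if the payload would run past the struct. */
static int handle_ak_vulnerable(struct insteon_pubnub *pn, const char *reply)
{
    size_t len;
    const char *ak = find_ak(reply, &len);
    if (!ak) return 0;
    size_t off = offsetof(struct insteon_pubnub, channel_ak);
    if (off + len + 1 > sizeof *pn) return -1;          /* demo guard only */
    unsigned char *dst = (unsigned char *)pn + off;
    memcpy(dst, ak, len);        /* never checked against CHANNEL_AK_LEN: the bug */
    dst[len] = '\0';
    return (int)len;
}

/* Fixed: a key that does not fit together with its NUL is rejected. Truncating
 * with strncpy would store a wrong key and may leave no terminator, so refuse. */
static int handle_ak_fixed(struct insteon_pubnub *pn, const char *reply)
{
    size_t len;
    const char *ak = find_ak(reply, &len);
    if (!ak) return 0;
    if (len >= CHANNEL_AK_LEN) return -1;
    memcpy(pn->channel_ak, ak, len);
    pn->channel_ak[len] = '\0';
    return (int)len;
}

/* 1 if on_message still holds real_handler; compared as bytes, so a clobbered
 * pointer is never read as a pointer, let alone called. */
static int on_message_intact(const struct insteon_pubnub *pn)
{
    void (*orig)(const char *) = real_handler;
    return memcmp(&pn->on_message, &orig, sizeof orig) == 0;
}

/* Constructed reply in the shape quoted by the advisory, "ak" = n bytes of 'A'. */
static int build_reply(char *out, size_t outsz, size_t n)
{
    char ak[256];
    if (n >= sizeof ak) return -1;
    memset(ak, 'A', n);
    ak[n] = '\0';
    int w = snprintf(out, outsz, "[[{\"cc\":\"x\",\"cc_r\":\"x\",\"ad\":\"x\","
                     "\"ad_r\":\"x\",\"al\":\"x\",\"ak\":\"%s\"}],\"1\"]", ak);
    return (w < 0 || (size_t)w >= outsz) ? -1 : w;
}

int main(void)
{
    struct insteon_pubnub pn;
    char reply[512];
    build_reply(reply, sizeof reply, sizeof pn - 1);   /* key as long as the struct */
    pubnub_init(&pn);
    int r = handle_ak_vulnerable(&pn, reply);
    printf("vulnerable: copied %d bytes, handler intact=%d\n", r, on_message_intact(&pn));
    pubnub_init(&pn);
    r = handle_ak_fixed(&pn, reply);
    printf("fixed: result %d, handler intact=%d\n", r, on_message_intact(&pn));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run. With a key as long as the struct, the vulnerable handler reports a successful copy while `on_message_intact` returns 0: the function pointer now holds the attacker's bytes, which is the state the advisory describes. The fixed handler returns -1 and leaves the structure untouched. The demo guard in the vulnerable path is the only reason the example does not write past the object; the firmware's `strcpy` keeps going for as long as the attacker's string does.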

Preconditions

  • Network: the attacker must be able to impersonate the PubNub service on the network path between the hub and PubNub
  • Network: the hub must make an HTTPS GET request to PubNub that the attacker can intercept and answer

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.