CVE-2017-16252

Vulnerability

Insteon Hub 2245-222 running firmware version 1012 contains a stack-based buffer overflow vulnerability in the PubNub message handler for the “cc” channel [1]. At address 0x9d014cc0, the value for the cmd key is copied using strcpy to a buffer at $sp+0x11c. This buffer is only 20 bytes; sending a cmd value longer than 20 bytes causes a stack-based buffer overflow [1]. The vulnerability is reachable via authenticated HTTP requests to the Hub [1].

Exploitation

An attacker must first have authenticated access to the Insteon Hub (for example, via a valid user session or credentials) [1]. The attacker then sends a specially crafted HTTP request that delivers an overly long cmd value through the PubNub service channel. The strcpy call copies the attacker-controlled string into the fixed-size stack buffer, overwriting adjacent stack data including the return address and other local variables [1]. No user interaction is required beyond the initial authentication.

Impact

Successful exploitation allows the attacker to overwrite arbitrary data on the stack, potentially achieving arbitrary code execution with the privileges of the vulnerable process [1]. The CVSSv3 score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates a high impact on confidentiality, integrity, and availability, with the scope change meaning the attacker can affect resources beyond the initial vulnerable component [1].

Mitigation

As of the publication of TALOS-2017-0483 (August 2018), Insteon has not released a firmware update addressing this vulnerability [1]. Users should restrict network access to the Insteon Hub and ensure it is not directly exposed to the internet. Monitor vendor advisories for a future patched firmware version. No workaround is available that does not involve disabling the PubNub functionality.