VYPR
Unrated severity · NVD Advisory · Published Mar 21, 2019 · Updated Aug 5, 2024

CVE-2017-16255

Description

An exploitable buffer overflow vulnerability exists in the PubNub message handler of the Insteon Hub 2245-222, firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. An attacker can send an authenticated HTTP request. At 0x9d014e84, the value for the cmd1 key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in the Insteon Hub's PubNub message handler allows authenticated remote code execution by sending a crafted HTTP request.

Vulnerability

The vulnerability is a stack-based buffer overflow in the PubNub message handler of the Insteon Hub 2245-222 running firmware version 1012. The issue exists at address 0x9d014e84 where the value for the cmd1 key is copied using strcpy to a buffer at $sp+0x280 that is only 16 bytes large. Specially crafted commands sent through the PubNub service can overwrite arbitrary data on the stack [1]. The vulnerable code path is reachable via authenticated HTTP requests to the hub [1].
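The copy described above, as an added example in C (not the firmware's code, which this page does not include): the unbounded strcpy pattern next to a length-checked version. The function names and the sample cmd1 values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD1_BUF_SIZE 16   /* destination size stated in the advisory */

/* Pattern the advisory describes: strcpy has no idea how large dst is,
 * so a value of 16 or more characters writes past the end of the buffer.
 * Shown for contrast; only ever called with a short constant below. */
void copy_cmd1_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* Hardened form: measure the value against the destination first and
 * reject it outright rather than silently truncating a command field.
 * Returns 0 on success, -1 if the value is missing or does not fit. */
int copy_cmd1_checked(char *dst, const char *value)
{
    const char *end;
    size_t len;

    if (value == NULL)
        return -1;
    /* Look for the terminator within the first 16 bytes only. */
    end = memchr(value, '\0', CMD1_BUF_SIZE);
    if (end == NULL)                 /* 16+ characters: no room for '\0' */
        return -1;
    len = (size_t)(end - value);
    memcpy(dst, value, len + 1);     /* copy includes the terminator */
    return 0;
}

int main(void)
{
    /* Constructed sample values for the cmd1 key (2, 15 and 16 chars). */
    const char *samples[] = { "11", "0123456789abcde", "0123456789abcdef" };
    char buf[CMD1_BUF_SIZE];
    size_t i;

    copy_cmd1_unchecked(buf, "11");  /* safe only because the input is short */
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_cmd1_checked(buf, samples[i]);
        printf("len=%zu -> %s\n", strlen(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```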

Exploitation

An attacker must first have authenticated access to the target Insteon Hub. They then send a specially crafted HTTP request containing a malicious PubNub command that stores an overly long string in the cmd1 field. The strcpy call copies this string into the undersized 16-byte buffer, causing a stack-based buffer overflow that overwrites adjacent stack data including the return address [1]. No user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution in the context of the affected application. Given that the hub runs with elevated privileges, an attacker could gain full control of the device, leading to complete compromise of confidentiality, integrity, and availability [1]. The Cisco Talos advisory rates this as CVSSv3 8.5 (High).

Mitigation

As of the Cisco Talos advisory publication date (2019-03-21), no vendor-supplied patch was available [1]. The affected firmware version 1012 is confirmed vulnerable. Users should monitor the vendor's site for firmware updates and consider restricting network access to the hub to only trusted hosts as a workaround. This CVE is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
