CVE-2017-16337

Vulnerability

The vulnerability exists in the PubNub message handler for the "cc" channel of Insteon Hub model 2245-222 running firmware version 1012 [1]. At address 0x9d01ef24, the value for the s_offset key is copied using strcpy to a buffer located at $sp+0x2b0 which is only 32 bytes large. Sending a value longer than 32 bytes causes a stack-based buffer overflow, overwriting arbitrary data on the stack [1]. No special configuration is required beyond the device being online and reachable via PubNub.

Exploitation

An attacker must first obtain valid authentication credentials for the Insteon Hub and send an authenticated HTTP request to trigger this vulnerability [1]. The crafted command is sent through the PubNub service to the target device, specifically targeting the "cc" channel handler. The attacker provides an overly long value for the s_offset key, which is then copied without bounds checking, leading to stack corruption [1].

Impact

Successful exploitation of this buffer overflow allows an attacker to achieve remote code execution (RCE) in the context of the device firmware. Given the CVSSv3 score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), the impact includes complete compromise of confidentiality, integrity, and availability [1]. The attacker can overwrite arbitrary data on the stack and redirect execution flow, potentially gaining full control of the device.

Mitigation

As of the publication date (August 2018), the affected firmware version 1012 has no official patch or workaround documented in the available references [1]. Users should monitor the vendor (Insteon) for firmware updates that address this vulnerability. If no update is provided and the device reaches end-of-life (EOL), replacement with a supported device may be necessary. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.