CVE-2017-16286

Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_time, at 0x9d018ea0, the value for the `dststart` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483	Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*

cpe:2.3:h:insteon:hub:-:*:*:*:*:*:*:*

History

19 Jan 2023, 20:31

Type	Values Removed	Values Added
CPE		cpe:2.3:o:insteon:hub_firmware:1012:::::::* cpe:2.3:h:insteon:hub:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.9
References	~~(MISC) https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483 -~~	(MISC) https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483 - Technical Description, Third Party Advisory
First Time		Insteon hub Firmware Insteon Insteon hub

11 Jan 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-01-11 22:15

Updated : 2023-12-10 14:48

NVD link : CVE-2017-16286

Mitre link : CVE-2017-16286

CVE.ORG link : CVE-2017-16286

JSON object : View

Products Affected

insteon

hub_firmware
hub

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2017-16286", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2023-01-11T22:15:11.713", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483", "tags": ["Technical Description", "Third Party Advisory"], "source": "talos-cna@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "talos-cna@cisco.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_time, at 0x9d018ea0, the value for the `dststart` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow."}], "lastModified": "2023-01-19T20:31:26.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17F98B37-72C0-48A5-A4E2-12327F48327E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:insteon:hub:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "951165BE-0AC1-4690-8B36-E402CA0197FB"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "talos-cna@cisco.com"}