CVE-2017-16296

Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a1d4, the value for the `days` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483	Exploit Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*

cpe:2.3:h:insteon:insteon_hub:-:*:*:*:*:*:*:*

History

23 Jan 2023, 16:53

Type	Values Removed	Values Added
CPE		cpe:2.3:o:insteon:insteon_hub_firmware:1012:::::::* cpe:2.3:h:insteon:insteon_hub:-:::::::*
References	~~(MISC) https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483 -~~	(MISC) https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483 - Exploit, Technical Description, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.9
First Time		Insteon Insteon insteon Hub Firmware Insteon insteon Hub

11 Jan 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-01-11 22:15

Updated : 2023-12-10 14:48

NVD link : CVE-2017-16296

Mitre link : CVE-2017-16296

CVE.ORG link : CVE-2017-16296

JSON object : View

Products Affected

insteon

insteon_hub
insteon_hub_firmware

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2017-16296", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2023-01-11T22:15:12.370", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0483", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "talos-cna@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "talos-cna@cisco.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a1d4, the value for the `days` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow."}], "lastModified": "2023-01-23T16:53:27.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69CCA985-291A-4247-9187-441F5A04AAE8"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:insteon:insteon_hub:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8DB75024-9744-412B-BCFB-74BB36F352F0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "talos-cna@cisco.com"}