CVE-2017-14454

2023-01-1200:15:08

CWE-120

talos

web.nvd.nist.gov

cve-2017-14454

buffer overflow

pubnub

insteon hub

firmware

vulnerability

CVSS3

8.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

40.2%

JSON

Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the “control” channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. The strcpy at [18] overflows the buffer insteon_pubnub.channel_al, which has a size of 16 bytes.

Affected configurations

Nvd

Vulners

Node

insteonhub_firmwareMatch1012

AND

insteonhubMatch-

VendorProductVersionCPE
insteonhub_firmware1012cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*
insteonhub-cpe:2.3:h:insteon:hub:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
insteon	hub_firmware	1012	cpe:2.3:o:insteon:hub_firmware:1012:::::::*
insteon	hub	-	cpe:2.3:h:insteon:hub:-:::::::*

CNA Affected

[
  {
    "vendor": "Insteon",
    "product": "Hub",
    "versions": [
      {
        "version": "Not specified",
        "status": "affected"
      }
    ]
  }
]