PT-2018-5653 · Insteon · Insteon Hub

Published: 2018-08-23 · Updated: 2022-04-19 · CVE-2017-14455

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Insteon Hub 2245-222 version 1012
Description: The issue arises from specially crafted replies received from the PubNub service, which can cause a buffer overflow in a global data section, overwriting arbitrary data. An attacker must impersonate PubNub and answer an HTTPS GET request to trigger this issue. Specifically, a strcpy overflows the buffer insteon_pubnub.channel_ak, which has a size of 16 bytes. This can be exploited by sending an arbitrarily long ak parameter.
Recommendations: For Insteon Hub 2245-222 version 1012, as a temporary workaround, consider restricting access to the insteon_pubnub.channel_ak buffer to minimize the risk of exploitation. Avoid using the ak parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
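The defect described above is an unbounded strcpy of the reply's ak value into a 16-byte global. The following is an added illustration, not Insteon firmware or Talos code: it models the global with a hypothetical struct named after the advisory's identifier, assumes a constructed query-style reply format ("...&ak=VALUE&..."), and shows the bounded replacement that rejects oversized values instead of overflowing.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the 16-byte global the advisory names
 * (insteon_pubnub.channel_ak); the real firmware layout is not on the page. */
#define CHANNEL_AK_SIZE 16

struct insteon_pubnub_state {
    char channel_ak[CHANNEL_AK_SIZE];   /* must hold the value plus NUL */
};

static struct insteon_pubnub_state insteon_pubnub;

/* The pattern the advisory describes is an unbounded copy of the reply's
 * ak value into this buffer (strcpy(insteon_pubnub.channel_ak, ak)), which
 * overflows once the value is 16 bytes or longer.
 *
 * Hardened replacement: measure the value first, reject anything that does
 * not fit (do not silently truncate a credential), then copy with a bound.
 * Returns 0 on success, -1 if the value is empty or too long. */
int store_channel_ak(const char *ak, size_t ak_len)
{
    if (ak_len == 0 || ak_len >= CHANNEL_AK_SIZE)
        return -1;
    memcpy(insteon_pubnub.channel_ak, ak, ak_len);
    insteon_pubnub.channel_ak[ak_len] = '\0';
    return 0;
}

/* Locate "ak=" as a whole parameter in a constructed query-style reply body
 * and store its value through the checked path. "task=" must not match.
 * Returns 0 on success, -1 if the parameter is absent or rejected. */
int parse_reply_ak(const char *reply)
{
    const char *p = reply;
    while ((p = strstr(p, "ak=")) != NULL) {
        if (p == reply || p[-1] == '&' || p[-1] == '?') {
            const char *val = p + 3;
            size_t len = strcspn(val, "&");   /* value ends at '&' or NUL */
            return store_channel_ak(val, len);
        }
        p += 3;
    }
    return -1;
}

/* Read-only view of the stored value, for callers and tests. */
const char *current_channel_ak(void)
{
    return insteon_pubnub.channel_ak;
}
```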

Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2017-14455

Affected Products

Insteon Hub
Pubnub