CVE-2017-16344

Name of the Vulnerable Software and Affected Versions: Insteon Hub version 1012

Description: An attacker could send an authenticated HTTP request to trigger this issue in Insteon Hub. The value for the s url key is copied using strcpy to the buffer at 0xa0001a0c. This buffer is 16 bytes large, and sending anything longer will cause a buffer overflow. The destination can also be shifted by using an sn speaker parameter between "0" and "3".

Recommendations: For Insteon Hub version 1012, consider restricting access to authenticated HTTP requests until a patch is available. As a temporary workaround, avoid using the sn speaker parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.