PT-2018-6274 · Insteon · Insteon Hub

Published: 2018-08-02 · Updated: 2022-12-09 · CVE-2017-16345

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Insteon Hub version 1012
Description: The issue is triggered by an authenticated HTTP request. Specifically, the value of the s port key is copied into a buffer using strcpy. That buffer is 6 bytes in size, so sending a value longer than this causes a buffer overflow. The sn speaker parameter can also be used to shift the destination buffer, with accepted values ranging from "0" to "3".
Recommendations: For Insteon Hub version 1012, as a temporary workaround, consider restricting access to the vulnerable HTTP endpoint until a patch is available. Avoid using the s port key with values longer than 6 bytes in the affected API endpoint until the issue is resolved. Additionally, restrict the use of the sn speaker parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
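To make the described defect and its fix concrete, the following C snippet is an added illustration written for this record; it is not Insteon's firmware source and reconstructs only what the description states. It assumes a hypothetical handler with four 6-byte port buffers (one per sn speaker index "0".."3"), shows the unsafe strcpy pattern the advisory describes, and beside it a hardened version that validates the sn index, bounds the copy so a NUL always fits, and (an assumption beyond the page) accepts only decimal digits for a port value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the handler described in the advisory: four
 * 6-byte port buffers selected by the "sn" speaker parameter ("0".."3").
 * Added illustration only, not the vendor's code. */
#define PORT_BUF_LEN  6
#define SPEAKER_COUNT 4

static char g_port[SPEAKER_COUNT][PORT_BUF_LEN];

/* Vulnerable pattern as described: the "s" value is copied with strcpy
 * and the "sn" index is used unchecked. A value of 6 or more characters
 * overruns the 6-byte buffer; an out-of-range "sn" writes outside g_port. */
void set_port_unsafe(const char *sn, const char *s) {
    int idx = atoi(sn);
    strcpy(g_port[idx], s);
}

enum set_port_result {
    PORT_OK = 0,
    PORT_BAD_SPEAKER = 1,  /* sn missing, not a single digit, or outside 0..3 */
    PORT_TOO_LONG = 2,     /* value would not fit with its terminating NUL */
    PORT_BAD_CHARS = 3     /* value contains non-digit characters (assumption) */
};

/* Hardened version: validate every attacker-controlled field before touching
 * memory, and copy with an explicit bound instead of strcpy. */
enum set_port_result set_port_safe(const char *sn, const char *s) {
    if (sn == NULL || s == NULL) return PORT_BAD_SPEAKER;

    /* "sn" must be exactly one character in the documented range "0".."3" */
    if (sn[0] == '\0' || sn[1] != '\0' || sn[0] < '0' || sn[0] > '3')
        return PORT_BAD_SPEAKER;
    int idx = sn[0] - '0';

    /* Measure the value without scanning past what the buffer could hold;
     * a value of PORT_BUF_LEN or more characters leaves no room for the NUL. */
    size_t n = 0;
    while (n < PORT_BUF_LEN && s[n] != '\0') n++;
    if (n >= PORT_BUF_LEN) return PORT_TOO_LONG;

    /* Assumption: a port is a decimal number, so reject anything else */
    for (size_t i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9') return PORT_BAD_CHARS;

    memcpy(g_port[idx], s, n);
    g_port[idx][n] = '\0';
    return PORT_OK;
}

/* Read back a stored port value, or NULL for an out-of-range index. */
const char *get_port(int idx) {
    return (idx >= 0 && idx < SPEAKER_COUNT) ? g_port[idx] : NULL;
}

int main(void) {
    /* Constructed request fields, as a parser would hand them over */
    const char *cases[][2] = {
        {"0", "80"}, {"3", "65535"}, {"1", "123456"}, {"4", "80"}, {"2", "8x"}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum set_port_result r = set_port_safe(cases[i][0], cases[i][1]);
        printf("sn=%s s=%s -> %d\n", cases[i][0], cases[i][1], (int)r);
    }
    return 0;
}
```

The two checks that matter are the index validation (so sn cannot move the write outside the four buffers) and the length check against PORT_BUF_LEN before the copy; strlen-based checks are avoided in favour of a bounded scan so that an unterminated input cannot itself cause an over-read.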

Exploit: Buffer Overflow

Weakness Enumeration

Related Identifiers: CVE-2017-16345

Affected Products: Insteon Hub