CVE-2017-16252
Last modified
CVE-2017-16252 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Specially crafted commands sent through the PubNub service in Insteon Hub 2245-222 with firmware version 1012 can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability.At 0x9d014cc0 the value for the cmd key is copied using strcpy to the buffer at $sp+0x11c. EPSS estimates a 1.20% chance of exploitation in the next 30 days.
Description
Specially crafted commands sent through the PubNub service in Insteon Hub 2245-222 with firmware version 1012 can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability.At 0x9d014cc0 the value for the cmd key is copied using strcpy to the buffer at $sp+0x11c. This buffer is 20 bytes large, sending anything longer will cause a buffer overflow.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Insteon | Hub Firmware | 1012 |
References
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0483Exploit, Issue Tracking, Third Party Advisory
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0483Exploit, Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-16252?
How severe is CVE-2017-16252?
How do I fix CVE-2017-16252?
Are you affected by CVE-2017-16252?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST