CVE-2017-14454 HIGH

CVE-2017-14454

Vendor Insteon

Product Hub

Weakness CWE-120

Published January 11, 2023

Last update April 9, 2025

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. The `strcpy` at [18] overflows the buffer `insteon_pubnub.channel_al`, which has a size of 16 bytes.

Key dates

02Disclosure timeline

January 11, 2023 CVE published

April 9, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2017-14454 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/120.html

Related vulnerabilities

CVE-2017-14454

01Description

02Disclosure timeline

03References

04Related CVE