Insteon Hub PubNub "cc" Channel Message Handler Multiple Stack Overflow Code Execution Vulnerabilities

2018-06-19T00:00:00

Description

### Summary Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the “cc” channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. ### Tested Versions Insteon Hub 2245-222 - Firmware version 1012 ### Product URLs <http://www.insteon.com/insteon-hub> ### CVSSv3 Score 8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details Insteon produces a series of devices aimed at controlling and monitoring a home: wall switches, led bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller which allows an end-user to use his smartphone to connect to his own house remotely and manage any other device through it. The Insteon Hub board utilizes several MCUs, the firmware in question is executed by a Microchip PIC32MX MCU, which has a MIPS32 architecture. The firmware uses Microchip’s “Libraries for Applications” as core for the application code. Its functionality resides on a co-operative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the relative callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care of executing tasks as quickly as possible, or splitting them in several loop cycles, in order to let other tasks running smoothly. To enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (<https://www.pubnub.com/>). End-users install the “Insteon for Hub” application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows for a bi-directional communication using PubNub’s REST API. The interaction with PubNub happens by means of publish/subscribe methods. Each device has a series of channels it can subscribe to, in order to receive published messages. To subscribe to a specific channel it’s enough to call the function `pubnub_subscribe` (defined in the PubNub SDK), passing as parameter the channel name and a callback function that will be called when a message is received on the specified channel. The device defines a function which parses messages received from PubNub on channel “cc”: `sub_9d014b1c`. The function uses the `cJSON` library for parsing “JSON” messages and receives a `cJSON` object as parameter, which corresponds to the message sent from an authenticated smartphone application. As an example, this is a valid JSON message which is used to change the username/password pair of the device: { "ser": "", "cmd": "s_auth", "usr": "myuser", "pwd": "mypwd" } The function initially checks the `cmd` parameter, and depending on that it proceeds to extract other expected parameters, in this case `usr` and `pwd`. The information is then either cached to be handled on the next multitasking loop, or immediately applied from within the current function. The vulnerable code exists while parsing any JSON element, the following example is the disassembly of the path for the “s_auth” command: seg000:9D014B1C sub_9d014b1c: seg000:9D014B1C seg000:9D014B1C var_418 = -0x418 seg000:9D014B1C var_414 = -0x414 seg000:9D014B1C var_410 = -0x410 ... seg000:9D014B1C var_14 = -0x14 seg000:9D014B1C var_10 = -0x10 seg000:9D014B1C var_C = -0xC seg000:9D014B1C var_8 = -8 seg000:9D014B1C var_4 = -4 seg000:9D014B1C seg000:9D014B1C 000 D8 FB BD 27 addiu $sp, -0x428 seg000:9D014B20 428 24 04 BF AF sw $ra, 0x428+var_4($sp) seg000:9D014B24 428 20 04 BE AF sw $fp, 0x428+var_8($sp) seg000:9D014B28 428 1C 04 B7 AF sw $s7, 0x428+var_C($sp) seg000:9D014B2C 428 18 04 B6 AF sw $s6, 0x428+var_10($sp) seg000:9D014B30 428 14 04 B5 AF sw $s5, 0x428+var_14($sp) seg000:9D014B34 428 10 04 B4 AF sw $s4, 0x428+var_18($sp) seg000:9D014B38 428 0C 04 B3 AF sw $s3, 0x428+var_1C($sp) seg000:9D014B3C 428 08 04 B2 AF sw $s2, 0x428+var_20($sp) seg000:9D014B40 428 04 04 B1 AF sw $s1, 0x428+var_24($sp) seg000:9D014B44 428 00 04 B0 AF sw $s0, 0x428+var_28($sp) seg000:9D014B48 428 21 90 80 00 move $s2, $a0 # ptr to cJSON object seg000:9D014B4C 428 21 98 A0 00 move $s3, $a1 ... seg000:9D014C60 428 21 20 40 02 move $a0, $s2 seg000:9D014C64 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D014C68 428 F3 43 41 0F jal cJSON_GetObjectItem seg000:9D014C6C 428 24 28 A5 24 la $a1, aCmd # "cmd" seg000:9D014C70 428 0F 00 40 54 bnezl $v0, loc_9D014CB0 ... seg000:9D014CB0 loc_9D014CB0: seg000:9D014CB0 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D014CB4 428 F3 43 41 0F jal cJSON_GetObjectItem seg000:9D014CB8 428 24 28 A5 24 la $a1, aCmd # "cmd" seg000:9D014CBC 428 1C 01 A4 27 addiu $a0, $sp, 0x428+var_30C seg000:9D014CC0 428 1F DF 41 0F jal strcpy seg000:9D014CC4 428 10 00 45 8C lw $a1, 0x10($v0) ... seg000:9D0153F4 loc_9D0153F4: seg000:9D0153F4 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D0153F8 428 87 E7 41 0F jal strcmp seg000:9D0153FC 428 54 2A A5 24 la $a1, aS_auth # "s_auth" seg000:9D015400 428 B2 00 40 14 bnez $v0, loc_9D0156CC # goto next cmd seg000:9D015404 428 1C 01 A4 27 addiu $a0, $sp, 0x428+var_30C seg000:9D015408 428 21 20 40 02 move $a0, $s2 seg000:9D01540C 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D015410 428 F3 43 41 0F jal cJSON_GetObjectItem seg000:9D015414 428 5C 2A A5 24 la $a1, aUsr # "usr" seg000:9D015418 428 0F 00 40 10 beqz $v0, loc_9D015458 # goto fail seg000:9D01541C 428 21 20 40 02 move $a0, $s2 seg000:9D015420 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D015424 428 F3 43 41 0F jal cJSON_GetObjectItem seg000:9D015428 428 5C 2A A5 24 la $a1, aUsr # "usr" seg000:9D01542C 428 90 02 A4 27 addiu $a0, $sp, 0x428+var_198 seg000:9D015430 428 1F DF 41 0F jal strcpy seg000:9D015434 428 10 00 45 8C lw $a1, 0x10($v0) seg000:9D015438 428 21 20 40 02 move $a0, $s2 seg000:9D01543C 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D015440 428 F3 43 41 0F jal cJSON_GetObjectItem seg000:9D015444 428 60 2A A5 24 la $a1, aPwd # "pwd" seg000:9D015448 428 07 00 40 14 bnez $v0, loc_9D015468 seg000:9D01544C 428 21 20 40 02 move $a0, $s2 seg000:9D015450 428 28 55 40 0B j loc_9D0154A0 # goto fail seg000:9D015454 428 00 00 00 00 nop seg000:9D015458 seg000:9D015458 loc_9D015458: seg000:9D015458 428 BD 43 40 0F jal insteon_pubnub_send_fail seg000:9D01545C 428 21 28 60 02 move $a1, $s3 seg000:9D015460 428 49 7C 40 0B j loc_9D01F124 seg000:9D015464 428 24 04 BF 8F lw $ra, 0x428+var_4($sp) seg000:9D015468 seg000:9D015468 loc_9D015468: seg000:9D015468 428 06 9D 05 3C lui $a1, 0x9D06 seg000:9D01546C 428 F3 43 41 0F jal cJSON_GetObjectItem seg000:9D015470 428 60 2A A5 24 la $a1, aPwd # "pwd" seg000:9D015474 428 B0 02 A4 27 addiu $a0, $sp, 0x428+var_178 seg000:9D015478 428 1F DF 41 0F jal strcpy seg000:9D01547C 428 10 00 45 8C lw $a1, 0x10($v0) ... seg000:9D0154A0 loc_9D0154A0: seg000:9D0154A0 428 BD 43 40 0F jal insteon_pubnub_send_fail seg000:9D0154A4 428 21 28 60 02 move $a1, $s3 seg000:9D0154A8 428 49 7C 40 0B j loc_9D01F124 seg000:9D0154AC 428 24 04 BF 8F lw $ra, 0x428+var_4($sp) Looking at the pseudocode: if (cJSON_GetObjectItem(obj, "cmd")) { strcpy(buf_cmd, cJSON_GetObjectItem(obj, "cmd")->valuestring); if (!strcmp(buf_cmd, "...")) ... else if (!strcmp(buf_cmd, "...")) ... else if (!strcmp(buf_cmd, "s_auth")) { if (!cJSON_GetObjectItem(obj, "usr")) goto fail; strcpy(buf_usr, cJSON_GetObjectItem(obj, "usr")->valuestring); if (!cJSON_GetObjectItem(obj, "pwd")) goto fail; strcpy(buf_pwd, cJSON_GetObjectItem(obj, "pwd")->valuestring); ... } ... } The `src` parameter for `strcpy` is unconstrained, and can lead to a buffer overflow, in the above example a stack-based one. This same sequence of vulnerable instructions is present for every supported keyword in the message handler. To send a message, an HTTP GET should be used which embeds the JSON string in the “path” portion of the URL: $ curl https://pubsub.pubnub.com/publish/<pub>/<sub>/<callback>/<channel>/<payload>?auth=<auth-key> <pub>: PubNub's publishKey. The device uses pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3 <sub>: PubNub's subscribeKey. The device uses sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe <callback>: can be set to 0 <channel>: composed by "<insteon-id>-<channel-suffix>". <insteon-id> corresponds to the lower 3 octets of the MAC address and <channel-suffix> is the actual channel name, in this case "cc" (example of full channel name: 112233-cc) <payload>: contains the JSON message string, the minimal JSON for Insteon is {"ser":""} <auth-key>: key for access control, 16 bytes hex-encoded Example: $ curl 'https://pubsub.pubnub.com/publish/pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/0/112233-cc/ 0/\{"ser":"","cmd":"s_auth","usr":"newusr","pwd":"newpwd"\}?auth=00112233445566778899AABBCCDDEEFF' The following is a list of vulnerable `strcpy` calls and their Proof-of-Concept. Each PoC shows only the payload portion of the request and uses the placeholder “OVERFLOW” to highlight the vulnerable parameter, which can be replaced with `"A"*0x400` to make the device crash. All buffer overflows below happen on the stack, and allow for overwriting arbitrarily all $s-registers, saved-pc and saved-fp. A key with value “x” means that its value is irrelevant. #### CVE-2017-16252 - cmd key At 0x9d014cc0 the value for the `cmd` key is copied using `strcpy` to the buffer at `$sp+0x11c`. This buffer is 20 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "OVERFLOW"} #### CVE-2017-16253 - cmd sn_sx, id key At 0x9d014dd8 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_sx", "id": "OVERFLOW", "flg": "x", "cmd1": "x", "cmd2": "x"} #### CVE-2017-16254 - cmd sn_sx, flg key At 0x9d014e4c the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_sx", "id": "x", "flg": "OVERFLOW", "cmd1": "x", "cmd2": "x"} #### CVE-2017-16255 - cmd sn_sx, cmd1 key At 0x9d014e84 the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "OVERFLOW", "cmd2": "x"} #### CVE-2017-16256 - cmd sn_sx, cmd2 key At 0x9d014ebc the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "OVERFLOW"} #### CVE-2017-16257 - cmd sn_sx, cmd3 key At 0x9d014f28 the value for the `cmd3` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "cmd3": "OVERFLOW"} #### CVE-2017-16258 - cmd sn_sx, cmd4 key At 0x9d014f7c the value for the `cmd4` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "cmd4": "OVERFLOW"} #### CVE-2017-16259 - cmd s_auth, usr key At 0x9d015430 the value for the `usr` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_auth", "usr": "OVERFLOW"} #### CVE-2017-16260 - cmd s_auth, pwd key At 0x9d015478 the value for the `pwd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_auth", "usr": "x", "pwd": "OVERFLOW"} #### CVE-2017-16261 - cmd g_b, grp key At 0x9d015714 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "g_b", "grp": "OVERFLOW"} #### CVE-2017-16262 - cmd g_b, id key At 0x9d015864 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "g_b", "grp": "x", "id": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16263 - cmd g_b, val key At 0x9d015a8c the value for the `val` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "g_b", "grp": "x", "val": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16264 - cmd l_b, grp key At 0x9d015cfc the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "l_b", "grp": "OVERFLOW"} #### CVE-2017-16265 - cmd l_bt, grp key At 0x9d016104 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "l_bt", "grp": "OVERFLOW"} #### CVE-2017-16266 - cmd s_b, grp key At 0x9d016530 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_b", "grp": "OVERFLOW"} #### CVE-2017-16267 - cmd s_b, val key At 0x9d016578 the value for the `val` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_b", "grp": "x", "val": "OVERFLOW"} #### CVE-2017-16268 - cmd s_b, id key At 0x9d0165c0 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_b", "grp": "x", "val": "x", "id": "OVERFLOW"} #### CVE-2017-16269 - cmd s_b, s_speaker key At 0x9d01672c the value for the `s_speaker` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_b", "grp": "x", "val": "x", "id": "x", "s_speaker": "OVERFLOW"} #### CVE-2017-16270 - cmd s_b, s_sonos_cmd key At 0x9d01679c the value for the `s_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_b", "grp": "x", "val": "x", "id": "x", "s_sonos_cmd": "OVERFLOW"} #### CVE-2017-16271 - cmd e_l, as_c key At 0x9d016c94 the value for the `as_c` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "e_l", "as_c": "OVERFLOW"} #### CVE-2017-16272 - cmd e_l, grp key At 0x9d016cf0 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "e_l", "as_c": "1", "grp": "OVERFLOW"} Note: `as_c` needs to be exactly “1” #### CVE-2017-16273 - cmd e_ml, grp key At 0x9d016fa8 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "e_ml", "grp": "OVERFLOW"} #### CVE-2017-16274 - cmd e_u, grp key At 0x9d017364 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "e_u", "grp": "OVERFLOW"} #### CVE-2017-16275 - cmd sn_grp, grp key At 0x9d01758c the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_grp", "grp": "OVERFLOW"} #### CVE-2017-16276 - cmd sn_grp, gbt key At 0x9d0175f4 the value for the `gbt` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_grp", "grp": "x", "gbt": "OVERFLOW"} #### CVE-2017-16277 - cmd sn_grp, gcmd key At 0x9d017658 the value for the `gcmd` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_grp", "grp": "x", "gbt": "x", "gcmd": "OVERFLOW"} #### CVE-2017-16278 - cmd s_net, ip key At 0x9d01815c the value for the `ip` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_net", "ip": "OVERFLOW"} #### CVE-2017-16279 - cmd s_net, port key At 0x9d0181a4 the value for the `port` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_net", "ip": "x", "port": "OVERFLOW"} #### CVE-2017-16280 - cmd s_net, gate key At 0x9d0181ec the value for the `gate` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_net", "ip": "x", "port": "x", "gate": "OVERFLOW"} #### CVE-2017-16281 - cmd s_net, sub key At 0x9d018234 the value for the `sub` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_net", "ip": "x", "port": "x", "gate": "x", "sub": "OVERFLOW"} #### CVE-2017-16282 - cmd s_net, dhcp key At 0x9d01827c the value for the `dhcp` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_net", "ip": "x", "port": "x", "gate": "x", "sub": "x", "dhcp": "OVERFLOW"} #### CVE-2017-16283 - cmd s_name, name key At 0x9d0188a8 the value for the `name` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_name", "name": "OVERFLOW"} #### CVE-2017-16284 - cmd s_name, city key At 0x9d018958 the value for the `city` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_name", "city": "OVERFLOW"} #### CVE-2017-16285 - cmd s_time, offset key At 0x9d018e58 the value for the `offset` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_time", "offset": "OVERFLOW"} #### CVE-2017-16286 - cmd s_time, dststart key At 0x9d018ea0 the value for the `dststart` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_time", "offset": "x", "dststart": "OVERFLOW"} #### CVE-2017-16287 - cmd s_time, dstend key At 0x9d018f00 the value for the `dstend` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_time", "offset": "x", "dststart": "xxxxx", "dstend": "OVERFLOW"} Note: ‘dststart’ must be 5 characters long. #### CVE-2017-16288 - cmd s_time, dst key At 0x9d018f60 the value for the `dst` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_time", "offset": "x", "dststart": "xxxxx", "dstend": "xxxxx", "dst": "OVERFLOW"} Note: both ‘dststart’ and ‘dstend’ must be 5 characters long. #### CVE-2017-16289 - cmd s_utc, offset key At 0x9d0193ac the value for the `offset` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_utc", "offset": "OVERFLOW"} #### CVE-2017-16290 - cmd s_sun, sunrise key At 0x9d01980c the value for the `sunrise` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sun", "sunrise": "OVERFLOW"} #### CVE-2017-16291 - cmd s_sun, sunset key At 0x9d019854 the value for the `sunset` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sun", "sunrise": "x", "sunset": "OVERFLOW"} #### CVE-2017-16292 - cmd g_schd, grp key At 0x9d019c50 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "g_schd", "grp": "OVERFLOW"} #### CVE-2017-16293 - cmd s_schd, grp key At 0x9d01a010 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_schd", "grp": "OVERFLOW"} #### CVE-2017-16294 - cmd s_schd, on key At 0x9d01a144 the value for the `on` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_schd", "grp": "x", "on": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16295 - cmd s_schd, off key At 0x9d01a18c the value for the `off` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_schd", "grp": "x", "on": "x", "off": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16296 - cmd s_schd, days key At 0x9d01a1d4 the value for the `days` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_schd", "grp": "x", "on": "x", "off": "x", "days": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16297 - cmd s_schd, oncmd key At 0x9d01a21c the value for the `oncmd` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_schd", "grp": "x", "on": "x", "off": "x", "days": "x", "oncmd": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16298 - cmd s_schd, offcmd key At 0x9d01a264 the value for the `offcmd` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_schd", "grp": "x", "on": "x", "off": "x", "days": "x", "oncmd": "x", "offcmd": "OVERFLOW"} Note: `grp` needs to be either a hex number lower than 0x3e9 (e.g. “grp”: “3e8”), or any invalid hex digit. #### CVE-2017-16299 - cmd sn_raw, d key At 0x9d01aad8 the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_raw", "d": "OVERFLOW"} #### CVE-2017-16300 - cmd sn_ex, id key At 0x9d01ac74 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_ex", "id": "OVERFLOW"} #### CVE-2017-16301 - cmd sn_ex, flg key At 0x9d01ad14 the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_ex", "id": "x", "flg": "OVERFLOW"} #### CVE-2017-16302 - cmd sn_ex, cmd1 key At 0x9d01ad78 the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_ex", "id": "x", "flg": "x", "cmd1": "OVERFLOW"} #### CVE-2017-16303 - cmd sn_ex, cmd2 key At 0x9d01addc the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_ex", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "OVERFLOW"} #### CVE-2017-16304 - cmd sn_ex, d key At 0x9d01ae40 the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_ex", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "d": "OVERFLOW"} #### CVE-2017-16305 - cmd sn_exw, id key At 0x9d01b20c the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_exw", "id": "OVERFLOW"} #### CVE-2017-16306 - cmd sn_exw, flg key At 0x9d01b2ac the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_exw", "id": "x", "flg": "OVERFLOW"} #### CVE-2017-16307 - cmd sn_exw, cmd1 key At 0x9d01b310 the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_exw", "id": "x", "flg": "x", "cmd1": "OVERFLOW"} #### CVE-2017-16308 - cmd sn_exw, cmd2 key At 0x9d01b374 the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_exw", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "OVERFLOW"} #### CVE-2017-16309 - cmd sn_exw, d key At 0x9d01b3d8 the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "sn_exw", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "d": "OVERFLOW"} #### CVE-2017-16310 - cmd s_ch, ch key At 0x9d01b7b0 the value for the `ch` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_ch", "ch": "OVERFLOW"} #### CVE-2017-16311 - cmd UpdateCheck, type key At 0x9d01bb64 the value for the `type` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "UpdateCheck", "host": "x", "uri": "x", "type": "OVERFLOW"} #### CVE-2017-16312 - cmd s_sonos, sn_discover key At 0x9d01c028 the value for the `sn_discover` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "sn_discover": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16313 - cmd s_sonos, s_ddelay key At 0x9d01c084 the value for the `s_ddelay` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "sn_discover": "0", "s_ddelay": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. Note: `sn_discover` needs to be a hex number lower than 0x100. #### CVE-2017-16314 - cmd s_sonos, s_speaker key At 0x9d01c1cc the value for the `s_speaker` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_speaker": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16315 - cmd s_sonos, s_state key At 0x9d01c3a0 the value for the `s_state` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_state": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16316 - cmd s_sonos, g_meta_page key At 0x9d01c898 the value for the `g_meta_page` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "g_meta_page": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16317 - cmd s_sonos, g_group key At 0x9d01d068 the value for the `g_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "g_group": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16318 - cmd s_sonos, g_group_off key At 0x9d01d16c the value for the `g_group_off` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "g_group": "0", "g_group_off": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. Note: “g_group” can be either “0” or “00” #### CVE-2017-16319 - cmd s_sonos, g_sonos_index key At 0x9d01d7a8 the value for the `g_sonos_index` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "g_sonos_index": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16320 - cmd s_sonos, s_sonos_cmd key At 0x9d01ddd4 the value for the `s_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_sonos_cmd": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16321 - cmd s_sonos, s_sonos_index key At 0x9d01e050 the value for the `s_sonos_index` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_sonos_cmd": "x", "s_sonos_index": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16322 - cmd s_sonos, c_group key At 0x9d01e228 the value for the `c_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "c_group": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16323 - cmd s_sonos, s_group key At 0x9d01e2f4 the value for the `s_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_group": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16324 - cmd s_sonos, s_group_vol key At 0x9d01e368 the value for the `s_group_vol` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_group": "x", "s_group_vol": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16325 - cmd s_sonos, s_group_cmd key At 0x9d01e3a8 the value for the `s_group_cmd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "s_group": "x", "s_group_cmd": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16326 - cmd s_sonos, sn_sonos_cmd key At 0x9d01e5f4 the value for the `sn_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_sonos", "sn_sonos_cmd": "OVERFLOW"} Note: in place of the cmd `s_sonos`, it’s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`. #### CVE-2017-16327 - cmd s_init_event, s_event_offset key At 0x9d01ea88 the value for the `s_event_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_init_event", "s_event_offset": "OVERFLOW"} #### CVE-2017-16328 - cmd s_event_alarm, s_event_offset key At 0x9d01eb08 the value for the `s_event_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_alarm", "s_event_offset": "OVERFLOW"} #### CVE-2017-16329 - cmd s_event_alarm, s_event_delay key At 0x9d01eb44 the value for the `s_event_delay` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_alarm", "s_event_delay": "OVERFLOW"} #### CVE-2017-16330 - cmd s_event_alarm, s_event_group key At 0x9d01eb8c the value for the `s_event_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_alarm", "s_event_group": "OVERFLOW"} #### CVE-2017-16331 - cmd s_event_alarm, s_tid key At 0x9d01ebd4 the value for the `s_tid` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_alarm", "s_tid": "OVERFLOW"} #### CVE-2017-16332 - cmd s_event_alarm, s_aid key At 0x9d01ec34 the value for the `s_aid` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_alarm", "s_aid": "OVERFLOW"} #### CVE-2017-16333 - cmd s_event, s_offset key At 0x9d01ed7c the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event", "s_offset": "OVERFLOW"} #### CVE-2017-16334 - cmd s_event, s_raw key At 0x9d01edb8 the value for the `s_raw` key is copied using `strcpy` to the buffer at `$sp+0x10`. This buffer is 244 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event", "s_offset": "x", "s_raw": "OVERFLOW"} #### CVE-2017-16335 - cmd s_event_var, s_offset key At 0x9d01ee70 the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_var", "s_offset": "OVERFLOW"} #### CVE-2017-16336 - cmd s_event_var, s_value key At 0x9d01eeb0 the value for the `s_value` key is copied using `strcpy` to the buffer at `$sp+0x10`. This buffer is 244 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "s_event_var", "s_offset": "x", "s_value": "OVERFLOW"} #### CVE-2017-16337 - cmd g_event, s_offset key At 0x9d01ef24 the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. {"cmd": "g_event", "s_offset": "OVERFLOW"} ### Timeline 2017-11-27 - Vendor Disclosure 2017-11-28 - Vendor Acknowledged 2018-01-02 - 30 day follow up with vendor for status 2018-01-18 - Vendor advised issues under evaluation 2018-02-12 - 60 day follow up with vendor 2018-03-09 - Vendor advised working on course of action 2018-04-06 - Follow up with vendor on timeline for fix 2018-04-12 - Vendor advised issues addressed & plan for beta testing 2018-06-19 - Public disclosure

{"id": "TALOS-2017-0483", "vendorId": null, "type": "talos", "bulletinFamily": "info", "title": "Insteon Hub PubNub \"cc\" Channel Message Handler Multiple Stack Overflow Code Execution Vulnerabilities", "description": "### Summary\n\nMultiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \u201ccc\u201d channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability.\n\n### Tested Versions\n\nInsteon Hub 2245-222 - Firmware version 1012\n\n### Product URLs\n\n<http://www.insteon.com/insteon-hub>\n\n### CVSSv3 Score\n\n8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nInsteon produces a series of devices aimed at controlling and monitoring a home: wall switches, led bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller which allows an end-user to use his smartphone to connect to his own house remotely and manage any other device through it. The Insteon Hub board utilizes several MCUs, the firmware in question is executed by a Microchip PIC32MX MCU, which has a MIPS32 architecture.\n\nThe firmware uses Microchip\u2019s \u201cLibraries for Applications\u201d as core for the application code. Its functionality resides on a co-operative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the relative callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care of executing tasks as quickly as possible, or splitting them in several loop cycles, in order to let other tasks running smoothly.\n\nTo enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (<https://www.pubnub.com/>). End-users install the \u201cInsteon for Hub\u201d application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows for a bi-directional communication using PubNub\u2019s REST API.\n\nThe interaction with PubNub happens by means of publish/subscribe methods. Each device has a series of channels it can subscribe to, in order to receive published messages. To subscribe to a specific channel it\u2019s enough to call the function `pubnub_subscribe` (defined in the PubNub SDK), passing as parameter the channel name and a callback function that will be called when a message is received on the specified channel.\n\nThe device defines a function which parses messages received from PubNub on channel \u201ccc\u201d: `sub_9d014b1c`. The function uses the `cJSON` library for parsing \u201cJSON\u201d messages and receives a `cJSON` object as parameter, which corresponds to the message sent from an authenticated smartphone application. As an example, this is a valid JSON message which is used to change the username/password pair of the device:\n \n \n {\n \"ser\": \"\",\n \"cmd\": \"s_auth\",\n \"usr\": \"myuser\",\n \"pwd\": \"mypwd\"\n }\n \n\nThe function initially checks the `cmd` parameter, and depending on that it proceeds to extract other expected parameters, in this case `usr` and `pwd`. The information is then either cached to be handled on the next multitasking loop, or immediately applied from within the current function.\n\nThe vulnerable code exists while parsing any JSON element, the following example is the disassembly of the path for the \u201cs_auth\u201d command:\n \n \n seg000:9D014B1C sub_9d014b1c:\n seg000:9D014B1C\n seg000:9D014B1C var_418 = -0x418\n seg000:9D014B1C var_414 = -0x414\n seg000:9D014B1C var_410 = -0x410\n ...\n seg000:9D014B1C var_14 = -0x14\n seg000:9D014B1C var_10 = -0x10\n seg000:9D014B1C var_C = -0xC\n seg000:9D014B1C var_8 = -8\n seg000:9D014B1C var_4 = -4\n seg000:9D014B1C\n seg000:9D014B1C 000 D8 FB BD 27 addiu $sp, -0x428\n seg000:9D014B20 428 24 04 BF AF sw $ra, 0x428+var_4($sp)\n seg000:9D014B24 428 20 04 BE AF sw $fp, 0x428+var_8($sp)\n seg000:9D014B28 428 1C 04 B7 AF sw $s7, 0x428+var_C($sp)\n seg000:9D014B2C 428 18 04 B6 AF sw $s6, 0x428+var_10($sp)\n seg000:9D014B30 428 14 04 B5 AF sw $s5, 0x428+var_14($sp)\n seg000:9D014B34 428 10 04 B4 AF sw $s4, 0x428+var_18($sp)\n seg000:9D014B38 428 0C 04 B3 AF sw $s3, 0x428+var_1C($sp)\n seg000:9D014B3C 428 08 04 B2 AF sw $s2, 0x428+var_20($sp)\n seg000:9D014B40 428 04 04 B1 AF sw $s1, 0x428+var_24($sp)\n seg000:9D014B44 428 00 04 B0 AF sw $s0, 0x428+var_28($sp)\n seg000:9D014B48 428 21 90 80 00 move $s2, $a0 # ptr to cJSON object\n seg000:9D014B4C 428 21 98 A0 00 move $s3, $a1\n ...\n seg000:9D014C60 428 21 20 40 02 move $a0, $s2\n seg000:9D014C64 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D014C68 428 F3 43 41 0F jal cJSON_GetObjectItem\n seg000:9D014C6C 428 24 28 A5 24 la $a1, aCmd # \"cmd\"\n seg000:9D014C70 428 0F 00 40 54 bnezl $v0, loc_9D014CB0\n ...\n seg000:9D014CB0 loc_9D014CB0:\n seg000:9D014CB0 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D014CB4 428 F3 43 41 0F jal cJSON_GetObjectItem\n seg000:9D014CB8 428 24 28 A5 24 la $a1, aCmd # \"cmd\"\n seg000:9D014CBC 428 1C 01 A4 27 addiu $a0, $sp, 0x428+var_30C\n seg000:9D014CC0 428 1F DF 41 0F jal strcpy\n seg000:9D014CC4 428 10 00 45 8C lw $a1, 0x10($v0)\n ...\n seg000:9D0153F4 loc_9D0153F4:\n seg000:9D0153F4 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D0153F8 428 87 E7 41 0F jal strcmp\n seg000:9D0153FC 428 54 2A A5 24 la $a1, aS_auth # \"s_auth\"\n seg000:9D015400 428 B2 00 40 14 bnez $v0, loc_9D0156CC # goto next cmd\n seg000:9D015404 428 1C 01 A4 27 addiu $a0, $sp, 0x428+var_30C\n seg000:9D015408 428 21 20 40 02 move $a0, $s2\n seg000:9D01540C 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D015410 428 F3 43 41 0F jal cJSON_GetObjectItem\n seg000:9D015414 428 5C 2A A5 24 la $a1, aUsr # \"usr\"\n seg000:9D015418 428 0F 00 40 10 beqz $v0, loc_9D015458 # goto fail\n seg000:9D01541C 428 21 20 40 02 move $a0, $s2\n seg000:9D015420 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D015424 428 F3 43 41 0F jal cJSON_GetObjectItem\n seg000:9D015428 428 5C 2A A5 24 la $a1, aUsr # \"usr\"\n seg000:9D01542C 428 90 02 A4 27 addiu $a0, $sp, 0x428+var_198\n seg000:9D015430 428 1F DF 41 0F jal strcpy\n seg000:9D015434 428 10 00 45 8C lw $a1, 0x10($v0)\n seg000:9D015438 428 21 20 40 02 move $a0, $s2\n seg000:9D01543C 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D015440 428 F3 43 41 0F jal cJSON_GetObjectItem\n seg000:9D015444 428 60 2A A5 24 la $a1, aPwd # \"pwd\"\n seg000:9D015448 428 07 00 40 14 bnez $v0, loc_9D015468\n seg000:9D01544C 428 21 20 40 02 move $a0, $s2\n seg000:9D015450 428 28 55 40 0B j loc_9D0154A0 # goto fail\n seg000:9D015454 428 00 00 00 00 nop\n seg000:9D015458\n seg000:9D015458 loc_9D015458:\n seg000:9D015458 428 BD 43 40 0F jal insteon_pubnub_send_fail\n seg000:9D01545C 428 21 28 60 02 move $a1, $s3\n seg000:9D015460 428 49 7C 40 0B j loc_9D01F124\n seg000:9D015464 428 24 04 BF 8F lw $ra, 0x428+var_4($sp)\n seg000:9D015468\n seg000:9D015468 loc_9D015468:\n seg000:9D015468 428 06 9D 05 3C lui $a1, 0x9D06\n seg000:9D01546C 428 F3 43 41 0F jal cJSON_GetObjectItem\n seg000:9D015470 428 60 2A A5 24 la $a1, aPwd # \"pwd\"\n seg000:9D015474 428 B0 02 A4 27 addiu $a0, $sp, 0x428+var_178\n seg000:9D015478 428 1F DF 41 0F jal strcpy\n seg000:9D01547C 428 10 00 45 8C lw $a1, 0x10($v0)\n ...\n seg000:9D0154A0 loc_9D0154A0:\n seg000:9D0154A0 428 BD 43 40 0F jal insteon_pubnub_send_fail\n seg000:9D0154A4 428 21 28 60 02 move $a1, $s3\n seg000:9D0154A8 428 49 7C 40 0B j loc_9D01F124\n seg000:9D0154AC 428 24 04 BF 8F lw $ra, 0x428+var_4($sp)\n \n\nLooking at the pseudocode:\n \n \n if (cJSON_GetObjectItem(obj, \"cmd\")) {\n strcpy(buf_cmd, cJSON_GetObjectItem(obj, \"cmd\")->valuestring);\n if (!strcmp(buf_cmd, \"...\"))\n ...\n else if (!strcmp(buf_cmd, \"...\"))\n ...\n else if (!strcmp(buf_cmd, \"s_auth\")) {\n if (!cJSON_GetObjectItem(obj, \"usr\")) goto fail;\n strcpy(buf_usr, cJSON_GetObjectItem(obj, \"usr\")->valuestring);\n if (!cJSON_GetObjectItem(obj, \"pwd\")) goto fail;\n strcpy(buf_pwd, cJSON_GetObjectItem(obj, \"pwd\")->valuestring);\n ...\n }\n ...\n }\n \n\nThe `src` parameter for `strcpy` is unconstrained, and can lead to a buffer overflow, in the above example a stack-based one. This same sequence of vulnerable instructions is present for every supported keyword in the message handler.\n\nTo send a message, an HTTP GET should be used which embeds the JSON string in the \u201cpath\u201d portion of the URL:\n \n \n $ curl https://pubsub.pubnub.com/publish/<pub>/<sub>/<callback>/<channel>/<payload>?auth=<auth-key>\n \n <pub>: PubNub's publishKey. The device uses pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3\n <sub>: PubNub's subscribeKey. The device uses sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe\n <callback>: can be set to 0\n <channel>: composed by \"<insteon-id>-<channel-suffix>\". <insteon-id> corresponds to the lower 3 octets of the MAC address and <channel-suffix> is the actual channel name, in this case \"cc\" (example of full channel name: 112233-cc)\n <payload>: contains the JSON message string, the minimal JSON for Insteon is {\"ser\":\"\"}\n <auth-key>: key for access control, 16 bytes hex-encoded\n \n\nExample:\n \n \n $ curl 'https://pubsub.pubnub.com/publish/pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/0/112233-cc/\n 0/\\{\"ser\":\"\",\"cmd\":\"s_auth\",\"usr\":\"newusr\",\"pwd\":\"newpwd\"\\}?auth=00112233445566778899AABBCCDDEEFF'\n \n\nThe following is a list of vulnerable `strcpy` calls and their Proof-of-Concept. Each PoC shows only the payload portion of the request and uses the placeholder \u201cOVERFLOW\u201d to highlight the vulnerable parameter, which can be replaced with `\"A\"*0x400` to make the device crash. All buffer overflows below happen on the stack, and allow for overwriting arbitrarily all $s-registers, saved-pc and saved-fp. A key with value \u201cx\u201d means that its value is irrelevant.\n\n#### CVE-2017-16252 - cmd key\n\nAt 0x9d014cc0 the value for the `cmd` key is copied using `strcpy` to the buffer at `$sp+0x11c`. This buffer is 20 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16253 - cmd sn_sx, id key\n\nAt 0x9d014dd8 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_sx\", \"id\": \"OVERFLOW\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"x\"}\n \n\n#### CVE-2017-16254 - cmd sn_sx, flg key\n\nAt 0x9d014e4c the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_sx\", \"id\": \"x\", \"flg\": \"OVERFLOW\", \"cmd1\": \"x\", \"cmd2\": \"x\"}\n \n\n#### CVE-2017-16255 - cmd sn_sx, cmd1 key\n\nAt 0x9d014e84 the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_sx\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"OVERFLOW\", \"cmd2\": \"x\"}\n \n\n#### CVE-2017-16256 - cmd sn_sx, cmd2 key\n\nAt 0x9d014ebc the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_sx\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16257 - cmd sn_sx, cmd3 key\n\nAt 0x9d014f28 the value for the `cmd3` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_sx\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"x\", \"cmd3\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16258 - cmd sn_sx, cmd4 key\n\nAt 0x9d014f7c the value for the `cmd4` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_sx\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"x\", \"cmd4\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16259 - cmd s_auth, usr key\n\nAt 0x9d015430 the value for the `usr` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_auth\", \"usr\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16260 - cmd s_auth, pwd key\n\nAt 0x9d015478 the value for the `pwd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_auth\", \"usr\": \"x\", \"pwd\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16261 - cmd g_b, grp key\n\nAt 0x9d015714 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"g_b\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16262 - cmd g_b, id key\n\nAt 0x9d015864 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"g_b\", \"grp\": \"x\", \"id\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16263 - cmd g_b, val key\n\nAt 0x9d015a8c the value for the `val` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"g_b\", \"grp\": \"x\", \"val\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16264 - cmd l_b, grp key\n\nAt 0x9d015cfc the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"l_b\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16265 - cmd l_bt, grp key\n\nAt 0x9d016104 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"l_bt\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16266 - cmd s_b, grp key\n\nAt 0x9d016530 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_b\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16267 - cmd s_b, val key\n\nAt 0x9d016578 the value for the `val` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_b\", \"grp\": \"x\", \"val\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16268 - cmd s_b, id key\n\nAt 0x9d0165c0 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_b\", \"grp\": \"x\", \"val\": \"x\", \"id\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16269 - cmd s_b, s_speaker key\n\nAt 0x9d01672c the value for the `s_speaker` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_b\", \"grp\": \"x\", \"val\": \"x\", \"id\": \"x\", \"s_speaker\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16270 - cmd s_b, s_sonos_cmd key\n\nAt 0x9d01679c the value for the `s_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_b\", \"grp\": \"x\", \"val\": \"x\", \"id\": \"x\", \"s_sonos_cmd\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16271 - cmd e_l, as_c key\n\nAt 0x9d016c94 the value for the `as_c` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"e_l\", \"as_c\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16272 - cmd e_l, grp key\n\nAt 0x9d016cf0 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"e_l\", \"as_c\": \"1\", \"grp\": \"OVERFLOW\"}\n \n\nNote: `as_c` needs to be exactly \u201c1\u201d\n\n#### CVE-2017-16273 - cmd e_ml, grp key\n\nAt 0x9d016fa8 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"e_ml\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16274 - cmd e_u, grp key\n\nAt 0x9d017364 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"e_u\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16275 - cmd sn_grp, grp key\n\nAt 0x9d01758c the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_grp\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16276 - cmd sn_grp, gbt key\n\nAt 0x9d0175f4 the value for the `gbt` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_grp\", \"grp\": \"x\", \"gbt\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16277 - cmd sn_grp, gcmd key\n\nAt 0x9d017658 the value for the `gcmd` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_grp\", \"grp\": \"x\", \"gbt\": \"x\", \"gcmd\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16278 - cmd s_net, ip key\n\nAt 0x9d01815c the value for the `ip` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_net\", \"ip\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16279 - cmd s_net, port key\n\nAt 0x9d0181a4 the value for the `port` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_net\", \"ip\": \"x\", \"port\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16280 - cmd s_net, gate key\n\nAt 0x9d0181ec the value for the `gate` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_net\", \"ip\": \"x\", \"port\": \"x\", \"gate\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16281 - cmd s_net, sub key\n\nAt 0x9d018234 the value for the `sub` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_net\", \"ip\": \"x\", \"port\": \"x\", \"gate\": \"x\", \"sub\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16282 - cmd s_net, dhcp key\n\nAt 0x9d01827c the value for the `dhcp` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_net\", \"ip\": \"x\", \"port\": \"x\", \"gate\": \"x\", \"sub\": \"x\", \"dhcp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16283 - cmd s_name, name key\n\nAt 0x9d0188a8 the value for the `name` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_name\", \"name\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16284 - cmd s_name, city key\n\nAt 0x9d018958 the value for the `city` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_name\", \"city\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16285 - cmd s_time, offset key\n\nAt 0x9d018e58 the value for the `offset` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_time\", \"offset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16286 - cmd s_time, dststart key\n\nAt 0x9d018ea0 the value for the `dststart` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_time\", \"offset\": \"x\", \"dststart\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16287 - cmd s_time, dstend key\n\nAt 0x9d018f00 the value for the `dstend` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_time\", \"offset\": \"x\", \"dststart\": \"xxxxx\", \"dstend\": \"OVERFLOW\"}\n \n\nNote: \u2018dststart\u2019 must be 5 characters long.\n\n#### CVE-2017-16288 - cmd s_time, dst key\n\nAt 0x9d018f60 the value for the `dst` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_time\", \"offset\": \"x\", \"dststart\": \"xxxxx\", \"dstend\": \"xxxxx\", \"dst\": \"OVERFLOW\"}\n \n\nNote: both \u2018dststart\u2019 and \u2018dstend\u2019 must be 5 characters long.\n\n#### CVE-2017-16289 - cmd s_utc, offset key\n\nAt 0x9d0193ac the value for the `offset` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_utc\", \"offset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16290 - cmd s_sun, sunrise key\n\nAt 0x9d01980c the value for the `sunrise` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sun\", \"sunrise\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16291 - cmd s_sun, sunset key\n\nAt 0x9d019854 the value for the `sunset` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sun\", \"sunrise\": \"x\", \"sunset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16292 - cmd g_schd, grp key\n\nAt 0x9d019c50 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"g_schd\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16293 - cmd s_schd, grp key\n\nAt 0x9d01a010 the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_schd\", \"grp\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16294 - cmd s_schd, on key\n\nAt 0x9d01a144 the value for the `on` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_schd\", \"grp\": \"x\", \"on\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16295 - cmd s_schd, off key\n\nAt 0x9d01a18c the value for the `off` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_schd\", \"grp\": \"x\", \"on\": \"x\", \"off\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16296 - cmd s_schd, days key\n\nAt 0x9d01a1d4 the value for the `days` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_schd\", \"grp\": \"x\", \"on\": \"x\", \"off\": \"x\", \"days\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16297 - cmd s_schd, oncmd key\n\nAt 0x9d01a21c the value for the `oncmd` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_schd\", \"grp\": \"x\", \"on\": \"x\", \"off\": \"x\", \"days\": \"x\", \"oncmd\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16298 - cmd s_schd, offcmd key\n\nAt 0x9d01a264 the value for the `offcmd` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_schd\", \"grp\": \"x\", \"on\": \"x\", \"off\": \"x\", \"days\": \"x\", \"oncmd\": \"x\", \"offcmd\": \"OVERFLOW\"}\n \n\nNote: `grp` needs to be either a hex number lower than 0x3e9 (e.g. \u201cgrp\u201d: \u201c3e8\u201d), or any invalid hex digit.\n\n#### CVE-2017-16299 - cmd sn_raw, d key\n\nAt 0x9d01aad8 the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_raw\", \"d\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16300 - cmd sn_ex, id key\n\nAt 0x9d01ac74 the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_ex\", \"id\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16301 - cmd sn_ex, flg key\n\nAt 0x9d01ad14 the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_ex\", \"id\": \"x\", \"flg\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16302 - cmd sn_ex, cmd1 key\n\nAt 0x9d01ad78 the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_ex\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16303 - cmd sn_ex, cmd2 key\n\nAt 0x9d01addc the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_ex\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16304 - cmd sn_ex, d key\n\nAt 0x9d01ae40 the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_ex\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"x\", \"d\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16305 - cmd sn_exw, id key\n\nAt 0x9d01b20c the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_exw\", \"id\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16306 - cmd sn_exw, flg key\n\nAt 0x9d01b2ac the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x280`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_exw\", \"id\": \"x\", \"flg\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16307 - cmd sn_exw, cmd1 key\n\nAt 0x9d01b310 the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x2d0`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_exw\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16308 - cmd sn_exw, cmd2 key\n\nAt 0x9d01b374 the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_exw\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16309 - cmd sn_exw, d key\n\nAt 0x9d01b3d8 the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"sn_exw\", \"id\": \"x\", \"flg\": \"x\", \"cmd1\": \"x\", \"cmd2\": \"x\", \"d\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16310 - cmd s_ch, ch key\n\nAt 0x9d01b7b0 the value for the `ch` key is copied using `strcpy` to the buffer at `$sp+0x334`. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_ch\", \"ch\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16311 - cmd UpdateCheck, type key\n\nAt 0x9d01bb64 the value for the `type` key is copied using `strcpy` to the buffer at `$sp+0x270`. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"UpdateCheck\", \"host\": \"x\", \"uri\": \"x\", \"type\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16312 - cmd s_sonos, sn_discover key\n\nAt 0x9d01c028 the value for the `sn_discover` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"sn_discover\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16313 - cmd s_sonos, s_ddelay key\n\nAt 0x9d01c084 the value for the `s_ddelay` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"sn_discover\": \"0\", \"s_ddelay\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\nNote: `sn_discover` needs to be a hex number lower than 0x100.\n\n#### CVE-2017-16314 - cmd s_sonos, s_speaker key\n\nAt 0x9d01c1cc the value for the `s_speaker` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_speaker\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16315 - cmd s_sonos, s_state key\n\nAt 0x9d01c3a0 the value for the `s_state` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_state\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16316 - cmd s_sonos, g_meta_page key\n\nAt 0x9d01c898 the value for the `g_meta_page` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"g_meta_page\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16317 - cmd s_sonos, g_group key\n\nAt 0x9d01d068 the value for the `g_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"g_group\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16318 - cmd s_sonos, g_group_off key\n\nAt 0x9d01d16c the value for the `g_group_off` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"g_group\": \"0\", \"g_group_off\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\nNote: \u201cg_group\u201d can be either \u201c0\u201d or \u201c00\u201d\n\n#### CVE-2017-16319 - cmd s_sonos, g_sonos_index key\n\nAt 0x9d01d7a8 the value for the `g_sonos_index` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"g_sonos_index\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16320 - cmd s_sonos, s_sonos_cmd key\n\nAt 0x9d01ddd4 the value for the `s_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x290`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_sonos_cmd\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16321 - cmd s_sonos, s_sonos_index key\n\nAt 0x9d01e050 the value for the `s_sonos_index` key is copied using `strcpy` to the buffer at `$sp+0x1b4`. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_sonos_cmd\": \"x\", \"s_sonos_index\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16322 - cmd s_sonos, c_group key\n\nAt 0x9d01e228 the value for the `c_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"c_group\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16323 - cmd s_sonos, s_group key\n\nAt 0x9d01e2f4 the value for the `s_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_group\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16324 - cmd s_sonos, s_group_vol key\n\nAt 0x9d01e368 the value for the `s_group_vol` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_group\": \"x\", \"s_group_vol\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16325 - cmd s_sonos, s_group_cmd key\n\nAt 0x9d01e3a8 the value for the `s_group_cmd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"s_group\": \"x\", \"s_group_cmd\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16326 - cmd s_sonos, sn_sonos_cmd key\n\nAt 0x9d01e5f4 the value for the `sn_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_sonos\", \"sn_sonos_cmd\": \"OVERFLOW\"}\n \n\nNote: in place of the cmd `s_sonos`, it\u2019s also possible to use `g_sonos_players`, `g_sonos_preset`, `g_sonos_metadata`, `g_sonos_groups`, `g_sonos_bindex`, `g_sonos_vol`.\n\n#### CVE-2017-16327 - cmd s_init_event, s_event_offset key\n\nAt 0x9d01ea88 the value for the `s_event_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_init_event\", \"s_event_offset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16328 - cmd s_event_alarm, s_event_offset key\n\nAt 0x9d01eb08 the value for the `s_event_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_alarm\", \"s_event_offset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16329 - cmd s_event_alarm, s_event_delay key\n\nAt 0x9d01eb44 the value for the `s_event_delay` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_alarm\", \"s_event_delay\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16330 - cmd s_event_alarm, s_event_group key\n\nAt 0x9d01eb8c the value for the `s_event_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_alarm\", \"s_event_group\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16331 - cmd s_event_alarm, s_tid key\n\nAt 0x9d01ebd4 the value for the `s_tid` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_alarm\", \"s_tid\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16332 - cmd s_event_alarm, s_aid key\n\nAt 0x9d01ec34 the value for the `s_aid` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_alarm\", \"s_aid\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16333 - cmd s_event, s_offset key\n\nAt 0x9d01ed7c the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event\", \"s_offset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16334 - cmd s_event, s_raw key\n\nAt 0x9d01edb8 the value for the `s_raw` key is copied using `strcpy` to the buffer at `$sp+0x10`. This buffer is 244 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event\", \"s_offset\": \"x\", \"s_raw\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16335 - cmd s_event_var, s_offset key\n\nAt 0x9d01ee70 the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_var\", \"s_offset\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16336 - cmd s_event_var, s_value key\n\nAt 0x9d01eeb0 the value for the `s_value` key is copied using `strcpy` to the buffer at `$sp+0x10`. This buffer is 244 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"s_event_var\", \"s_offset\": \"x\", \"s_value\": \"OVERFLOW\"}\n \n\n#### CVE-2017-16337 - cmd g_event, s_offset key\n\nAt 0x9d01ef24 the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.\n \n \n {\"cmd\": \"g_event\", \"s_offset\": \"OVERFLOW\"}\n \n\n### Timeline\n\n2017-11-27 - Vendor Disclosure \n2017-11-28 - Vendor Acknowledged \n2018-01-02 - 30 day follow up with vendor for status \n2018-01-18 - Vendor advised issues under evaluation \n2018-02-12 - 60 day follow up with vendor \n2018-03-09 - Vendor advised working on course of action \n2018-04-06 - Follow up with vendor on timeline for fix \n2018-04-12 - Vendor advised issues addressed & plan for beta testing \n2018-06-19 - Public disclosure\n", "published": "2018-06-19T00:00:00", "modified": "2018-06-19T00:00:00", "epss": [{"cve": "CVE-2017-16252", "epss": 0.00083, "percentile": 0.33819, "modified": "2023-06-05"}, {"cve": "CVE-2017-16253", "epss": 0.00099, "percentile": 0.39798, "modified": "2023-06-05"}, {"cve": "CVE-2017-16254", "epss": 0.00099, "percentile": 0.39798, "modified": "2023-06-05"}, {"cve": "CVE-2017-16255", "epss": 0.00069, "percentile": 0.28434, "modified": "2023-06-05"}, {"cve": "CVE-2017-16256", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16257", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16258", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16259", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16260", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16261", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16262", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16263", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16264", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16265", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16266", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16267", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16268", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16269", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16270", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16271", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16272", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16273", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16274", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16275", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16276", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16277", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16278", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16279", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16280", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16281", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16282", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16283", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16284", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16285", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16286", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16287", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16288", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16289", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16290", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16291", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16292", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16293", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16294", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16295", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16296", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16297", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16298", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16299", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16300", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16301", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16302", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16303", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16304", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16305", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16306", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16307", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16308", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16309", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16310", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16311", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16312", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16313", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16314", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16315", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16316", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16317", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16318", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16319", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16320", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16321", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16322", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16323", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16324", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16325", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16326", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16327", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16328", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16329", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16330", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16331", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16332", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16333", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16334", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16335", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16336", "epss": 0.00047, "percentile": 0.14354, "modified": "2023-06-05"}, {"cve": "CVE-2017-16337", "epss": 0.00101, "percentile": 0.40291, "modified": "2023-06-05"}], "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0483", "reporter": "Talos Intelligence", "references": [], "cvelist": ["CVE-2017-16252", "CVE-2017-16253", "CVE-2017-16254", "CVE-2017-16255", "CVE-2017-16256", "CVE-2017-16257", "CVE-2017-16258", "CVE-2017-16259", "CVE-2017-16260", "CVE-2017-16261", "CVE-2017-16262", "CVE-2017-16263", "CVE-2017-16264", "CVE-2017-16265", "CVE-2017-16266", "CVE-2017-16267", "CVE-2017-16268", "CVE-2017-16269", "CVE-2017-16270", "CVE-2017-16271", "CVE-2017-16272", "CVE-2017-16273", "CVE-2017-16274", "CVE-2017-16275", "CVE-2017-16276", "CVE-2017-16277", "CVE-2017-16278", "CVE-2017-16279", "CVE-2017-16280", "CVE-2017-16281", "CVE-2017-16282", "CVE-2017-16283", "CVE-2017-16284", "CVE-2017-16285", "CVE-2017-16286", "CVE-2017-16287", "CVE-2017-16288", "CVE-2017-16289", "CVE-2017-16290", "CVE-2017-16291", "CVE-2017-16292", "CVE-2017-16293", "CVE-2017-16294", "CVE-2017-16295", "CVE-2017-16296", "CVE-2017-16297", "CVE-2017-16298", "CVE-2017-16299", "CVE-2017-16300", "CVE-2017-16301", "CVE-2017-16302", "CVE-2017-16303", "CVE-2017-16304", "CVE-2017-16305", "CVE-2017-16306", "CVE-2017-16307", "CVE-2017-16308", "CVE-2017-16309", "CVE-2017-16310", "CVE-2017-16311", "CVE-2017-16312", "CVE-2017-16313", "CVE-2017-16314", "CVE-2017-16315", "CVE-2017-16316", "CVE-2017-16317", "CVE-2017-16318", "CVE-2017-16319", "CVE-2017-16320", "CVE-2017-16321", "CVE-2017-16322", "CVE-2017-16323", "CVE-2017-16324", "CVE-2017-16325", "CVE-2017-16326", "CVE-2017-16327", "CVE-2017-16328", "CVE-2017-16329", "CVE-2017-16330", "CVE-2017-16331", "CVE-2017-16332", "CVE-2017-16333", "CVE-2017-16334", "CVE-2017-16335", "CVE-2017-16336", "CVE-2017-16337"], "immutableFields": [], "lastseen": "2023-06-05T15:13:58", "viewCount": 163, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-16252", "CVE-2017-16253", "CVE-2017-16254", "CVE-2017-16255", "CVE-2017-16256", "CVE-2017-16257", "CVE-2017-16258", "CVE-2017-16259", "CVE-2017-16260", "CVE-2017-16261", "CVE-2017-16262", "CVE-2017-16263", "CVE-2017-16264", "CVE-2017-16265", "CVE-2017-16266", "CVE-2017-16267", "CVE-2017-16268", "CVE-2017-16269", "CVE-2017-16270", "CVE-2017-16271", "CVE-2017-16272", "CVE-2017-16273", "CVE-2017-16274", "CVE-2017-16275", "CVE-2017-16276", "CVE-2017-16277", "CVE-2017-16278", "CVE-2017-16279", "CVE-2017-16280", "CVE-2017-16281", "CVE-2017-16282", "CVE-2017-16283", "CVE-2017-16284", "CVE-2017-16285", "CVE-2017-16286", "CVE-2017-16287", "CVE-2017-16288", "CVE-2017-16289", "CVE-2017-16290", "CVE-2017-16291", "CVE-2017-16292", "CVE-2017-16293", "CVE-2017-16294", "CVE-2017-16295", "CVE-2017-16296", "CVE-2017-16297", "CVE-2017-16298", "CVE-2017-16299", "CVE-2017-16300", "CVE-2017-16301", "CVE-2017-16302", "CVE-2017-16303", "CVE-2017-16304", "CVE-2017-16305", "CVE-2017-16306", "CVE-2017-16307", "CVE-2017-16308", "CVE-2017-16309", "CVE-2017-16310", "CVE-2017-16311", "CVE-2017-16312", "CVE-2017-16313", "CVE-2017-16314", "CVE-2017-16315", "CVE-2017-16316", "CVE-2017-16317", "CVE-2017-16318", "CVE-2017-16319", "CVE-2017-16320", "CVE-2017-16321", "CVE-2017-16322", "CVE-2017-16323", "CVE-2017-16324", "CVE-2017-16325", "CVE-2017-16326", "CVE-2017-16327", "CVE-2017-16328", "CVE-2017-16329", "CVE-2017-16330", "CVE-2017-16331", "CVE-2017-16332", "CVE-2017-16333", "CVE-2017-16334", "CVE-2017-16335", "CVE-2017-16336", "CVE-2017-16337"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB2AAA2E62EF3827DD86FE6704A534FE"]}]}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-16252"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB2AAA2E62EF3827DD86FE6704A534FE"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-16252", "epss": 0.0007, "percentile": 0.28776, "modified": "2023-05-06"}, {"cve": "CVE-2017-16253", "epss": 0.00084, "percentile": 0.3431, "modified": "2023-05-06"}, {"cve": "CVE-2017-16254", "epss": 0.00084, "percentile": 0.3431, "modified": "2023-05-06"}, {"cve": "CVE-2017-16255", "epss": 0.00059, "percentile": 0.22887, "modified": "2023-05-06"}, {"cve": "CVE-2017-16256", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16257", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16258", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16259", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16260", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16261", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16262", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16263", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16264", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16265", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16266", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16267", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16268", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16269", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16270", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16271", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16272", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16273", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16274", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16275", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16276", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16277", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16278", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16279", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16280", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16281", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16282", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16283", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16284", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16285", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16286", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16287", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16288", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16289", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16290", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16291", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16292", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16293", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16294", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16295", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16296", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16297", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16298", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16299", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16300", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16301", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16302", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16303", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16304", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16305", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16306", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16307", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16308", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16309", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16310", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16311", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16312", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16313", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16314", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16315", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16316", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16317", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16318", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16319", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16320", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16321", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16322", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16323", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16324", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16325", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16326", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16327", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16328", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16329", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16330", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16331", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16332", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16333", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16334", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16335", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16336", "epss": 0.00047, "percentile": 0.14321, "modified": "2023-05-06"}, {"cve": "CVE-2017-16337", "epss": 0.00086, "percentile": 0.3502, "modified": "2023-05-06"}], "vulnersScore": -0.0}, "_state": {"dependencies": 1685978914, "score": 1685978356, "epss": 0}, "_internal": {"score_hash": "37a65e5bc6594295dc105f9048a9f1b4"}}

{"cve": [{"lastseen": "2023-06-05T15:03:03", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01e228, the value for the `c_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16322", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16322"], "modified": "2023-01-23T18:13:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16322", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16322", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:51", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_auth, at 0x9d015478, the value for the `pwd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16260", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16260"], "modified": "2023-01-23T17:04:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16260", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16260", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:55", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_net, at 0x9d0181ec, the value for the `gate` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16280", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16280"], "modified": "2023-02-07T18:54:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16280", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16280", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:04", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01c3a0, the value for the `s_state` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16315", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16315"], "modified": "2023-01-19T21:40:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16315", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16315", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:05", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_alarm, at 0x9d01ebd4, the value for the `s_tid` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16331", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16331"], "modified": "2023-01-20T16:08:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16331", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16331", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:04", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01e368, the value for the `s_group_vol` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16324", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16324"], "modified": "2023-01-20T19:04:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16324", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16324", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:03", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01e050, the value for the `s_sonos_index` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16321", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16321"], "modified": "2023-01-19T21:30:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16321", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:01", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01c898, the value for the `g_meta_page` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16316", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16316"], "modified": "2023-01-19T21:40:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16316", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16316", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:01", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd UpdateCheck, at 0x9d01bb64, the value for the `type` key is copied using `strcpy` to the buffer at `$sp+0x270`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16311", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16311"], "modified": "2023-01-19T20:56:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16311", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16311", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:53", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_b, at 0x9d016530, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16266", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16266"], "modified": "2023-01-23T17:06:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16266", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16266", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:53", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd l_b, at 0x9d015cfc, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16264", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16264"], "modified": "2023-01-23T17:07:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16264", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16264", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:51", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd g_b, at 0x9d015864, the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16262", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16262"], "modified": "2023-01-23T17:07:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16262", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:06", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01ddd4, the value for the `s_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16320", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16320"], "modified": "2023-01-19T21:45:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16320", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16320", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:01", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01c028, the value for the `sn_discover` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16312", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16312"], "modified": "2023-01-19T20:56:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16312", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16312", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:01", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01c084, the value for the `s_ddelay` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16313", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16313"], "modified": "2023-01-19T21:37:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16313", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16313", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:53", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_b, at 0x9d016578, the value for the `val` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16267", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16267"], "modified": "2023-01-23T17:09:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16267", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16267", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:51", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_auth, at 0x9d015430, the value for the `usr` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16259", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16259"], "modified": "2023-01-23T18:12:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16259", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16259", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:05", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event, at 0x9d01edb8, the value for the `s_raw` key is copied using `strcpy` to the buffer at `$sp+0x10`.This buffer is 244 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16334", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16334"], "modified": "2023-01-20T14:19:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16334", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16334", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:04", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01e3a8, the value for the `s_group_cmd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16325", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16325"], "modified": "2023-01-20T19:03:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16325", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16325", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:51", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd g_b, at 0x9d015714, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16261", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16261"], "modified": "2023-01-20T01:11:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16261", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16261", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:54", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_b, at 0x9d01679c, the value for the `s_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16270", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16270"], "modified": "2023-01-23T18:02:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16270", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:06", "description": "On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. At 0x9d01ef24 the value for the s_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-23T15:29:00", "type": "cve", "title": "CVE-2017-16337", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16337"], "modified": "2022-12-09T02:29:00", "cpe": ["cpe:/o:insteon:hub_2245-222_firmware:1012"], "id": "CVE-2017-16337", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16337", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:insteon:hub_2245-222_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:01", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01c1cc, the value for the `s_speaker` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16314", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16314"], "modified": "2023-01-19T21:37:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16314", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16314", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:54", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd e_ml, at 0x9d016fa8, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16273", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16273"], "modified": "2023-01-19T20:20:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16273", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:54", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd e_u, at 0x9d017364, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16274", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16274"], "modified": "2023-02-07T18:54:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16274", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16274", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:55", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_name, at 0x9d018958, the value for the `city` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16284", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16284"], "modified": "2023-01-19T20:29:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16284", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16284", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:54", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd e_l, at 0x9d016c94, the value for the `as_c` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16271", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16271"], "modified": "2023-01-19T20:25:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16271", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_net, at 0x9d0181a4, the value for the `port` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16279", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16279"], "modified": "2023-01-19T20:26:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16279", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:00", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_grp, at 0x9d017658, the value for the `gcmd` key is copied using `strcpy` to the buffer at `$sp+0x270`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16277", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16277"], "modified": "2023-01-19T20:16:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16277", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16277", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:04", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01e5f4, the value for the `sn_sonos_cmd` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16326", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16326"], "modified": "2023-01-20T18:57:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16326", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16326", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:05", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_alarm, at 0x9d01ec34, the value for the `s_aid` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16332", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16332"], "modified": "2023-01-20T13:56:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16332", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16332", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:05", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event, at 0x9d01ed7c, the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16333", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16333"], "modified": "2023-01-20T13:54:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16333", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16333", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:52", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd g_b, at 0x9d015a8c, the value for the `val` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16263", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16263"], "modified": "2023-01-23T17:07:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16263", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16263", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:51", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_sx, at 0x9d014f7c, the value for the `cmd4` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16258", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16258"], "modified": "2023-01-23T17:05:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16258", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16258", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:55", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_net, at 0x9d01827c, the value for the `dhcp` key is copied using `strcpy` to the buffer at `$sp+0x270`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16282", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16282"], "modified": "2023-01-19T20:26:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16282", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16282", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:51", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_sx, at 0x9d014f28, the value for the `cmd3` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16257", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16257"], "modified": "2023-01-23T17:05:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16257", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16257", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:03", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01d16c, the value for the `g_group_off` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16318", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16318"], "modified": "2023-01-19T21:45:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16318", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16318", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:03", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01d068, the value for the `g_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16317", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16317"], "modified": "2023-01-19T21:44:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16317", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16317", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:02", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_b, at 0x9d0165c0, the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x270`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16268", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16268"], "modified": "2023-01-23T17:09:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16268", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16268", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:53", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd e_l, at 0x9d016cf0, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16272", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16272"], "modified": "2023-01-19T20:24:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16272", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:55", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_net, at 0x9d018234, the value for the `sub` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16281", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16281"], "modified": "2023-01-19T17:10:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16281", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16281", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:56", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_time, at 0x9d018ea0, the value for the `dststart` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16286", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16286"], "modified": "2023-01-19T20:31:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16286", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:07", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_alarm, at 0x9d01eb8c, the value for the `s_event_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16330", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16330"], "modified": "2023-01-20T16:09:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16330", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16330", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:53", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd l_bt, at 0x9d016104, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16265", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16265"], "modified": "2023-01-23T17:06:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16265", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16265", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:55", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_name, at 0x9d0188a8, the value for the `name` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16283", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16283"], "modified": "2023-01-19T20:28:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16283", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16283", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:04", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_init_event, at 0x9d01ea88, the value for the `s_event_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16327", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16327"], "modified": "2023-01-20T18:57:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16327", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16327", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:59", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_time, at 0x9d018e58, the value for the `offset` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16285", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16285"], "modified": "2023-01-19T20:31:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16285", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16285", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:50", "description": "An exploitable buffer overflow vulnerability exists in the PubNub message handler Insteon Hub 2245-222 - Firmware version 1012 for the cc channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP request At 0x9d014dd8 the value for the id key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-03-21T17:29:00", "type": "cve", "title": "CVE-2017-16253", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16253"], "modified": "2022-12-09T02:33:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16253", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16253", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:49", "description": "Specially crafted commands sent through the PubNub service in Insteon Hub 2245-222 with firmware version 1012 can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability.At 0x9d014cc0 the value for the cmd key is copied using strcpy to the buffer at $sp+0x11c. This buffer is 20 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-08-06T21:29:00", "type": "cve", "title": "CVE-2017-16252", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16252"], "modified": "2022-12-09T02:35:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16252", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16252", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:50", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_sx, at 0x9d014ebc, the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16256", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16256"], "modified": "2023-01-23T17:05:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16256", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16256", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:53", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_b, at 0x9d01672c, the value for the `s_speaker` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16269", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16269"], "modified": "2023-01-23T17:09:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16269", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16269", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:04", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_alarm, at 0x9d01eb44, the value for the `s_event_delay` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16329", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16329"], "modified": "2023-01-20T16:09:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16329", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16329", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:05", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_var, at 0x9d01eeb0, the value for the `s_value` key is copied using `strcpy` to the buffer at `$sp+0x10`.This buffer is 244 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16336", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16336"], "modified": "2023-01-20T15:01:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16336", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16336", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:05", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01d7a8, the value for the `g_sonos_index` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16319", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16319"], "modified": "2023-01-19T21:45:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16319", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16319", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:03", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sonos, at 0x9d01e2f4, the value for the `s_group` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16323", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16323"], "modified": "2023-01-20T19:04:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16323", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16323", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:57", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_net, at 0x9d01815c, the value for the `ip` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16278", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16278"], "modified": "2023-01-19T20:26:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16278", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16278", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:00", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_exw, at 0x9d01b2ac, the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16306", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16306"], "modified": "2023-01-19T21:06:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16306", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16306", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:59", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_ex, at 0x9d01ae40, the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16304", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16304"], "modified": "2023-01-19T20:50:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16304", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16304", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:57", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sun, at 0x9d01980c, the value for the `sunrise` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16290", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16290"], "modified": "2023-01-19T20:35:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16290", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16290", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:00", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_exw, at 0x9d01b310, the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16307", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16307"], "modified": "2023-01-19T21:06:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16307", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16307", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:00", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_exw, at 0x9d01b374, the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16308", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16308"], "modified": "2023-01-19T21:07:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16308", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16308", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:00", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_exw, at 0x9d01b3d8, the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16309", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16309"], "modified": "2023-01-19T20:55:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16309", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16309", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a264, the value for the `offcmd` key is copied using `strcpy` to the buffer at `$sp+0x334`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16298", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16298"], "modified": "2023-01-23T16:52:00", "cpe": ["cpe:/o:insteon:insteon_hub_firmware:1012"], "id": "CVE-2017-16298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16298", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:00", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_exw, at 0x9d01b20c, the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16305", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16305"], "modified": "2023-01-19T21:06:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16305", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16305", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:01", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_ch, at 0x9d01b7b0, the value for the `ch` key is copied using `strcpy` to the buffer at `$sp+0x334`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16310", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16310"], "modified": "2023-01-19T20:56:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16310", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16310", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_ex, at 0x9d01ad78, the value for the `cmd1` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16302", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16302"], "modified": "2023-01-23T17:50:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16302", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16302", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:56", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_utc, at 0x9d0193ac, the value for the `offset` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16289", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16289"], "modified": "2023-01-19T20:34:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16289", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16289", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:56", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_time, at 0x9d018f00, the value for the `dstend` key is copied using `strcpy` to the buffer at `$sp+0x270`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16287", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16287"], "modified": "2023-01-19T20:32:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16287", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16287", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_raw, at 0x9d01aad8, the value for the `d` key is copied using `strcpy` to the buffer at `$sp+0x334`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16299", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16299"], "modified": "2023-01-23T16:51:00", "cpe": ["cpe:/o:insteon:insteon_hub_firmware:1012"], "id": "CVE-2017-16299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16299", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:56", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_time, at 0x9d018f60, the value for the `dst` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16288", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16288"], "modified": "2023-01-19T20:32:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16288", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16288", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:10", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_alarm, at 0x9d01eb08, the value for the `s_event_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16328", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16328"], "modified": "2023-01-20T16:09:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16328", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16328", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:02", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_ex, at 0x9d01addc, the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16303", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16303"], "modified": "2023-02-07T18:54:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16303", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16303", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a010, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16293", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16293"], "modified": "2023-01-23T18:08:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16293", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16293", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:57", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_sun, at 0x9d019854, the value for the `sunset` key is copied using `strcpy` to the buffer at `$sp+0x334`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16291", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16291"], "modified": "2023-01-19T20:37:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16291", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16291", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:57", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd g_schd, at 0x9d019c50, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16292", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16292"], "modified": "2023-01-19T20:39:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16292", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16292", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a1d4, the value for the `days` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16296", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16296"], "modified": "2023-01-23T16:53:00", "cpe": ["cpe:/o:insteon:insteon_hub_firmware:1012"], "id": "CVE-2017-16296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16296", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:11", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a21c, the value for the `oncmd` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16297", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16297"], "modified": "2023-01-23T16:52:00", "cpe": ["cpe:/o:insteon:insteon_hub_firmware:1012"], "id": "CVE-2017-16297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16297", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a144, the value for the `on` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16294", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16294"], "modified": "2023-01-23T17:08:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16294", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16294", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_schd, at 0x9d01a18c, the value for the `off` key is copied using `strcpy` to the buffer at `$sp+0x270`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16295", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16295"], "modified": "2023-01-23T16:55:00", "cpe": ["cpe:/o:insteon:insteon_hub_firmware:1012"], "id": "CVE-2017-16295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16295", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:56", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_grp, at 0x9d01758c, the value for the `grp` key is copied using `strcpy` to the buffer at `$sp+0x1b4`.This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16275", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16275"], "modified": "2023-02-07T18:54:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16275", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16275", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_ex, at 0x9d01ad14, the value for the `flg` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16301", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16301"], "modified": "2023-01-23T18:22:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16301", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:58", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_ex, at 0x9d01ac74, the value for the `id` key is copied using `strcpy` to the buffer at `$sp+0x290`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16300", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16300"], "modified": "2023-01-23T16:50:00", "cpe": ["cpe:/o:insteon:insteon_hub_firmware:1012"], "id": "CVE-2017-16300", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16300", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:insteon_hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:50", "description": "An exploitable buffer overflow vulnerability exists in the PubNub message handler Insteon Hub 2245-222 - Firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP request at At 0x9d014e84 the value for the cmd1 key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-03-21T17:29:00", "type": "cve", "title": "CVE-2017-16255", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16255"], "modified": "2022-12-09T02:30:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16255", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16255", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:50", "description": "An exploitable buffer overflow vulnerability exists in the PubNub message handler Insteon Hub 2245-222 - Firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP request at 0x9d014e4c the value for the flg key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-03-21T17:29:00", "type": "cve", "title": "CVE-2017-16254", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16254"], "modified": "2022-12-09T02:31:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16254", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16254", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:03:12", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd s_event_var, at 0x9d01ee70, the value for the `s_offset` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16335", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16335"], "modified": "2023-01-20T14:34:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16335", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16335", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:02:55", "description": "Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the \"cc\" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_grp, at 0x9d0175f4, the value for the `gbt` key is copied using `strcpy` to the buffer at `$sp+0x280`.This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-11T22:15:00", "type": "cve", "title": "CVE-2017-16276", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16276"], "modified": "2023-02-07T18:54:00", "cpe": ["cpe:/o:insteon:hub_firmware:1012"], "id": "CVE-2017-16276", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16276", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:insteon:hub_firmware:1012:*:*:*:*:*:*:*"]}], "talosblog": [{"lastseen": "2018-07-10T22:29:40", "bulletinFamily": "blog", "cvelist": ["CVE-2017-14443", "CVE-2017-14444", "CVE-2017-14445", "CVE-2017-14446", "CVE-2017-14447", "CVE-2017-14452", "CVE-2017-14453", "CVE-2017-14454", "CVE-2017-14455", "CVE-2017-16252", "CVE-2017-16337", "CVE-2017-16338", "CVE-2017-16339", "CVE-2017-16340", "CVE-2017-16341", "CVE-2017-16342", "CVE-2017-16343", "CVE-2017-16344", "CVE-2017-16345", "CVE-2017-16346", "CVE-2017-16347", "CVE-2017-16348", "CVE-2018-3832", "CVE-2018-3833", "CVE-2018-3834"], "description": "Vulnerabilities discovered by Claudio Bozzato of Cisco Talos \n \n\n\nTalos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution, to denial of service. The majority of the vulnerabilities have their root cause in the unsafe usage of the strcpy() function, leading either to stack overflow or global overflow. \n\n \n\n\n### Overview\n\n \n\n\nInsteon Hub is a central controller, which allows an end user to use a smartphone to connect to and manage devices in their home remotely. To enable remote interaction via the internet, [Insteon Hub](<https://www.insteon.com/>) uses an online service called PubNub.\n\nEnd users install the \"Insteon for Hub\" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub's REST API.\n\nUnless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. As of firmware version 1016, these vulnerabilities are fixed, versions previous to this may be vulnerable.\n\n \n\n\n##### \n\n#### TALOS-2017-0483 - Message Handler Multiple Stack Overflow Remote Code Execution Vulnerabilities\n\nAn exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \nNote. CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently. \n \nCVE: CVE-2017-16252 through CVE-2017-16337 \n \nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0483>). \n \n\n\n#### TALOS-2017-0484 - Message Handler Multiple Global Overflow Remote Code Execution Vulnerabilities\n\nAn exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \nCVE: CVE-2017-16338, CVE-2017-16339, CVE-2017-16340, CVE-2017-16341, CVE-2017-16342, CVE-2017-16343, CVE-2017-16344, CVE-2017-16345, CVE-2017-16346, CVE-2017-16347 \n \nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0484>). \n \n\n\n#### TALOS-2017-0485 - Reboot Task Denial Of Service Vulnerability\n\nAn exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send an UDP packet to trigger this vulnerability.\n\n \nCVE: CVE-2017-16348 \n \nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0485>). \n \n\n\n#### TALOS-2017-0492 - HTTPExecuteGet Firmware Update Information Leak Vulnerability\n\nThe HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device's memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \nCVE: CVE-2017-14443 \n \nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0492>). \n \n\n\n#### TALOS-2017-0493 - HTTPExecuteGet Firmware Update URL Parameter Code Execution Vulnerability\n\nThe HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, however. By using vulnerability TALOS-2017-0492, it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \nCVE: CVE-2017-14444 \n \nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0493>). \n \n\n\n#### TALOS-2017-0494 - HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability\n\nThe HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, which in this case, cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \n\n\nCVE: CVE-2017-14445\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0494>).\n\n \n\n\n#### TALOS-2017-0495 - HTTPExecuteGet Parameters Extraction Code Execution Vulnerability\n\nThe HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \n\n\nCVE: CVE-2017-14446\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0495>).\n\n \n\n\n#### TALOS-2017-0496 - Insteon Hub PubNub \"ad\" Channel Message Handler Code Execution Vulnerability\n\nAn exploitable buffer overflow vulnerability exists in the PubNub message handler for the \"ad\" channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.\n\n \n\n\nCVE: CVE-2017-14447\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0496>).\n\n \n\n\n#### TALOS-2017-0502 - Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities\n\nAn exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.\n\n \n\n\nCVE: CVE-2017-14452, CVE-2017-14453, CVE-2017-14454, CVE-2017-14455\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0502>).\n\n \n\n\n#### TALOS-2018-0511 - Insteon Hub PubNub MPFS Upload Firmware Update Vulnerability\n\nThe HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker needs to have credentials that will be used to upload an MPFS binary via the \"/mpfsupload\" HTTP form and, later, upload the firmware via a POST request to \"firmware.htm.\"\n\n \n\n\nThis vulnerability was found on firmware version 1013.\n\n \n\n\nCVE: CVE-2018-3832\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0511>).\n\n \n\n\n#### TALOS-2018-0512 - Insteon Hub PubNub Firmware Downgrade Vulnerability\n\nAn exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server \"cache.insteon.com\" and serve any signed firmware image.\n\n \n\n\nCVE: CVE-2018-3833\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0512>).\n\n \n\n\n#### TALOS-2018-0513 - Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability\n\nAn exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent unusable condition. To trigger this vulnerability, an attacker needs to impersonate the remote server \"cache.insteon.com\" and serve a signed firmware image.\n\n \n\n\nCVE: CVE-2018-3834\n\n \n\n\nFull technical advisory is [available](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0513>).\n\n \n\n\n### Discussion\n\n \n\n\nOur previous vulnerability research on IoT devices ([Fosca](<http://blog.talosintelligence.com/2017/06/foscam-vuln-details.html>)[m C1](<http://blog.talosintelligence.com/2017/06/foscam-vuln-details.html>)[ Vulnerabilities](<http://blog.talosintelligence.com/2017/06/foscam-vuln-details.html>), [Circle with Disney](<http://blog.talosintelligence.com/2017/10/vulnerability-spotlight-circle.html>)) has shown that these kinds of devices are often vulnerable. \n\n \n\n\nAlthough several vulnerabilities were also found on Insteon Hub PubNub, some leading to remote code execution, it is worth mentioning that in order to exploit such vulnerabilities, the attacker needs to be in a privileged position. Some vulnerabilities require authentication into the PubNub portal. For others, the attacker needs to be in a position to perform a man-in-the-middle attack. Finally, the device itself also partially mitigates the vulnerability by limiting the size of the HTTP requests, which was proven effective in one of the vulnerabilities.\n\n \n\n\n### Coverage\n\n \n\n\nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or [Snort.org](<http://snort.org/>)\n\n \n\n\nSnort Rules: 45441, 45422, 44863, 45049, 45086, 45087, 44863, 45088 \n\n \n\n\n \n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/cPFlRcCfw9o)", "modified": "2018-06-19T15:32:34", "published": "2018-06-19T08:25:00", "id": "TALOSBLOG:DB2AAA2E62EF3827DD86FE6704A534FE", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/cPFlRcCfw9o/multiple-vuln-insteon.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub", "cvss": {"score": 0.0, "vector": "NONE"}}]}

Insteon Hub PubNub "cc" Channel Message Handler Multiple Stack Overflow Code Execution Vulnerabilities

Description

Related