Details of VAR-201709-1333

ID

VAR-201709-1333

CVE

CVE-2017-14454

TITLE

Insteon Hub Classic buffer overflow vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2017-015197

DESCRIPTION

Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. The `strcpy` at [18] overflows the buffer `insteon_pubnub.channel_al`, which has a size of 16 bytes. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2017-14454 // JVNDB: JVNDB-2017-015197 // VULMON: CVE-2017-14454

IOT TAXONOMY

category:	['home & office device']	sub_category:	smart home device	Trust: 0.1
category:	['home & office device']	sub_category:	smart home controller	Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	insteon	model:	hub	scope:	eq	version:	1012	Trust: 1.8
vendor:	insteon	model:	hub	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2017-015197 // NVD: CVE-2017-14454

CVSS

SEVERITY

CVSSV2

CVSSV3

talos-cna@cisco.com:	CVE-2017-14454
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2017-14454
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-14454
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201709-614
value:	HIGH
Trust: 0.6

talos-cna@cisco.com:	CVE-2017-14454
baseSeverity:	HIGH
baseScore:	8.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	6.0
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2017-14454
baseSeverity:	HIGH
baseScore:	8.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	6.0
version:	3.1
Trust: 1.0

sources: JVNDB: JVNDB-2017-015197 // CNNVD: CNNVD-201709-614 // NVD: CVE-2017-14454 // NVD: CVE-2017-14454

PROBLEMTYPE DATA

problemtype:	CWE-120	Trust: 1.0
problemtype:	Classic buffer overflow (CWE-120) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2017-015197 // NVD: CVE-2017-14454

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-614

PATCH

title:	Insteon Hub	url:	https://www.insteon.com/insteon-hub	Trust: 0.8
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2017-14454	Trust: 0.1

sources: VULMON: CVE-2017-14454 // JVNDB: JVNDB-2017-015197

EXTERNAL IDS

db:	NVD	id:	CVE-2017-14454	Trust: 3.4
db:	TALOS	id:	TALOS-2017-0502	Trust: 2.5
db:	JVNDB	id:	JVNDB-2017-015197	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-614	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1
db:	VULMON	id:	CVE-2017-14454	Trust: 0.1

sources: OTHER: None // VULMON: CVE-2017-14454 // JVNDB: JVNDB-2017-015197 // CNNVD: CNNVD-201709-614 // NVD: CVE-2017-14454

REFERENCES

url:	https://talosintelligence.com/vulnerability_reports/talos-2017-0502	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14454	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2017-14454/	Trust: 0.6
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/120.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2017-14454	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: OTHER: None // VULMON: CVE-2017-14454 // JVNDB: JVNDB-2017-015197 // CNNVD: CNNVD-201709-614 // NVD: CVE-2017-14454

SOURCES

db:	OTHER	id:	-
db:	VULMON	id:	CVE-2017-14454
db:	JVNDB	id:	JVNDB-2017-015197
db:	CNNVD	id:	CNNVD-201709-614
db:	NVD	id:	CVE-2017-14454

LAST UPDATE DATE

2025-01-30T20:04:07.218000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2017-14454	date:	2023-01-12T00:00:00
db:	JVNDB	id:	JVNDB-2017-015197	date:	2023-05-31T01:34:00
db:	CNNVD	id:	CNNVD-201709-614	date:	2023-01-28T00:00:00
db:	NVD	id:	CVE-2017-14454	date:	2023-01-20T19:12:37.490

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2017-14454	date:	2023-01-12T00:00:00
db:	JVNDB	id:	JVNDB-2017-015197	date:	2023-05-31T00:00:00
db:	CNNVD	id:	CNNVD-201709-614	date:	2017-09-15T00:00:00
db:	NVD	id:	CVE-2017-14454	date:	2023-01-12T00:15:08.627