Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub


Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution, to denial of service. The majority of the vulnerabilities have their root cause in the unsafe usage of the strcpy() function, leading either to stack overflow or global overflow.

Overview


Insteon Hub is a central controller, which allows an end user to use a smartphone to connect to and manage devices in their home remotely. To enable remote interaction via the internet, Insteon Hub uses an online service called PubNub.
End users install the "Insteon for Hub" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub's REST API.
Unless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. As of firmware version 1016, these vulnerabilities are fixed, versions previous to this may be vulnerable.

TALOS-2017-0483 - Message Handler Multiple Stack Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

Note. CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently.

CVE: CVE-2017-16252 through CVE-2017-16337

Full technical advisory is available.

TALOS-2017-0484 - Message Handler Multiple Global Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-16338, CVE-2017-16339, CVE-2017-16340, CVE-2017-16341, CVE-2017-16342, CVE-2017-16343, CVE-2017-16344, CVE-2017-16345, CVE-2017-16346, CVE-2017-16347

Full technical advisory is available.

TALOS-2017-0485 - Reboot Task Denial Of Service Vulnerability

An exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send an UDP packet to trigger this vulnerability.

CVE: CVE-2017-16348

Full technical advisory is available.

TALOS-2017-0492 - HTTPExecuteGet Firmware Update Information Leak Vulnerability

The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device's memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14443

Full technical advisory is available.

TALOS-2017-0493 - HTTPExecuteGet Firmware Update URL Parameter Code Execution Vulnerability

The HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, however. By using vulnerability TALOS-2017-0492, it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14444

Full technical advisory is available.

TALOS-2017-0494 - HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability

The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, which in this case, cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14445

Full technical advisory is available.

TALOS-2017-0495 - HTTPExecuteGet Parameters Extraction Code Execution Vulnerability

The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14446

Full technical advisory is available.

TALOS-2017-0496 - Insteon Hub PubNub "ad" Channel Message Handler Code Execution Vulnerability

An exploitable buffer overflow vulnerability exists in the PubNub message handler for the "ad" channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14447

Full technical advisory is available.

TALOS-2017-0502 - Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.

CVE: CVE-2017-14452, CVE-2017-14453, CVE-2017-14454, CVE-2017-14455

Full technical advisory is available.

TALOS-2018-0511 - Insteon Hub PubNub MPFS Upload Firmware Update Vulnerability

The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker needs to have credentials that will be used to upload an MPFS binary via the "/mpfsupload" HTTP form and, later, upload the firmware via a POST request to "firmware.htm."

This vulnerability was found on firmware version 1013.

CVE: CVE-2018-3832

Full technical advisory is available.

TALOS-2018-0512 - Insteon Hub PubNub Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve any signed firmware image.

CVE: CVE-2018-3833

Full technical advisory is available.

TALOS-2018-0513 - Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability

An exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent unusable condition. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve a signed firmware image.

CVE: CVE-2018-3834

Full technical advisory is available.

Discussion


Our previous vulnerability research on IoT devices (Foscam C1 Vulnerabilities, Circle with Disney) has shown that these kinds of devices are often vulnerable.

Although several vulnerabilities were also found on Insteon Hub PubNub, some leading to remote code execution, it is worth mentioning that in order to exploit such vulnerabilities, the attacker needs to be in a privileged position. Some vulnerabilities require authentication into the PubNub portal. For others, the attacker needs to be in a position to perform a man-in-the-middle attack. Finally, the device itself also partially mitigates the vulnerability by limiting the size of the HTTP requests, which was proven effective in one of the vulnerabilities.

Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org

Snort Rules: 45441, 45422, 44863, 45049, 45086, 45087, 44863, 45088 


Tags: ,,
Share: Email, ReBlog, Twitter, Facebook, Pinterest, Google+
Newer Post: Newer Post
Older Post: Older Post
Date:
Edit this post

Discussion

Powered by Manual Template
Name

.NET 0-day 0day ACDSee Adobe advisory adwind AMP Android Antenna House antivirus apple APT arbitrary code execution Attribution Automation Bahamut BASS beers with talos bitcoin Bitvote Black Hat botnet Brazil BRKSEC-2010 CASC chrome cisco Cisco Live Cisco Security Clam AV ClamAV Cobalt group code injection command injection conferences Coverage cryptocurrency cryptomining CSV CTA CVE-2016-8610 CVE-2017-0199 cve-2017-11882 CVE-2017-5638 CVE-2018-3857 CVE-2018-3858 CVE-2018-3859 CVE-2018-3860 CVE-2018-3870 CVE-2018-3871 CVE-2018-8506 cybercrime dark cloud DDE Decryptor Def Con detection dispute DOC DoS Excel Exploit exploit kits RTF fast flux Flash formbook Foscam Foxit Fuzzing gandcrab google GoScanSSH gozi gplayed GravityRAT Group123 Hangul healthcare HWP Hyland IcedID ICS IDA Pro IMAP incident response India inesap infostealer intel iOS IoT iot malware iPhone IR isfb jRAT JScript kernel mode KevDroid Korea Linux macros MalDoc Malware Malware Analysis Malware Research MDM meltdown meraki Microsoft Microsoft Patch Tuesday Middle East miners mining mobile device management monero Moxa ms tuesday natus NavRAT new router malware NordVPN North Korea nvidia Office office router attack Olympic Destoryer Olympic Destroyer Olympics opsec password stealer patch tuesday PDF phishing PhotoLine PLC podcast pony Powershell privilege escalation ProntoVPN PTEX PubNub PubNubRAT py2exe Pyeongchang pyrebox python Qatar ransomware RAT remcos remote access tool remote code execution research research spotlight reven ReversingLabs Rocke Rockwell Automation ROKRAT rootkit rtf ruby ryptoShuffler samsam samsung Scriptlets security updates sennoma signatures SimpleDirect Media Layer smartthings Smoke Loader Snort Snort Rules Sony South Korea spam spectre spyeye stealer steam struts support Talos TALOS-2017-0507 talosintelligence.com telegrab telegram Tetrane Thanatos ThanatosDecryptor threat intelligence Threat Research Threat Research Summit Threat Round-up Threat Roundup ThreatGrid threats TIFF trickbot trojan TTRS Umbrella ursnif VBScript VMI vpn filter attack VPNFiler VPNFilter VPNFilter malware vuln dev vulndev vulnerabilities Vulnerability vulnerability analysis Vulnerability Report Vulnerability Research vulnerability spotlight vulnerabillity vulnerable routers Whitepaper Windows WindowsCodecs.dll wipers xamarin XSS
false
ltr
item
materialize material: Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub
Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub
materialize material
https://materialize-material.blogspot.com/2018/06/vulnerability-spotlight-multiple-remote.html
https://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/2018/06/vulnerability-spotlight-multiple-remote.html
true
1816414542238562206
UTF-8
Not found any posts Not found any related posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU Tag ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Contents See also related Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy