CVE-2018-3833 - Unspecified vulnerability in Insteon HUB 2245-222 Firmware 1013
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | HIGH |
Availability impact | NONE |
Summary
An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server 'cache.insteon.com' and serve any signed firmware image.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 1 |
Hardware | | 1 |
Seebug
bulletinFamily | exploit |
description |
### Summary
An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve any signed firmware image.

### Tested Versions
Insteon Hub 2245-222 - Firmware version 1013

### Product URLs
http://www.insteon.com/insteon-hub

### CVSSv3 Score
8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

### CWE
CWE-284: Improper Access Control

### Details
Insteon produces a series of devices aimed at controlling and monitoring a home: wall switches, LED bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller which allows an end user to connect to their own house remotely from a smartphone and manage any other device through it.

The Insteon Hub board uses several MCUs; the firmware in question is executed by a Microchip PIC32MX MCU, which has a MIPS32 architecture. The firmware uses Microchip's "Libraries for Applications" as the core of the application code. Its functionality resides in a co-operative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the relevant callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care to execute tasks as quickly as possible, or to split them across several loop cycles, so that the other tasks keep running smoothly.

To enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (https://www.pubnub.com/). End users install the "Insteon for Hub" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows for bi-directional communication using PubNub's REST API.

Using the phone application, a user can decide to force an update. In this case, the phone will first retrieve the latest firmware for a given device using an HTTP GET request:

```
# phone --> connect.insteon.com:443
GET /HubService/Firmware?HubID=112233 HTTP/1.1

# connect.insteon.com:443 --> phone
[{"FW":"FW","Url":"cache.insteon.com\/software\/insteon\/hub2\/prod\/PROD_FW_03_33_1013.hex","Version":"1013","DevCat":"03","SubCat":"33"},{"FW":"PLM","Url":"cache.insteon.com\/software\/insteon\/hub2\/prod\/PROD_PLM_03_33_A3.hex","Version":"A3","DevCat":"03","SubCat":"33"}]
```

The answer contains the URL for the firmware in Intel HEX format. In this case there are two of them: one for the main PIC32MX MCU ("FW") and one for the PLM; we're interested in the former. The phone will then communicate with the device via PubNub, asking it to perform a firmware update using the FW URL:

```
# phone --> pubsub.pubnub.com:443
GET /publish/pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/0/112233-ad/0/{"u":"\/software\/insteon\/hub2\/prod\/PROD_FW_03_33_1013.hex","msgid":"1234567890-3","cmd":"up_firm","ser":"4","h":"cache.insteon.com"}?&auth=11223344556677889900AABBCCDDEEFF

# pubsub.pubnub.com:443 --> phone
[1,"Sent","1234567890"]
```

When the device receives this message, it will fetch the firmware using a plain HTTP request to "http://cache.insteon.com/software/insteon/hub2/prod/PROD_FW_03_33_1013.hex". The device will then perform a signature check on the firmware, and if this check passes, the firmware will be flashed without verifying that the current firmware version is lower than the one downloaded. An attacker who is able to impersonate the HTTP server for "cache.insteon.com" (e.g. via MITM) would be able to serve any old firmware and later exploit any vulnerability available for it.
id | SSV:97359 |
last seen | 2018-06-26 |
modified | 2018-06-22 |
published | 2018-06-22 |
reporter | My Seebug |
title | Insteon Hub PubNub Firmware Downgrade Vulnerability (CVE-2018-3833) |
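As an added defender-side example (not code from the advisory, Talos or Insteon), the following Python sketches the two checks the hub's updater lacks: an anti-rollback comparison of the listed version against the installed one, and a download URL that is forced to TLS and pinned to an expected host. The firmware listing is a constructed sample modelled on the connect.insteon.com reply quoted above; ALLOWED_HOSTS and the hex reading of the PLM version are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the connect.insteon.com reply quoted in the advisory.
FIRMWARE_LISTING = json.loads(r'''[
 {"FW":"FW","Url":"cache.insteon.com\/software\/insteon\/hub2\/prod\/PROD_FW_03_33_1013.hex",
  "Version":"1013","DevCat":"03","SubCat":"33"},
 {"FW":"PLM","Url":"cache.insteon.com\/software\/insteon\/hub2\/prod\/PROD_PLM_03_33_A3.hex",
  "Version":"A3","DevCat":"03","SubCat":"33"}]''')

# Hosts the hub may fetch images from (assumption; the advisory names only cache.insteon.com).
ALLOWED_HOSTS = {"cache.insteon.com"}

def parse_version(fw: str, version: str) -> int:
    """Main-MCU ("FW") versions are decimal, e.g. "1013". Treating the PLM value
    ("A3") as hex is an assumption drawn from the sample, not stated by the advisory."""
    return int(version, 16) if fw == "PLM" else int(version, 10)

def download_url(entry: dict) -> str:
    """Build the fetch URL over TLS and only for an expected host; the hub in the
    advisory prefixed plain "http://" instead. The HTTP client must also validate
    the server certificate, or an impersonated cache.insteon.com still wins."""
    parts = urlsplit("https://" + entry["Url"])
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected firmware host {parts.hostname!r}")
    return parts.geturl()

def check_update(installed: dict, entry: dict, signature_valid: bool) -> tuple[bool, str]:
    """Decide whether a listing entry may be flashed. `installed` describes the running
    image, e.g. {"FW":"FW","Version":"1013","DevCat":"03","SubCat":"33"};
    `signature_valid` is the outcome of the device's existing signature check."""
    if not signature_valid:
        return False, "signature check failed"
    if entry["FW"] != installed["FW"]:
        return False, "entry is for a different MCU"
    if (entry["DevCat"], entry["SubCat"]) != (installed["DevCat"], installed["SubCat"]):
        return False, "image is for a different device category"
    have = parse_version(installed["FW"], installed["Version"])
    want = parse_version(entry["FW"], entry["Version"])
    if want < have:  # the anti-rollback check the advisory says is missing
        return False, f"rollback refused: version {want} is older than installed {have}"
    try:  # same version is allowed (re-flash), newer is allowed
        return True, download_url(entry)
    except ValueError as err:
        return False, str(err)
```

Call `check_update({"FW": "FW", "Version": "1013", "DevCat": "03", "SubCat": "33"}, FIRMWARE_LISTING[0], signature_valid=True)` to see the accepted path; lower the entry's "Version" to see the rollback refusal.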
Talos
id | TALOS-2018-0512 |
last seen | 2019-05-29 |
published | 2018-06-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0512 |
title | Insteon Hub PubNub Firmware Downgrade Vulnerability |