VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-27804

Description

An OS command injection vulnerability exists in the web interface util_set_abode_code functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An OS command injection in the Abode iota All-In-One Security Kit's web interface allows authenticated remote attackers to execute arbitrary commands.

Vulnerability

An OS command injection vulnerability exists in the util_set_abode_code function of the Abode Systems, Inc. iota All-In-One Security Kit, specifically in the /action/factorySerialMacPost endpoint. The device, models 6.9X and 6.9Z, does not properly sanitize input when setting the ABODE_CODE bootargs variable, allowing an attacker to inject arbitrary operating system commands. The code path is reachable when the web interface is enabled, which can be achieved via separate vulnerabilities (TALOS-2022-1552 or TALOS-2022-1553). [1]

Exploitation

An attacker must first gain access to the web interface, which can be accomplished without authentication using TALOS-2022-1554. Subsequently, a specially crafted HTTP request to the /action/factorySerialMacPost endpoint is sent, containing malicious input that bypasses command sanitization. No special user interaction beyond sending the request is required; the attacker needs network access to the device. [1]

Impact

Successful exploitation leads to arbitrary command execution on the underlying operating system with root privileges. This results in full compromise of the device's confidentiality, integrity, and availability. An attacker can install malware, exfiltrate sensitive data, pivot to other network devices, or render the security kit inoperable. [1]

Mitigation

As of the publication date (2022-10-25), no official patch or firmware update has been released by Abode Systems for versions 6.9X and 6.9Z. Users are advised to restrict network access to the device's web interface and monitor for vendor updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.