VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-27805

Description

An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authentication bypass in the Abode iota All-In-One Security Kit allows remote attackers to execute arbitrary commands via a specially crafted XML payload.

Vulnerability

An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z. The device accepts commands received over an XMPP channel without proper authentication, on the assumption that anything arriving over the secure connection is trustworthy. This allows an attacker to execute arbitrary XCMD commands by sending a specially crafted network request containing a malicious XML payload [1].

Exploitation

An attacker can exploit this vulnerability by sending a malicious XML payload over the network to the iota device via the XMPP channel. No authentication or user interaction is required. The attack complexity is low, and the attacker needs network access to reach the device [1].

Impact

Successful exploitation leads to arbitrary command execution on the device with root privileges, resulting in full compromise of confidentiality, integrity, and availability (CIA). The attacker gains complete control over the iota All-In-One Security Kit [1].

Mitigation

As of the publication date (2022-10-25), no patched version has been released by Abode Systems, Inc. Users are advised to monitor for firmware updates. There are no known workarounds. The vulnerability is not listed on the CISA KEV catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
