VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-29472

Description

An OS command injection vulnerability exists in the web interface util_set_serial_mac functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An OS command injection in the iota All-In-One Security Kit's web interface allows unauthenticated attackers to execute arbitrary commands.

Vulnerability

An OS command injection vulnerability exists in the util_set_serial_mac function of the Abode Systems iota All-In-One Security Kit firmware versions 6.9X and 6.9Z [1]. The function is reachable via the /action/factorySerialMacPost HTTP endpoint, which does not properly sanitize user-supplied input before using it in a system command. Specially-crafted HTTP requests can inject arbitrary OS commands [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the /action/factorySerialMacPost endpoint without any authentication [1]. The Talos advisory notes that the endpoint can be reached without knowing a username or password by leveraging other vulnerabilities (TALOS-2022-1554) [1]. The attacker needs only network access to the device's web interface; no user interaction is required [1].

Impact

Successful exploitation results in arbitrary command execution on the device with root privileges [1]. The CVSS v3 score is 10.0, the highest possible severity, reflecting high impact on confidentiality, integrity, and availability together with a changed scope, meaning the compromise extends beyond the vulnerable component to the entire system [1].

Mitigation

As of the publication date (2022-10-25), no fixed version has been released by the vendor [1]. Users should restrict network access to the web interface and monitor for vendor updates. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of that date.
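The mitigation above amounts to restricting who can reach the web interface and watching for anyone who reaches the factory endpoint anyway. The following is an added example, not code from the advisory or the vendor, of how a defender might scan the device's HTTP access log for that endpoint. It assumes Common Log Format lines, a management network of 10.0.0.0/24, and a request parameter name (`mac`); all three are constructed assumptions, as are the sample log lines.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Endpoint named in the advisory for CVE-2022-29472.
SENSITIVE_ENDPOINT = "/action/factorySerialMacPost"
# Constructed assumption: the only network that should ever reach the web UI.
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/24")
# Raw and URL-encoded shell metacharacters that break out of a command string.
SHELL_META = re.compile(r"[;&|`$()<>\n]|%(?:3B|26|7C|60|24|28|29|3C|3E|0A)", re.I)
# Common Log Format; assumed here, adjust the pattern to the device's real log layout.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def analyze_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request to the factory endpoint, else None."""
    m = CLF.match(line)
    if not m:
        return None  # not a parseable access-log line
    path = m.group("path")
    if path.split("?", 1)[0] != SENSITIVE_ENDPOINT:
        return None  # some other endpoint, out of scope for this check
    src = ipaddress.ip_address(m.group("src"))
    reasons = []
    if src not in MANAGEMENT_NET:
        reasons.append("source outside management network")
    # A POST body is not in the access log, so only the query string can be
    # inspected here; an out-of-network hit is a finding on its own.
    if SHELL_META.search(path):
        reasons.append("shell metacharacters in request")
    return {
        "ts": m.group("ts"),
        "src": str(src),
        "severity": "high" if reasons else "info",
        "reasons": "; ".join(reasons) or "factory endpoint reached from management network",
    }

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyze_line over a log and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.5 - - [25/Oct/2022:10:00:05 +0000] "POST /action/factorySerialMacPost HTTP/1.1" 200 12',
    '203.0.113.7 - - [25/Oct/2022:10:01:00 +0000] "POST /action/factorySerialMacPost HTTP/1.1" 200 12',
    '203.0.113.7 - - [25/Oct/2022:10:01:02 +0000] "POST /action/factorySerialMacPost?mac=00:11:22:33:44:55;id HTTP/1.1" 200 12',
]
```

Because the endpoint is only legitimately used during manufacturing, any hit is worth a ticket; a hit from outside the management network is the signal that the network restriction has failed.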

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.