CVE-2022-29477
Description
An authentication bypass vulnerability exists in the web interface /action/factory* functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP header can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Abode iota All-In-One Security Kit web interface contains an authentication bypass via a specially-crafted HTTP header, allowing unauthenticated attackers to access factory endpoints.
Vulnerability
An authentication bypass vulnerability exists in the web_auth_check function of the local web interface on Abode Systems iota All-In-One Security Kit versions 6.9X and 6.9Z [1]. The vulnerability affects the /action/factory* endpoints, which rely on a hard-coded HTTP header for authentication instead of proper credentials [1]. The web server must be enabled by setting the WebServerEnable configuration parameter, but remote attackers can enable it using related vulnerabilities (TALOS-2022-1552 or TALOS-2022-1553) [1].
Exploitation
An unauthenticated attacker with network access to the device can trigger the bypass by sending an HTTP request containing a specially-crafted header that is accepted by the web_auth_check function [1]. No authentication or user interaction is required if the web server is enabled; if disabled, exploitation requires first enabling the web server via one of the two linked vulnerabilities [1]. The attack complexity is low and can be performed over the network [1].
Impact
Successful exploitation allows an attacker to bypass authentication and access factory endpoints on the web interface [1]. Depending on the functionality of those endpoints, this could lead to disclosure of sensitive device information, modification of device settings, or a high impact on availability (CVSSv3.0 score 8.6, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H) [1]. The compromise is at the level of the web application, potentially providing control over factory-reset or other privileged operations.
Mitigation
As of the publication date (2022-10-25), no patched firmware version has been released by Abode Systems [1]. Until a fix is available, users should ensure the local web interface remains disabled (WebServerEnable set to false) and block network access to port 8080/TCP from untrusted networks [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected: 6.9X, 6.9Z (+1 more)
- (no CPE) range: 6.9X, 6.9Z
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.