CVE-2022-30541
Description
An OS command injection vulnerability exists in the XCMD setUPnP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially crafted XCMD can lead to arbitrary command execution. An attacker can send a malicious XML payload to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Abode iota All-In-One Security Kit's setUPnP XCMD allows unauthenticated remote attackers to execute arbitrary commands.
Vulnerability
The setUPnP XCMD in the Abode Systems iota All-In-One Security Kit (versions 6.9X and 6.9Z) fails to properly sanitize user-supplied input, leading to an OS command injection vulnerability (CWE-78). The device processes XCMDs received over XMPP or via an unauthenticated UDP service on port 55050. A specially crafted XML payload containing the setUPnP command can inject arbitrary operating system commands. [1]
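The root cause named above is CWE-78: a value taken from the XCMD is handed to the operating system without validation. The following Python is an added illustration of the standard fix pattern and is not Abode's code; the real setUPnP parameters are not documented on this page, so the parameter names (a state toggle and a port), the helper binary path and the allowed values are assumptions. The two defences it shows are an exact-match allowlist on every field and an argv list passed to the OS without a shell, so there is no command line for metacharacters to alter.

```python
import re
import subprocess
from typing import List

# Hypothetical allowlist for a UPnP toggle and port. These names and values are
# assumptions for illustration; the device's actual XCMD fields are not on the page.
ALLOWED_STATES = {"enable", "disable"}
_PORT_RE = re.compile(r"^\d{1,5}$")
UPNP_HELPER = "/usr/sbin/upnp-helper"  # hypothetical helper binary


class InvalidParameter(ValueError):
    """Raised when an XCMD field is not on the allowlist."""


def validate_state(state: str) -> str:
    # Exact-match allowlist: anything other than the known values is rejected,
    # so a value such as "enable; reboot" never reaches the OS.
    if state not in ALLOWED_STATES:
        raise InvalidParameter(f"unexpected state value: {state!r}")
    return state


def validate_port(port: str) -> int:
    # Digits only, then a range check. "8080 && id" fails the regex outright.
    if not _PORT_RE.match(port):
        raise InvalidParameter(f"port is not numeric: {port!r}")
    value = int(port)
    if not 1 <= value <= 65535:
        raise InvalidParameter(f"port out of range: {value}")
    return value


def build_upnp_argv(state: str, port: str) -> List[str]:
    # The CWE-78 pattern to avoid is formatting the fields into one string and
    # running it through a shell (system("... " + state)). Here each validated
    # field becomes its own argv element instead; with shell=False no shell ever
    # parses the values, so injection has nothing to act on.
    return [UPNP_HELPER, "--state", validate_state(state),
            "--port", str(validate_port(port))]


def is_valid_request(state: str, port: str) -> bool:
    # Convenience check a request handler can call before doing any work.
    try:
        build_upnp_argv(state, port)
    except InvalidParameter:
        return False
    return True


def run_upnp(state: str, port: str) -> subprocess.CompletedProcess:
    # shell=False is the default, spelled out here because it is the point.
    return subprocess.run(build_upnp_argv(state, port), shell=False, check=False)


if __name__ == "__main__":
    print(build_upnp_argv("enable", "1900"))
    print(is_valid_request("enable; id", "1900"))  # False: rejected by the allowlist
```

Validation on its own is not the whole fix: an allowlist that is later concatenated into a shell string can still be bypassed if the allowlist is widened. Keeping both halves, strict validation and no shell, is what removes the injection class rather than one payload.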
Exploitation
An unauthenticated attacker with network access to the iota device can exploit this vulnerability by sending a malicious XML payload to UDP port 55050. The payload must include the setUPnP XCMD with injected OS commands. No user interaction or prior authentication is required. The device executes the injected commands with the privileges of the hpgw application. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the iota device, leading to full compromise. This can result in disclosure of sensitive information, modification of device configuration, or use of the device as a pivot point within the network. The CVSSv3 score is 10.0 (Critical) with network attack vector, low complexity, and no required privileges or user interaction. [1]
Mitigation
As of the publication date of the advisory (October 25, 2022), no patch or firmware update has been released by Abode Systems to address this vulnerability. Users are advised to restrict network access to the iota device, particularly UDP port 55050, and monitor for any vendor updates. The affected versions 6.9X and 6.9Z remain vulnerable. [1]
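With no vendor patch available, the practical controls are the two the advisory names: block UDP port 55050 from everything except a management subnet, and watch for anything that still reaches it. The script below is an added example of the monitoring half, not part of the advisory or any vendor tooling. It runs a simple detection over constructed flow-log lines (the five-field line format and the 192.168.10.0/24 trusted subnet are assumptions) and raises an alert for every UDP flow to the unauthenticated XCMD port from a source outside the trusted range; the same predicate is what the corresponding firewall rule should be dropping.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Port and protocol come from the advisory; the trusted subnet is an assumption
# standing in for whatever management network the iota device should only hear from.
IOTA_XCMD_PORT = 55050
TRUSTED_SOURCES = [ipaddress.ip_network("192.168.10.0/24")]


@dataclass
class Alert:
    src: str
    dst: str
    reason: str


def parse_flow(line: str) -> dict:
    # Constructed flow-log format (assumed, not a real exporter's syntax):
    #   "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>"
    proto, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(nbytes)}


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def detect_xcmd_exposure(lines: Iterable[str]) -> List[Alert]:
    # One alert per UDP flow that reached the XCMD port from outside the trusted
    # subnet. TCP flows and other UDP ports are ignored; a broader policy would
    # flag any unexpected inbound traffic to the device.
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "udp" or flow["dst_port"] != IOTA_XCMD_PORT:
            continue
        if is_trusted(flow["src_ip"]):
            continue
        alerts.append(Alert(
            src=flow["src_ip"], dst=flow["dst_ip"],
            reason=f"untrusted source reached unauthenticated XCMD port udp/{IOTA_XCMD_PORT}",
        ))
    return alerts


# Constructed sample flows: one trusted client, one untrusted internal host,
# one documentation-range address, and two flows that should not match.
SAMPLE_FLOWS = [
    "udp 192.168.10.5:41000 -> 192.168.10.20:55050 312",
    "udp 192.168.50.7:53022 -> 192.168.10.20:55050 290",
    "udp 203.0.113.8:60001 -> 192.168.10.20:55050 415",
    "tcp 192.168.50.7:53023 -> 192.168.10.20:55050 120",
    "udp 192.168.50.7:53024 -> 192.168.10.20:53 70",
]

if __name__ == "__main__":
    for alert in detect_xcmd_exposure(SAMPLE_FLOWS):
        print(f"ALERT {alert.src} -> {alert.dst}: {alert.reason}")
```

Expect two alerts from the sample set (the 192.168.50.7 and 203.0.113.8 sources). Because the XCMD service requires no authentication, the source address is the only thing standing between a sender and command execution on the device, which is why the detection keys on source rather than on payload content.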
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 6.9X, 6.9Z
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.