VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-32574

Description

A double-free vulnerability exists in the web interface /action/ipcamSetParamPost functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to memory corruption. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free in Abode iota's web interface /action/ipcamSetParamPost allows authenticated attackers to trigger memory corruption, leading to denial of service.

Vulnerability

A double-free vulnerability (CWE-415) exists in the /action/ipcamSetParamPost functionality of the local web interface on Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9X and 6.9Z. The flaw is in the function web_ipcam_set_param_post at offset 0x1BCCEC in the /root/hpgw binary. This code path is reachable only when the WebServerEnable configuration parameter is enabled; it is disabled by default. The attacker must hold valid credentials for the web interface to issue the vulnerable request [1].

Exploitation

An authenticated attacker sends a crafted HTTP POST request to /action/ipcamSetParamPost. A request whose parameters reach the faulty path causes the handler to release the same heap allocation twice, corrupting allocator state. No special network position is needed beyond reaching the device's local web interface on the LAN. The web server must be enabled; if it is not, the cited advisory notes that other vulnerabilities (e.g., TALOS-2022-1552 or TALOS-2022-1553) can be used to enable it [1]. No victim interaction is required; the only precondition on the attacker's side is valid web-interface credentials.
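The bug class described above, as an added example that is not code from Abode's hpgw binary or from the cited advisory: a hypothetical parameter-setting handler written in the vulnerable shape (one buffer released in an error branch and again at a shared cleanup label) beside its hardened form. A small tracking allocator, also written for this example, counts the second free instead of letting the real allocator abort, so the behaviour can be observed in a normal process. The function names, the "key=value" body format and the 64-character value limit are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 32
#define MAX_VALUE_LEN 64   /* hypothetical limit on a parameter value */

/* Tracking allocator written for this example: it remembers live blocks so
 * a second free of the same pointer is counted instead of corrupting the
 * real heap and aborting the process. */
static void *live_blocks[MAX_TRACKED];
static int double_free_count;

static void *t_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!live_blocks[i]) { live_blocks[i] = p; return p; }
    free(p);               /* no tracking slot: refuse rather than lose track */
    return NULL;
}

static void t_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return; }
    double_free_count++;   /* p is not live: this is a double free (CWE-415) */
}

/* Vulnerable shape: copy the value of a "key=value" parameter into a heap
 * buffer, free it in the validation-failure branch, then fall into a common
 * cleanup label that frees it again. An empty or oversized value reaches it. */
static int set_param_vulnerable(const char *body)
{
    const char *eq = strchr(body, '=');
    if (!eq) return -1;
    char *value = t_alloc(strlen(eq + 1) + 1);
    if (!value) return -1;
    strcpy(value, eq + 1);                 /* buffer was sized from the input */
    int rc = 0;
    size_t len = strlen(value);
    if (len == 0 || len > MAX_VALUE_LEN) {
        t_free(value);                     /* first free ... */
        rc = -1;
        goto cleanup;                      /* ... then cleanup frees it again */
    }
    /* The parameter would be applied to the camera here (omitted). */
cleanup:
    t_free(value);                         /* second free on the error path */
    return rc;
}

/* Hardened shape: one owner, one release point. The error branch only sets
 * the return code; the buffer is released exactly once and the pointer is
 * nulled, so an accidental extra t_free() would be a harmless no-op. */
static int set_param_fixed(const char *body)
{
    const char *eq = strchr(body, '=');
    if (!eq) return -1;
    char *value = t_alloc(strlen(eq + 1) + 1);
    if (!value) return -1;
    strcpy(value, eq + 1);
    int rc = 0;
    size_t len = strlen(value);
    if (len == 0 || len > MAX_VALUE_LEN) { rc = -1; goto cleanup; }
    /* The parameter would be applied to the camera here (omitted). */
cleanup:
    t_free(value);
    value = NULL;
    return rc;
}

/* Runs one request body through the chosen handler and returns how many
 * double frees the tracking allocator observed during that call. */
int double_frees_for(const char *body, int use_fixed)
{
    int before = double_free_count;
    if (use_fixed)
        set_param_fixed(body);
    else
        set_param_vulnerable(body);
    return double_free_count - before;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    printf("vulnerable, valid value: %d\n", double_frees_for("brightness=50", 0));
    printf("vulnerable, empty value: %d\n", double_frees_for("brightness=", 0));
    printf("fixed, empty value:      %d\n", double_frees_for("brightness=", 1));
    return 0;
}
```

Build with any C99 compiler and run. With the real allocator instead of the tracking one, the same vulnerable call aborts on a glibc host because the allocator detects the repeated free, which is the denial-of-service outcome the advisory describes; an embedded libc without that check may instead leave corrupted heap metadata behind, which is why the vector scores availability rather than confidentiality or integrity.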

Impact

Successful exploitation corrupts heap state through the double free. The CVSSv3 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) assigns no confidentiality or integrity impact and a high availability impact: the expected outcome is a denial of service, with the handling process (/root/hpgw) crashing or the device becoming unstable until it is rebooted [1]. Note that PR:N in this vector does not match the authentication requirement stated in the description and in the cited advisory; when assessing exposure, treat the flaw as requiring credentials.

Mitigation

As of the publication date (2022-10-25), Abode Systems, Inc. had announced no firmware update or patch for this vulnerability, and firmware versions 6.9X and 6.9Z remain affected. The workaround is to keep the local web interface disabled (WebServerEnable set to false), since the vulnerable code path is reachable only when the web server is enabled. Where the web server must stay on, restrict which hosts can reach it and use unique credentials for it, because exploitation requires an authenticated session. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)