CVE-2022-33193
Description
Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. An XCMD can lead to arbitrary command execution. An attacker can send a sequence of malicious commands to trigger these vulnerabilities. This vulnerability specifically focuses on the unsafe use of the WL_WPAPSK configuration value in the function located at offset 0x1c7d28 of firmware 6.9Z.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can exploit OS command injection in the Abode iota All-In-One Security Kit to execute arbitrary commands.
Vulnerability
Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of the Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9X and 6.9Z. The vulnerability specifically focuses on the unsafe use of the WL_WPAPSK configuration value in the function located at offset 0x1c7d28 of firmware 6.9Z. The device receives XCMDs via an XMPP connection, and a service on UDP/55050 allows unauthenticated access to execute these XCMDs [1].
Exploitation
An attacker can send a sequence of malicious commands over the network to the iota device without authentication. The attack requires no user interaction and can be executed remotely. The attacker sends a crafted XCMD payload targeting the testWifiAP function, including a malicious WL_WPAPSK parameter that injects OS commands [1].
Impact
Successful exploitation leads to arbitrary OS command execution with root privileges. The attacker can fully compromise the device, achieving complete loss of confidentiality, integrity, and availability (CIA). The scope is changed as the attacker can impact resources beyond the vulnerable component, potentially using the device as a pivot point [1].
Mitigation
As of the publication date of the advisory (2022-10-25), no fixed version has been released by the vendor. The vulnerabilities affect firmware versions 6.9X and 6.9Z. Users should monitor vendor updates for a patch. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
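The bug class behind this CVE is a configuration value (here WL_WPAPSK) being handed to a shell as part of a command line. The following is an added illustration, not Abode's firmware code: it contrasts the unsafe pattern (interpolating the PSK into a command string destined for `system()`) with a hardened one (validating the PSK against the IEEE 802.11 format and passing it as a single `argv` element to `execv`, so no shell ever parses it). The helper path `/usr/sbin/wifi_test` and the function names are assumptions for the example. Note that format validation alone is not enough: a legitimate WPA passphrase may contain shell metacharacters, so the decisive fix is avoiding the shell.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper binary for the example; a real firmware has its own. */
#define WIFI_TEST_BIN "/usr/sbin/wifi_test"

/* Validate a WPA-PSK per IEEE 802.11: 8..63 printable ASCII characters,
 * or exactly 64 hex digits (the raw 256-bit PSK). */
bool wl_wpapsk_is_valid(const char *psk)
{
    if (psk == NULL)
        return false;
    size_t n = strlen(psk);
    if (n == 64) {
        for (size_t i = 0; i < n; i++)
            if (!isxdigit((unsigned char)psk[i]))
                return false;
        return true;
    }
    if (n < 8 || n > 63)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)psk[i];
        if (c < 0x20 || c > 0x7e)
            return false;
    }
    return true;
}

/* UNSAFE pattern (shown for contrast, never executed here): the PSK is
 * interpolated into one string that system() would pass to /bin/sh -c,
 * so any shell metacharacter inside it is interpreted by the shell. */
int build_shell_cmdline_unsafe(char *out, size_t outsz,
                               const char *ssid, const char *psk)
{
    return snprintf(out, outsz, "%s %s %s", WIFI_TEST_BIN, ssid, psk);
}

/* SAFE pattern: each untrusted value becomes exactly one argv element.
 * Returns 0 on success, -1 if the PSK fails format validation. */
int build_argv_safe(const char *argv[4], const char *ssid, const char *psk)
{
    if (!wl_wpapsk_is_valid(psk))
        return -1;
    argv[0] = WIFI_TEST_BIN;
    argv[1] = ssid;
    argv[2] = psk;
    argv[3] = NULL;
    return 0;
}

/* Run the helper with fork/execv: no shell is involved, so the PSK is
 * delivered to the helper byte-for-byte as a single argument. */
int run_wifi_test(const char *ssid, const char *psk)
{
    const char *argv[4];
    if (build_argv_safe(argv, ssid, psk) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The SSID is untrusted input as well and should get its own length and character-set check before use; it is left to the caller here to keep the example focused on the PSK path the CVE names.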
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries: 6.9X, 6.9Z (+1 more)
- (no CPE) range: 6.9X, 6.9Z
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.