VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-33194

Description

Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. An XCMD can lead to arbitrary command execution. An attacker can send a sequence of malicious commands to trigger these vulnerabilities. This vulnerability focuses on the unsafe use of the WL_Key and WL_DefaultKeyID configuration values in the function located at offset 0x1c7d28 of firmware 6.9Z, and even more specifically on the command execution occurring at offset 0x1c7f6c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Abode iota All-In-One Security Kit 6.9X and 6.9Z contain OS command injection via the XCMD testWifiAP functionality, allowing unauthenticated remote code execution.

Vulnerability

Multiple OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z. The flaws are due to unsafe use of the WL_Key and WL_DefaultKeyID configuration values in the function at offset 0x1c7d28 of firmware 6.9Z, with command execution occurring at offset 0x1c7f6c. An attacker can send a sequence of malicious XCMD commands to exploit these vulnerabilities [1].

Exploitation

An unauthenticated attacker can send a specially crafted XCMD payload via the XMPP connection (or via UDP/55050 as noted in TALOS-2022-1552) to the iota device. The XCMD must contain a root element with a child specifying the target MAC address and a child with the attack parameters. By injecting OS commands into the WL_Key or WL_DefaultKeyID configuration values, the attacker achieves arbitrary command execution [1].
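The pattern the Vulnerability and Exploitation sections describe, shown as an added example that is not code from the iota firmware, from Abode, or from the advisory: a configuration value is pasted into a command line that a shell parses, beside a hardened form that validates the value and hands it to the program as a separate argv element so the shell never sees it. The helper names, the `wlan_tool` command, the sample values, and the assumption that WL_DefaultKeyID is a single key index 0..3 are all made up for this example; the 8..63 printable-ASCII rule is the WPA passphrase format.

```c
/* Added illustration of the OS-command-injection pattern, with a hardened
 * form. NOT code from the iota firmware or from Abode; "wlan_tool", the
 * function names and the sample values are assumptions for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* Vulnerable shape: WL_Key and WL_DefaultKeyID are formatted into one command
 * string that a shell will parse (system(), popen(), ...). Any shell
 * metacharacter inside either value changes what gets executed.
 * The string is only built here, never run. */
int build_shell_command_unsafe(char *out, size_t outlen,
                               const char *wl_key, const char *wl_default_key_id)
{
    return snprintf(out, outlen, "wlan_tool --key %s --keyid %s",
                    wl_key, wl_default_key_id);
}

/* Hardened form, step 1: validate each value against what it is allowed to
 * be. A WPA passphrase is 8..63 printable ASCII characters; here the default
 * key index is assumed to be one digit 0..3. Validation bounds the value but
 * does not make it shell-safe (';' is printable), so step 2 is still needed. */
bool wifi_key_is_valid(const char *key)
{
    size_t n = strlen(key);
    if (n < 8 || n > 63)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)key[i];
        if (c < 0x20 || c > 0x7e)
            return false;
    }
    return true;
}

bool key_id_is_valid(const char *id)
{
    return strlen(id) == 1 && id[0] >= '0' && id[0] <= '3';
}

/* Hardened form, step 2: never route the values through a shell. Build an
 * argv array for execve()/posix_spawn(); each value is exactly one argument,
 * so a ';' or '`' inside it is data, not a command separator.
 * Returns the argument count, or -1 if a value fails validation. */
int build_argv_safe(char *argv[MAX_ARGS],
                    const char *wl_key, const char *wl_default_key_id)
{
    if (!wifi_key_is_valid(wl_key) || !key_id_is_valid(wl_default_key_id))
        return -1;
    int argc = 0;
    argv[argc++] = "wlan_tool";
    argv[argc++] = "--key";
    argv[argc++] = (char *)wl_key;
    argv[argc++] = "--keyid";
    argv[argc++] = (char *)wl_default_key_id;
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    /* Constructed sample values: a passphrase that contains a shell
     * metacharacter but is a perfectly legal WPA key. */
    const char *key = "a;b c d e f";
    char buf[128];
    char *argv[MAX_ARGS];

    build_shell_command_unsafe(buf, sizeof buf, key, "1");
    printf("unsafe command string: %s\n", buf);

    int argc = build_argv_safe(argv, key, "1");
    printf("safe argv (%d args), argv[2] = \"%s\"\n", argc, argv[2]);
    return 0;
}
```

In the hardened path the shell is removed entirely; the validation only rejects values that cannot be a passphrase or a key index, and the argv array is what keeps a metacharacter inside a legitimate key from ever being interpreted.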

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the iota gateway with root privileges. This leads to complete compromise of confidentiality, integrity, and availability (CIA) of the device, including potential access to connected sensors and cloud communication [1].

Mitigation

As of the publication date (2022-10-25), no fix has been released by the vendor. The vulnerable versions 6.9X and 6.9Z are confirmed affected. Users should monitor for firmware updates from Abode Systems and restrict network access to the iota device (especially UDP/55050) until a patch is available [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.