CVE-2022-33204

Vulnerability

An OS command injection vulnerability exists in the web interface /action/wirelessConnect of Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9X and 6.9Z. The flaw is specifically located at offset 0x19afc0 of the /root/hpgw binary, where the ssid_hex HTTP parameter is unsafely used to construct an operating system command [1]. This vulnerability is similar to CVE-2020-8105, which was reportedly patched in firmware 6.9X, but the patch appears incomplete as the new injection point was discovered [1].

Exploitation

An attacker must have network access to the device and be able to send authenticated HTTP requests to the /action/wirelessConnect endpoint. By supplying a specially-crafted ssid_hex parameter containing shell metacharacters, the attacker can inject arbitrary OS commands, which are then executed with root privileges [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands as root on the device. This can lead to full compromise of the security kit, including unauthorized access to sensitive data, modification of device settings, and potential use as a pivot point within the local network [1]. The CVSS score of 10.0 reflects the critical nature of the vulnerability.

Mitigation

As of the publication date, no official patch has been released by Abode Systems to address CVE-2022-33204. The vendor previously released firmware 6.9X to fix CVE-2020-8105, but the new injection vector remains unaddressed. Users are advised to restrict network access to the device and monitor for future firmware updates [1].