VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-33205

Description

Four OS command injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. This vulnerability focuses on the unsafe use of the wpapsk_hex HTTP parameter to construct an OS command at offset 0x19b0ac of the /root/hpgw binary included in firmware 6.9Z.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Four OS command injection flaws in Abode iota All-In-One Security Kit 6.9X and 6.9Z allow authenticated remote attackers to execute arbitrary commands via the `wpapsk_hex` HTTP parameter.

Vulnerability

Four OS command injection vulnerabilities exist in the /action/wirelessConnect web interface functionality of the Abode Systems, Inc. iota All-In-One Security Kit running firmware versions 6.9X and 6.9Z [1]. The flaw specifically resides in the unsafe use of the wpapsk_hex HTTP parameter to construct an OS command at offset 0x19b0ac of the /root/hpgw binary in firmware 6.9Z [1]. The web interface must be enabled and the attacker must have valid credentials to access the wirelessConnect endpoint.

Exploitation

An attacker with network access to the iota device can send a specially-crafted authenticated HTTP request to /action/wirelessConnect containing malicious payloads in the wpapsk_hex parameter [1]. No additional user interaction is required beyond the initial authentication. The input is not properly sanitized before being passed to an OS command execution function.
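The following is an added defensive illustration, not code from the advisory, from Abode, or from the hpgw binary. It shows the generic pattern the description names (a request parameter spliced into a shell command line) next to a hardened version that validates the wpapsk_hex value against a strict allowlist and hands it to the helper as a separate argv element, so no shell ever parses it. It assumes the parameter carries a raw 256-bit WPA2 PSK encoded as exactly 64 hex digits; the helper program name and path are hypothetical, and nothing here executes a command.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A raw WPA2 PSK is 256 bits = 32 bytes = 64 hex digits (assumed format). */
#define WPAPSK_HEX_LEN 64
#define SSID_MAX_LEN   32

/* Allowlist check: returns 1 only if s is exactly 64 hex digits, else 0.
 * Rejecting anything else means shell metacharacters never reach a command. */
int wpapsk_hex_is_valid(const char *s) {
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n != WPAPSK_HEX_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Unsafe pattern (the class of bug the advisory describes): the untrusted
 * parameter is formatted straight into a string destined for a shell.
 * This only builds the string so the reader can inspect it; it never runs it. */
int unsafe_build_cmdline(char *out, size_t outlen,
                         const char *ssid, const char *psk_hex) {
    /* "wifi_helper" is a hypothetical helper name, not the real binary. */
    int n = snprintf(out, outlen, "wifi_helper '%s' %s", ssid, psk_hex);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: validate first, then build a NULL-terminated argv for
 * execve()/posix_spawn() so each value is a single argument, never shell text.
 * Returns 0 on success, -1 if either parameter fails validation. */
int safe_build_argv(const char *argv_out[4], const char *ssid, const char *psk_hex) {
    if (!wpapsk_hex_is_valid(psk_hex)) return -1;
    if (ssid == NULL) return -1;
    size_t slen = strlen(ssid);
    if (slen == 0 || slen > SSID_MAX_LEN) return -1;
    argv_out[0] = "/usr/sbin/wifi_helper";  /* hypothetical path */
    argv_out[1] = ssid;
    argv_out[2] = psk_hex;
    argv_out[3] = NULL;
    return 0;
}

int main(void) {
    /* Constructed sample inputs, not values from the advisory. */
    const char *good = "0123456789abcdef0123456789abcdef"
                       "0123456789abcdef0123456789abcdef";
    const char *bad  = "0123456789abcdef0123456789abcdef"
                       "0123456789abcdef0123456789abcde;";
    char line[256];
    const char *av[4];

    unsafe_build_cmdline(line, sizeof line, "HomeNet", bad);
    printf("unsafe string would be: %s\n", line);   /* metacharacter survives */

    printf("good psk valid=%d, bad psk valid=%d\n",
           wpapsk_hex_is_valid(good), wpapsk_hex_is_valid(bad));
    printf("safe_build_argv(good)=%d, safe_build_argv(bad)=%d\n",
           safe_build_argv(av, "HomeNet", good), safe_build_argv(av, "HomeNet", bad));
    return 0;
}
```

The design point is that the allowlist check and the argv construction are independent layers: even if a future change reintroduces a shell, a value that passed wpapsk_hex_is_valid contains nothing a shell can interpret.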

Impact

Successful exploitation allows an authenticated attacker to achieve arbitrary command execution as the root user on the device [1]. This gives the attacker full control over the iota gateway, including the ability to tamper with security alerts, disable the device, pivot to other devices on the local network, or exfiltrate sensitive data.

Mitigation

Abode Systems released firmware version 6.9Y on April 25, 2022 to address these vulnerabilities, and version 6.9Z was released on May 18, 2022, which further hardened the fix [1]. Users should update their iota All-In-One Security Kit to firmware version 6.9Z or later. The vendor also recommends disabling the local web interface if it is not required, as it can be disabled via the mobile application settings [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)