CVE-2022-33206

Vulnerability

An OS command injection vulnerability exists in the web interface's /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9X and 6.9Z. The key and default_key_id HTTP parameters are unsafely used to construct an OS command at offset 0x19b1f4 of the /root/hpgw binary. This is reminiscent of a previously patched vulnerability (CVE-2020-8105), but the patch in firmware 6.9X did not fully address the issue, leaving these four injection points exploitable. [1]

Exploitation

An attacker must be authenticated to the device's web interface. They can send a specially-crafted HTTP request to /action/wirelessConnect with malicious input in the key or default_key_id parameters. The request triggers command injection, allowing arbitrary OS commands to be executed. No additional user interaction is required beyond authentication. [1]

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary commands on the device with root privileges, leading to full compromise of the iota security kit. This can result in disclosure of sensitive information, modification of device configuration, and potential lateral movement within the network. The CVSSv3 score is 10.0 (Critical). [1]

Mitigation

As of the advisory publication date (October 25, 2022), no patch was available. The vendor was notified, but the status of a fix is not disclosed. Users should restrict network access to the web interface and ensure only trusted users have authentication credentials. The vulnerability is not listed in CISA KEV as of the advisory. [1]