VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-33938

Description

A format string injection vulnerability exists in the ghome_process_control_packet functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted XCMD can lead to memory corruption, information disclosure and denial of service. An attacker can send a malicious XML payload to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection in Abode iota All-In-One Security Kit via malicious XCMD leads to memory corruption, information disclosure, and denial of service.

Vulnerability

A format string injection vulnerability exists in the ghome_process_control_packet function of the Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9X and 6.9Z. The flaw occurs when a specially-crafted XCMD is processed, allowing an attacker to inject format specifiers that are passed to a vsnprintf wrapper function, leading to memory corruption, information disclosure, and denial of service. Attackers can deliver the malicious payload via an XML-based command to the device [1].

Exploitation

The attacker sends a malicious XML payload containing a crafted XCMD to the iota device over the network. No authentication is required (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). The XCMD triggers a format string vulnerability in the device's logging mechanism, where user-controlled input is used as the format argument to vsnprintf, enabling the attacker to read from or write to arbitrary memory locations [1].
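As an added illustration (not code from the advisory, from Abode's firmware, or from the cited reference), the C pattern the advisory describes beside its fix: a hypothetical logging wrapper that hands untrusted text to vsnprintf as the format argument, the hardened variant that pins the format string and passes the text as a `%s` operand, and a small helper a defender can use to flag inbound command payloads that carry conversion specifiers. All function names are assumptions; the sample inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (hypothetical): the caller's string *is* the format.
 * If that string came from an XCMD off the network, the specifiers in it
 * drive vsnprintf, which is the bug class the advisory describes.
 * Only ever call this with a compile-time constant format. */
int log_vuln(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened shape: the format string is fixed and the untrusted text is
 * supplied as a %s argument, so any '%' in it is printed literally. */
int log_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "XCMD: %s", untrusted);
}

/* Detection helper: returns 1 if the payload contains a conversion
 * specifier (any '%' that is not part of the "%%" literal escape),
 * which is a cheap signal for alerting on suspicious XML traffic. */
int has_format_spec(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {      /* "%%" is an escaped literal percent sign */
            p++;
            continue;
        }
        return 1;               /* any other '%' starts a conversion */
    }
    return 0;
}

int main(void)
{
    char buf[128];
    const char *payload = "<xcmd>%x%s</xcmd>";   /* constructed sample */
    log_safe(buf, sizeof buf, payload);
    printf("%s (flagged=%d)\n", buf, has_format_spec(payload));
    return 0;
}
```

In the hardened form the output is the input verbatim, `XCMD: <xcmd>%x%s</xcmd>`, rather than whatever vsnprintf would have read off the stack.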

Impact

Successful exploitation can result in memory corruption, information disclosure (leakage of stack memory), and denial of service. Note that the CVSS vector rates confidentiality impact as none, integrity impact as low, and availability impact as high. The attacker could potentially execute arbitrary code or cause the device to crash [1].

Mitigation

As of the publication date (2022-10-25), no patch is available. The vendor has confirmed the vulnerability in versions 6.9X and 6.9Z. Mitigation options include restricting network access to the iota device and monitoring for unusual XML traffic. The device is not listed on the CISA KEV catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)