VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-35244

Description

A format string injection vulnerability exists in the XCMD getVarHA functionality of abode systems, inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted XCMD can lead to memory corruption, information disclosure, and denial of service. An attacker can send a malicious XML payload to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection in abode iota security kit allows memory corruption, info disclosure, and DoS via malicious XCMD payload.

Vulnerability

A format string injection vulnerability exists in the getVarHA functionality of abode systems, inc. iota All-In-One Security Kit versions 6.9X and 6.9Z [1]. It is triggered by a specially-crafted XCMD (command message) whose XML payload contains printf-style format directives. XCMDs are processed by the device's hpgw application; they can arrive over the device's XMPP connection or over UDP port 55050, which accepts commands without authentication [1].

Exploitation

An attacker who can reach the UDP service on port 55050 (or the XMPP channel, where accessible) can deliver the malicious XML payload to the device without authenticating [1]. The XCMD must carry a root element, a child element holding the target device's MAC address, and a command child whose name attribute is set to getVarHA, with the format string placed in the payload [1]. The vulnerable function then uses that attacker-controlled string as a format string. As with any bug of this class, %x- and %s-style directives read stack or heap contents the attacker did not supply (information disclosure), %n writes to memory (memory corruption), and directives that dereference garbage pointers crash the hpgw process (denial of service).
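The following C program is an added illustration for this page, not code from the advisory or from abode's hpgw firmware. It reduces the bug class to its essentials: a hypothetical getVarHA handler that hands the attacker-controlled payload string to snprintf() as the format argument, the one-token fix, and a pre-dispatch check that counts conversion specifications and flags %n. The handler name and the choice of snprintf() are assumptions standing in for whatever printf-family call processes the real payload; the XCMD XML framing is omitted, and the functions take the string that would reach the formatter after XML parsing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Example code added for this page, not abode's hpgw firmware. The handler
 * name and the use of snprintf() are assumptions that stand in for whatever
 * printf-family call processes the getVarHA payload. The functions take the
 * string that would reach the formatter after the XCMD XML has been parsed. */

/* -Wformat-security is exactly the compiler warning that flags this bug;
 * it is silenced here only so the vulnerable variant builds for the demo. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* CWE-134: attacker-controlled payload used as the format string. With no
 * variadic arguments behind it, every conversion reads (or, with %n, writes)
 * whatever happens to be on the stack. Only "%%" is safe to pass here in a
 * test; any other directive is undefined behaviour. */
int getvarha_vulnerable(const char *payload, char *out, size_t outlen)
{
    return snprintf(out, outlen, payload);
}

/* The fix: the payload is data, so it goes through a constant "%s" format. */
int getvarha_fixed(const char *payload, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", payload);
}

/* Defensive check for code that cannot yet be fixed at the call site:
 * count printf conversion specifications in an untrusted string and report
 * whether any is "%n", the directive that turns a read primitive into a write. */
int count_format_directives(const char *s, bool *writes_memory)
{
    int count = 0;
    *writes_memory = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%" is a literal percent, not a conversion */
            continue;
        if (*p == '\0')             /* dangling '%' at end of string */
            break;
        /* skip flags, width, precision, '*', positional "$" and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        count++;                    /* *p is the conversion character */
        if (*p == 'n')
            *writes_memory = true;
    }
    return count;
}

int main(void)
{
    char out[64];
    bool writes;
    int n;

    /* Constructed payloads standing in for the getVarHA variable name. */
    const char *benign = "100%% done";
    const char *probe  = "%x.%x.%x.%x";   /* classic stack-leak probe */
    const char *writer = "%8x%8x%n";      /* would write to memory */

    getvarha_vulnerable(benign, out, sizeof out);
    printf("vulnerable: '%s' -> '%s'  (format was interpreted)\n", benign, out);
    getvarha_fixed(benign, out, sizeof out);
    printf("fixed:      '%s' -> '%s'  (copied verbatim)\n", benign, out);

    n = count_format_directives(probe, &writes);
    printf("directives in probe:  %d (writes=%d)\n", n, writes);
    n = count_format_directives(writer, &writes);
    printf("directives in writer: %d (writes=%d)\n", n, writes);
    return 0;
}
```

The "%%" test input is the one format directive that can be fed to the vulnerable variant deterministically: it collapses to a single "%" only when the string is interpreted as a format, so a differing output between the two handlers is proof that the payload reached the formatter as a format argument. The directive counter is a stopgap for filtering at the XCMD dispatcher; the real fix is the constant "%s" format.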

Impact

Successful exploitation can lead to memory corruption, information disclosure, and denial of service [1]. The advisory's CVSS score of 9.8 reflects a critical impact on confidentiality, integrity, and availability: the memory writes a format string bug affords may allow arbitrary code execution, and at minimum an attacker can crash the device [1].

Mitigation

As of the advisory publication date (October 2022), the vendor abode systems had been contacted but had not provided a fix [1]. Users should limit network exposure by blocking UDP port 55050 from untrusted networks, restricting access to the XMPP interface, and monitoring for firmware updates from the vendor [1]. No patched version is known to have been released.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.