CVE-2022-35874
Description
Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Specially-crafted configuration values can lead to memory corruption, information disclosure and denial of service. An attacker can modify a configuration value and then execute an XCMD to trigger these vulnerabilities. This vulnerability arises from format string injection via the ssid and ssid_hex configuration parameters, as used within the testWifiAP XCMD handler.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Format string injections in Abode iota All-In-One Security Kit testWifiAP via ssid/ssid_hex allow memory corruption, info disclosure, and DoS.
Vulnerability
Four format string injection vulnerabilities exist in the testWifiAP XCMD functionality of Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9X and 6.9Z. The vulnerabilities are triggered via the ssid and ssid_hex configuration parameters, which are used unsafely in a variadic log function that passes user-controlled format strings to vsnprintf [1].
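The pattern the advisory describes, a variadic logging wrapper that forwards a configuration value as the format argument of vsnprintf, is reconstructed below next to the form that fixes it and an input check at the configuration boundary. This is an added example written for this page; it is not Abode's firmware code, and the function names, the logging wrapper, the SSID length limits and the rejection of '%' are assumptions chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256

/* Pattern the advisory describes (hypothetical reconstruction, not the vendor's
 * code): a variadic logging wrapper whose format argument is a configuration
 * value. If that value contains directives, vsnprintf interprets them instead of
 * copying them. Kept here only for contrast; never call it with untrusted fmt. */
static int log_unsafe(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);   /* fmt may be attacker-controlled */
    va_end(ap);
    return r;
}

/* Hardened form: the format string is always a literal, and untrusted data only
 * ever travels as a "%s" argument, so directives inside it are copied verbatim. */
static int log_safe(char *out, size_t n, const char *label, const char *value) {
    return snprintf(out, n, "%s: %s", label, value);
}

/* Defensive check at the configuration boundary (an added policy choice, not
 * something the advisory specifies): an IEEE 802.11 SSID is at most 32 bytes,
 * a legitimate SSID never needs a '%', and a hex-encoded SSID (ssid_hex) should
 * be an even-length string of hex digits encoding at most 32 bytes. */
typedef enum { SSID_OK = 0, SSID_TOO_LONG, SSID_HAS_PERCENT, SSID_BAD_HEX } ssid_check;

static ssid_check check_ssid(const char *s) {
    size_t len = strlen(s);
    if (len > 32) return SSID_TOO_LONG;
    if (strchr(s, '%') != NULL) return SSID_HAS_PERCENT;
    return SSID_OK;
}

static ssid_check check_ssid_hex(const char *s) {
    size_t len = strlen(s);
    if (len > 64 || len % 2 != 0) return SSID_BAD_HEX;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        int is_hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
                     (c >= 'A' && c <= 'F');
        if (!is_hex) return SSID_BAD_HEX;
    }
    return SSID_OK;
}

int main(void) {
    char buf[LOG_BUF];
    const char *sample = "%x.%x.%x";    /* constructed sample configuration value */

    log_unsafe(buf, sizeof buf, "boot: %s", "literal format only");
    printf("%s\n", buf);

    /* The same value through the hardened path is copied, not interpreted. */
    log_safe(buf, sizeof buf, "ssid", sample);
    printf("%s\n", buf);

    printf("check_ssid=%d check_ssid_hex=%d\n",
           check_ssid(sample), check_ssid_hex("48656c6c6f"));
    return 0;
}
```

The boundary check is a second, independent layer: even if a future logging call reintroduces a non-literal format, a stored ssid or ssid_hex value can no longer carry a directive into it. Rejecting '%' is a deliberately strict choice that may need relaxing for deployments with unusual SSIDs; the literal-format rule in log_safe is the one that actually removes the bug class.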
Exploitation
An attacker does not require prior authentication (CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and can remotely modify configuration values if they have network access to the device. By setting a crafted ssid or ssid_hex value and then executing the testWifiAP XCMD, the format string payload is processed, leading to memory corruption or information disclosure [1].
Impact
Successful exploitation can result in memory corruption, unauthorized information disclosure (leakage of stack memory), and denial of service due to the format string vulnerability. The CVSSv3.0 base score is 8.2, with high impact on availability and low impact on integrity [1].
Mitigation
As of the publication date (2022-10-25), no patch or fix has been released by Abode Systems, Inc. Users are advised to restrict network access to the iota device and monitor for any configuration changes from untrusted sources. The product may be end-of-life; consult the vendor for further guidance [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2 entries)
- (no CPE) range: =6.9X, =6.9Z
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.