VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-35875


Description

Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Specially-crafted configuration values can lead to memory corruption, information disclosure and denial of service. An attacker can modify a configuration value and then execute an XCMD to trigger these vulnerabilities. This vulnerability arises from format string injection via the wpapsk configuration parameter, as used within the testWifiAP XCMD handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection in Abode iota testWifiAP via wpapsk parameter allows memory corruption, info disclosure, and DoS.

Vulnerability

A format string injection vulnerability exists in the testWifiAP XCMD handler of the Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z [1]. The flaw is triggered when specially-crafted configuration values are supplied via the wpapsk configuration parameter, which is then used as the format argument to a logging function that wraps vsnprintf. This allows an attacker to control the format string and perform arbitrary read/write operations on stack memory [1].
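The pattern described above, shown next to its fix, as an added example that is not Abode's firmware code. The names `log_msg`, `log_psk_unsafe`, `log_psk_safe` and `needs_review` are hypothetical, and the sample value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a logging helper that wraps vsnprintf.
 * Formats into `out` and returns the length vsnprintf reports. */
static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the stored value IS the format string, so every
 * conversion specification inside it is interpreted by vsnprintf. */
static int log_psk_unsafe(char *out, size_t n, const char *wpapsk)
{
    return log_msg(out, n, wpapsk);
}

/* Hardened pattern: constant format, value passed only as "%s" data. */
static int log_psk_safe(char *out, size_t n, const char *wpapsk)
{
    return log_msg(out, n, "%s", wpapsk);
}

/* Audit helper: flag stored values containing '%' for review. A real
 * passphrase may legitimately contain '%', so this is a review signal,
 * not a substitute for the constant-format fix above. */
static int needs_review(const char *value)
{
    return strchr(value, '%') != NULL;
}

int main(void)
{
    /* Constructed sample. "%%" is a well-defined directive that consumes
     * no argument, so it shows interpretation without undefined behaviour. */
    const char *sample = "pass100%%";
    char a[64], b[64];
    log_psk_unsafe(a, sizeof a, sample);
    log_psk_safe(b, sizeof b, sample);
    printf("unsafe: %s\nsafe:   %s\nreview=%d\n", a, b, needs_review(sample));
    return 0;
}
```

The unsafe path collapses `%%` to `%`, which proves the value was parsed as a format; the safe path logs it byte for byte. Declaring the wrapper with the GCC/Clang `format(printf, ...)` function attribute lets `-Wformat-security` flag call sites like the unsafe one at build time.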

Exploitation

An attacker with network access to the device can modify the wpapsk configuration value without requiring authentication, according to the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) [1]. After setting the malicious configuration, the attacker must trigger the testWifiAP XCMD to execute the vulnerable code path, which will call the logging function with the attacker-controlled format string [1].

Impact

Successful exploitation can lead to memory corruption, information disclosure (leaking stack memory), and denial of service [1]. The CVSSv3 score is 8.2, with impacts to integrity (low) and availability (high); confidentiality is not directly impacted per the score, though information disclosure is noted in the description [1].

Mitigation

Abode Systems, Inc. has not released a patched version as of the publication date (2022-10-25); no workaround is documented in the available references [1]. Affected users should monitor vendor advisories for updates.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
