CVE-2022-35876

Vulnerability

Four format string injection vulnerabilities exist in the testWifiAP XCMD functionality of the Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z. The bug is located in a logging wrapper function that uses vsnprintf with a format string that an attacker can partially control via the default_key_id and key configuration parameters. When the device generates a log message using these values as part of the format argument, specially-crafted content can lead to memory corruption, information disclosure, or denial of service [1].

Exploitation

An attacker must be able to modify a configuration value (specifically default_key_id or key) and then trigger the testWifiAP XCMD command. No authentication is required to reach the vulnerable code path according to the CVSS vector (AV:N/AC:L/PR:N/UI:N). By injecting format string specifiers (e.g., %x, %n) into the configuration values, the attacker influences the format argument passed to the internal logging function, causing arbitrary read or write operations on the stack or heap [1].

Impact

Successful exploitation can result in memory corruption, information disclosure (leaking stack or heap data), and denial of service due to crashes. The disclosed information may include sensitive data such as cryptographic keys or other device secrets. The overall impact is rated with a CVSSv3 score of 8.2 (High), with a partial loss of integrity (C:N/I:L/A:H) and no requirement for user interaction [1].

Mitigation

As of the publication date (October 25, 2022), no fixed version has been publicly released. The vendor was informed via the TALOS-2022-1581 report; users should monitor for firmware updates addressing the format string vulnerabilities. No workarounds are described in the available references. If no patch becomes available, impacted devices remain vulnerable to exploitation [1].