CVE-2022-35877
Description
Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Specially-crafted configuration values can lead to memory corruption, information disclosure and denial of service. An attacker can modify a configuration value and then execute an XCMD to trigger these vulnerabilities. This vulnerability arises from format string injection via the default_key_id configuration parameter, as used within the testWifiAP XCMD handler.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Format string injection in Abode iota All-In-One Security Kit via `default_key_id` parameter leads to memory corruption, info disclosure, and DoS.
Vulnerability
The Abode Systems iota All-In-One Security Kit versions 6.9X and 6.9Z contain a format string injection vulnerability in the testWifiAP XCMD handler. The default_key_id configuration parameter is used as a format string argument within the log function, which calls vsnprintf. An attacker who can modify configuration values can inject arbitrary format specifiers, leading to memory corruption and information disclosure [1].
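The pattern the advisory describes, as an added illustration that is not code from the advisory, Talos or the vendor: a logging wrapper that forwards to vsnprintf, the unsafe way of letting a configuration value reach its format slot, the hardened form that keeps the format a literal and passes the value as a `%s` argument, and a boundary check that refuses to store values carrying conversion specifiers. Function names, the buffer size and the length limit are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 128

/* Hypothetical stand-in for the device's log wrapper. Like the one the
 * advisory describes, it hands its format to vsnprintf, so whatever reaches
 * the fmt slot is parsed for conversion specifiers. */
static void fw_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the configuration value is folded into the format
 * string itself, so any '%' sequence in it is interpreted by vsnprintf. */
const char *log_key_id_unsafe(const char *default_key_id)
{
    static char out[LOG_BUF];
    char fmt[LOG_BUF];
    snprintf(fmt, sizeof fmt, "testWifiAP: default_key_id=%s", default_key_id);
    fw_log(out, sizeof out, fmt);   /* only well-defined if the value has no '%' */
    return out;
}

/* Hardened pattern: the format is a compile-time literal and the
 * configuration value is only ever a %s argument, so its '%' bytes are
 * copied verbatim instead of being interpreted. */
const char *log_key_id_safe(const char *default_key_id)
{
    static char out[LOG_BUF];
    fw_log(out, sizeof out, "testWifiAP: default_key_id=%s", default_key_id);
    return out;
}

/* Defence in depth at the configuration boundary: reject values that carry
 * conversion specifiers before they are stored. The 32-byte limit is an
 * assumed value, not one taken from the firmware. */
int key_id_value_acceptable(const char *value)
{
    if (value == NULL || strlen(value) > 32)
        return 0;
    return strchr(value, '%') == NULL;
}
```

On a benign value both logging paths produce the same line; the difference only shows once a value contains a specifier, which is exactly the case the hardened path renders literally and the boundary check refuses.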
Exploitation
An attacker with network access (no authentication required) can modify the default_key_id configuration value, then trigger the testWifiAP XCMD. The crafted value is passed as a format string, allowing the attacker to read and write arbitrary memory. The vulnerability can be exploited without user interaction [1].
Impact
Successful exploitation can lead to memory corruption, information disclosure, and denial of service. The CVSS v3 score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating high availability impact and low integrity impact. An attacker may be able to leak stack memory and cause device crashes [1].
Mitigation
As of the publication date, no software update has been released to fix this vulnerability. Users should restrict network access to the iota device and monitor for suspicious activity. The vendor has been notified via Talos [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 products: 6.9X, 6.9Z, + 1 more
- (no CPE) range: 6.9X, 6.9Z
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.