VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-35878

Description

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities. This vulnerability arises from format string injection via ST and Location HTTP response headers, as used within the DoEnumUPnPService action handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection in UPnP logging of Abode iota Security Kit allows memory corruption, info disclosure, and DoS via malicious UPnP service.

Vulnerability

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9Z and 6.9X. The flaw resides in the DoEnumUPnPService action handler, where the values of the ST and Location HTTP response headers are used directly as the format string of the device's logging function instead of being passed as a "%s" argument. Any conversion specifier an attacker places in those header values is therefore interpreted by the logger: "%x"/"%p" read values off the stack (information disclosure), "%n" writes to memory (memory corruption), and malformed or excessive conversions can crash the logging code (denial of service) [1].

Exploitation

An attacker must be on the same local network as the target iota device and host a malicious UPnP service. When the iota device performs UPnP device enumeration it multicasts an SSDP M-SEARCH request; the attacker's service answers with a crafted HTTP/1.1 200 OK discovery response whose ST or Location headers carry format string payloads. The device's logging function processes these header values as format strings, triggering the vulnerability. No authentication is required, and no user interaction is needed beyond normal UPnP discovery; the attacker only has to be positioned to receive the device's multicast and reply to it [1].
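The flow in the two paragraphs above, as an added example in C. This is not the vendor's firmware code and not an exploit for this CVE: the SSDP reply, the 192.0.2.10 address and every function name below are constructed for illustration. It parses a discovery response, shows the vulnerable logging pattern beside its hardened form (the vulnerable one is never called), and adds a pre-log check that flags header values carrying conversion specifiers.

```c
/* Added example for CVE-2022-35878 (constructed; not Abode firmware, not an
 * exploit). Parses an SSDP M-SEARCH reply, contrasts the vulnerable and the
 * hardened logging call, and flags header values that carry specifiers. */
#include <ctype.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply a malicious UPnP service on the LAN might send. */
const char *SAMPLE_RESPONSE =
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "LOCATION: http://192.0.2.10:1900/desc.xml%x%x%x%n\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000\r\n"
    "\r\n";

/* Header names are case-insensitive: compare n bytes ignoring case. */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Return the value of header `name` from a CRLF-delimited response, or NULL.
 * The value lives in a static buffer (not reentrant; fine for this demo). */
const char *ssdp_header(const char *resp, const char *name)
{
    static char value[256];
    size_t nlen = strlen(name);
    for (const char *line = resp; *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > nlen && line[nlen] == ':' && ieq(line, name, nlen)) {
            const char *v = line + nlen + 1, *end = line + linelen;
            while (v < end && isspace((unsigned char)*v)) v++;
            size_t vlen = (size_t)(end - v);
            if (vlen >= sizeof value) vlen = sizeof value - 1;   /* truncate, never overflow */
            memcpy(value, v, vlen);
            value[vlen] = '\0';
            return value;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return NULL;
}

/* Stand-in for the device's logger: formats into a fixed buffer. */
static char g_last_log[512];
static const char *dbg_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_last_log, sizeof g_last_log, fmt, ap);
    va_end(ap);
    return g_last_log;
}

/* VULNERABLE pattern: the attacker-controlled header value *is* the format
 * string, so %x leaks stack words and %n writes memory. Kept for contrast
 * only; nothing in this file calls it. */
const char *log_header_vulnerable(const char *value)
{
    return dbg_log(value);
}

/* HARDENED pattern: literal format, header value passed purely as data. */
const char *log_header_safe(const char *name, const char *value)
{
    return dbg_log("[upnp] %s: %s", name, value);
}

/* True if s contains a conversion specifier ('%' not escaped as "%%"). */
bool has_format_spec(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return true;
    }
    return false;
}

/* Number of the two headers named in the advisory whose value carries a
 * specifier; >0 is what a pre-log filter or a LAN-side monitor would flag. */
int suspicious_headers(const char *resp)
{
    static const char *names[] = { "ST", "Location" };
    int n = 0;
    for (size_t i = 0; i < 2; i++) {
        const char *v = ssdp_header(resp, names[i]);
        if (v && has_format_spec(v)) n++;
    }
    return n;
}

int main(void)
{
    const char *loc = ssdp_header(SAMPLE_RESPONSE, "Location");
    if (loc) printf("%s\n", log_header_safe("Location", loc)); /* %x%x%x%n stays literal */
    printf("suspicious headers: %d\n", suspicious_headers(SAMPLE_RESPONSE));
    return 0;
}
```

The hardened call is the whole fix: with a literal format, "%x%x%x%n" is copied into the log line as bytes and nothing is read from or written to the stack. The `has_format_spec` check is a defence-in-depth layer for a pre-log filter or a LAN-side detector, not a substitute for fixing the call site.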

Impact

Successful exploitation can result in memory corruption, information disclosure (typically leakage of stack contents via read conversions such as "%x" or "%p"), and denial of service. The CVSSv3 score is 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating a high availability impact and low integrity impact; note that the vector's C:N does not credit the information disclosure the description lists, so treat the score as a floor. While arbitrary code execution is not confirmed, write conversions such as "%n" give the attacker a memory write primitive, so memory corruption may enable further compromise [1].

Mitigation

As of the publication date (2022-10-25), no official patch has been released by Abode Systems. Users are advised to restrict network access to the iota device (for example, place it on an isolated VLAN so that untrusted hosts cannot answer its multicast discovery), disable UPnP if the device allows it, and monitor for vendor updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)