VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-35880

Description

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities. This vulnerability arises from format string injection via the NewInternalClient XML tag, as used within the DoUpdateUPnPbyService action handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection in Abode iota All-In-One Security Kit UPnP logging allows memory corruption, info disclosure, and DoS via malicious UPnP service.

Vulnerability

The vulnerability is a format string injection in the UPnP logging functionality of Abode Systems iota All-In-One Security Kit versions 6.9Z and 6.9X. The bug resides in the DoUpdateUPnPbyService action handler, where the value of the NewInternalClient XML tag is passed as the format string argument to a logging function rather than as a %s parameter. An attacker who controls that value therefore controls the format specifiers. Because the logging function is a wrapper around vsnprintf, injected specifiers make it consume arguments that were never supplied, which can lead to memory corruption and information disclosure. [1]

Exploitation

An attacker must host a malicious UPnP service on the same network as the iota device. The device's UPnP client negotiates with that service, and the attacker returns a crafted NewInternalClient value containing format string specifiers. No authentication is required, and no user interaction is needed beyond the device automatically discovering and interacting with the UPnP service. [1]
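The sink and the trigger described in the Vulnerability and Exploitation sections, as an added illustration rather than code from the Abode firmware or from the cited reference: a vsnprintf logging wrapper, the vulnerable and fixed ways of logging a NewInternalClient value, a constructed UPnP SOAP response carrying a hostile value, and a directive counter that a fuzzing harness or log monitor could use as an oracle. The function names, the SOAP action name and the payload are assumptions chosen for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed logging wrapper around vsnprintf, of the kind the advisory
 * describes. Output is kept in a buffer so callers can inspect it. */
static char g_last_log[256];

static int log_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_last_log, sizeof g_last_log, fmt, ap);
    va_end(ap);
    return n;
}

const char *last_log(void) { return g_last_log; }

/* VULNERABLE pattern (hypothetical name): the attacker-controlled text is the
 * format string itself. It is never called with hostile input in this example,
 * since doing so is undefined behaviour; it shows the shape of the bug only. */
int log_client_vulnerable(const char *new_internal_client)
{
    return log_fmt(new_internal_client);
}

/* FIXED pattern (hypothetical name): the attacker text is only a %s argument,
 * so any '%' it contains is copied literally. */
int log_client_fixed(const char *new_internal_client)
{
    return log_fmt("UPnP NewInternalClient=%s", new_internal_client);
}

/* Count printf conversion directives in untrusted text; "%%" is a literal
 * percent sign and does not count, and a trailing lone '%' is ignored.
 * A NewInternalClient value should be an IP address, so any count > 0 is
 * a strong signal for a fuzz harness or a log-side detection rule. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] == '\0') break;              /* dangling percent */
        n++;
    }
    return n;
}

/* Minimal extraction of one element's text from a UPnP SOAP body
 * (constructed helper, not a real XML parser). Returns length or -1. */
int extract_tag(const char *xml, const char *tag, char *out, size_t outlen)
{
    char open[64], close[64];
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open) return -1;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close) return -1;
    const char *s = strstr(xml, open);
    if (!s) return -1;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e) return -1;
    size_t len = (size_t)(e - s);
    if (len >= outlen) return -1;
    memcpy(out, s, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed SOAP response from a malicious UPnP service. The action name is
 * an assumption; the hostile value is the kind of payload a probe would use. */
static const char SAMPLE_RESPONSE[] =
    "<?xml version=\"1.0\"?>"
    "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<s:Body><u:GetSpecificPortMappingEntryResponse>"
    "<NewInternalClient>%x.%x.%x.%x|%s|%n</NewInternalClient>"
    "</u:GetSpecificPortMappingEntryResponse></s:Body></s:Envelope>";

/* Parse the sample response and return how many directives it smuggles in. */
int directives_in_sample_response(void)
{
    char value[128];
    if (extract_tag(SAMPLE_RESPONSE, "NewInternalClient", value, sizeof value) < 0)
        return -1;
    return count_format_directives(value);
}

int main(void)
{
    char value[128];
    extract_tag(SAMPLE_RESPONSE, "NewInternalClient", value, sizeof value);
    printf("extracted value: %s (%d directives)\n", value, count_format_directives(value));
    log_client_fixed(value);
    printf("fixed logger wrote: %s\n", last_log());
    return 0;
}
```

Adding `__attribute__((format(printf, 1, 2)))` to the real wrapper lets the compiler's `-Wformat-security` flag a call like `log_fmt(new_internal_client)` at build time, which is the cheapest way to find the remaining three injection points the advisory counts.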

Impact

Successful exploitation can lead to memory corruption, information disclosure (leaking stack memory), and denial of service. The attacker can potentially read arbitrary memory or cause the device to crash. The impact is limited to the device itself, with no privilege escalation beyond the device's existing context. [1]

Mitigation

As of the publication date (2022-10-25), no patch has been released by Abode Systems. The affected versions are 6.9Z and 6.9X. Users should monitor for firmware updates from Abode. A workaround is to disable UPnP on the iota device if possible, or restrict network access to the device to prevent malicious UPnP services from being reachable. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)