VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-35881

Description

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities. This vulnerability arises from format string injection via the errorCode and errorDescription XML tags, as used within the DoUpdateUPnPbyService action handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Four format string injection vulnerabilities in Abode iota All-In-One Security Kit UPnP logging allow memory corruption, info disclosure, and DoS via malicious UPnP service.

Vulnerability

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9Z and 6.9X. The flaw resides in the DoUpdateUPnPbyService action handler, where the errorCode and errorDescription XML tags are used as format strings without sanitization. This allows an attacker to inject format specifiers into log messages, leading to memory corruption and information disclosure [1].
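
The bug class described above, as an added example that is not Abode's firmware code or part of the advisory: a constructed UPnP error response whose errorDescription carries format specifiers is logged with a fixed format string, so the remote text is only ever an argument. The names `log_msg`, `xml_tag` and `log_upnp_error` and the sample response are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

/* Constructed UPnP error response; errorDescription carries format specifiers. */
static const char SAMPLE_FAULT[] =
    "<UPnPError xmlns=\"urn:schemas-upnp-org:control-1-0\"><errorCode>718</errorCode>"
    "<errorDescription>%x%x</errorDescription></UPnPError>";

/* Hypothetical printf-style logger that writes into buf. */
static int log_msg(char *buf, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Copy the text of <tag>...</tag> into out; -1 if missing or too long. */
static int xml_tag(const char *xml, const char *tag, char *out, size_t n) {
    char open[40], close[40];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *s = strstr(xml, open);
    if (!s) return -1;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e || (size_t)(e - s) >= n) return -1;
    snprintf(out, n, "%.*s", (int)(e - s), s);
    return 0;
}

/* Log a UPnP error; returns the log line length, or -1 on parse failure. */
int log_upnp_error(const char *xml, char *buf, size_t n) {
    char code[16], desc[128];
    if (xml_tag(xml, "errorCode", code, sizeof code) ||
        xml_tag(xml, "errorDescription", desc, sizeof desc))
        return -1;
    /* Unsafe (the bug class): log_msg(buf, n, desc) makes remote text the format. */
    /* Safe: fixed format string; remote text is passed only as arguments. */
    return log_msg(buf, n, "UPnP error %s: %s", code, desc);
}

int main(void) {
    char line[256];
    int r = log_upnp_error(SAMPLE_FAULT, line, sizeof line);
    if (r >= 0) puts(line); /* specifiers appear literally in the log */
    return r < 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag the unsafe call shape, where a non-literal string is passed as the format with no arguments.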

Exploitation

An attacker can host a malicious UPnP service on the same network (adjacent network position) and trigger the vulnerability by sending specially crafted UPnP negotiation messages. No authentication is required, and no user interaction is needed. The attacker crafts the errorCode or errorDescription fields with format string specifiers to exploit the logging function [1].

Impact

Successful exploitation can lead to memory corruption, arbitrary memory read (information disclosure), and denial of service. The attacker may gain the ability to read sensitive data from the device's memory or cause the device to crash. The CVSSv3 score is 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) [1].

Mitigation

As of the publication date (2022-10-25), no official patch has been released by Abode Systems. Users are advised to monitor vendor updates and consider restricting UPnP services on the local network to reduce exposure. The affected versions are 6.9X and 6.9Z [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
