VYPR
Severity: unrated (NVD Advisory). Published Oct 25, 2022; updated Apr 15, 2025.

CVE-2022-35884

Description

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. This vulnerability arises from format string injection via the ssid_hex HTTP parameter, as used within the /action/wirelessConnect handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection vulnerabilities in Abode iota web interface allow authenticated remote attackers to cause memory corruption, information disclosure, or denial of service.

Vulnerability

Four format string injection vulnerabilities exist in the /action/wirelessConnect endpoint of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9Z and 6.9X. The flaw lies in how the ssid_hex HTTP parameter is processed by the web interface, allowing an attacker to control the format string argument passed to a logging function (vsnprintf). This can lead to memory corruption and potential information leakage.
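The defect class described above is a user-controlled value reaching the format argument of vsnprintf. The following is an added illustration (not Abode's firmware code) of the hardened shape a request handler for such an endpoint should take: the format string is always a compile-time literal, the untrusted ssid_hex value travels only as a %s argument, and the value is validated as hex before it is decoded. The function names, the 32-byte SSID limit and the log wording are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical logging helper, not the device's own code.
 * The vulnerable pattern the advisory describes has the shape
 *     vsnprintf(buf, buflen, untrusted_ssid_hex, ap);
 * i.e. the attacker's bytes become the format string. Here the format
 * is a literal checked by the compiler and user data is only ever an
 * argument, so %x / %n sequences in the input are printed, not interpreted. */
static void log_msg(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static void log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Accept only an even number (2..64) of hex digits: at most 32 SSID bytes
 * (assumed limit). Returns 1 if acceptable, 0 otherwise. */
int ssid_hex_is_valid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64 || (n % 2) != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Decode validated hex into out. Returns bytes written, or -1 if invalid
 * or if the decoded SSID would not fit in out. */
int ssid_hex_decode(const char *s, unsigned char *out, size_t outlen)
{
    if (!ssid_hex_is_valid(s))
        return -1;
    size_t n = strlen(s) / 2;
    if (n > outlen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        char pair[3] = { s[2 * i], s[2 * i + 1], 0 };
        out[i] = (unsigned char)strtoul(pair, NULL, 16);
    }
    return (int)n;
}

/* Handler fragment (hypothetical): validates, decodes and logs the request.
 * Returns 0 on success, -1 if the parameter was rejected. The raw parameter
 * is logged with a bounded %.80s so an oversized value cannot flood the log. */
int handle_wireless_connect(const char *ssid_hex, char *logbuf, size_t loglen)
{
    unsigned char ssid[32];
    int n = ssid_hex_decode(ssid_hex, ssid, sizeof ssid);
    if (n < 0) {
        log_msg(logbuf, loglen,
                "wirelessConnect: rejected ssid_hex=\"%.80s\"", ssid_hex);
        return -1;
    }
    log_msg(logbuf, loglen,
            "wirelessConnect: ssid_hex=\"%s\" (%d bytes)", ssid_hex, n);
    return 0;
}

int main(void)
{
    char buf[256];
    handle_wireless_connect("%x%x%n", buf, sizeof buf);  /* rejected, logged literally */
    puts(buf);
    handle_wireless_connect("48656c6c6f", buf, sizeof buf);  /* "Hello" */
    puts(buf);
    return 0;
}
```

Two properties are worth checking in review of any such handler: every vsnprintf/printf-family call site takes a literal format (the format attribute makes the compiler flag the rest), and input validation happens before the value is used in any string operation, so a malformed parameter is rejected rather than partially processed.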

Exploitation

An attacker must first authenticate to the iota web interface. Then, by sending a specially-crafted HTTP request to /action/wirelessConnect with a malicious ssid_hex value containing format specifiers (e.g., %x, %n), the attacker can trigger the format string vulnerability. No user interaction beyond authentication is required, and the attack is remotely exploitable over the network.

Impact

Successful exploitation can result in memory corruption, leading to information disclosure (leaking stack memory) and denial of service (device crash or hang). The attacker does not need any special privileges beyond valid authentication. The CVSSv3 score is 8.2, indicating high severity.

Mitigation

No official fix or workaround has been disclosed in the available references. Users should contact the vendor for updated firmware. As of the publication date (2022-10-25), no patched version has been announced. The vulnerabilities are not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

[1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet).

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet).