VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-35886


Description

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. This vulnerability arises from format string injection via the default_key_id and key HTTP parameters, as used within the /action/wirelessConnect handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Format string injection in Abode iota security kit's wirelessConnect handler allows authenticated attackers to corrupt memory, leak data, or cause denial of service.

Vulnerability

Four format string injection vulnerabilities exist in the /action/wirelessConnect handler of the Abode Systems, Inc. iota All-In-One Security Kit versions 6.9Z and 6.9X. They are triggered through the default_key_id and key HTTP parameters, whose values are handed to a logging function as the format argument of vsnprintf rather than as data bound to a fixed format. Any conversion specifier the attacker places in those values is therefore interpreted by vsnprintf, which lets an authenticated attacker corrupt memory, disclose memory contents, or crash the device [1].

Exploitation

An attacker must first authenticate to the device's web interface; no additional privileges or user interaction are required beyond that. The attacker then sends a crafted HTTP request to the /action/wirelessConnect endpoint with format directives in the default_key_id or key parameter (URL-encoded on the wire, so %25x arrives as %x). Because the logging function treats the parameter as its format string, read specifiers such as %x or %p leak values from the stack, %s dereferences whatever pointer-sized value sits in the corresponding argument slot, and %n writes to it, which is how the described information disclosure, denial of service and memory corruption arise [1].
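The bug pattern the Vulnerability and Exploitation sections describe, as an added example that is not Abode's firmware or code from the reference: a logging helper built on vsnprintf, a handler that passes the decoded key parameter to it as the format string, the one-line fix, and a request-side check. The handler and helper names, the query-string parser and the sample request body are assumptions made for the example; only the endpoint and parameter names come from the advisory.

```c
/* Added example: format-string sink behind a /action/wirelessConnect-style
 * handler, its fix, and a request-side check. Illustrative code written for
 * this page, not Abode firmware; names other than default_key_id and key are
 * assumed. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_MAX 128

/* Generic logging helper of the kind the advisory describes: it formats into
 * a fixed buffer with vsnprintf and is meant to be called with a literal fmt. */
static int dbg_log(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Percent-decode a query value ("%25" -> '%', '+' -> ' '). This step matters:
 * the attacker sends "%25n" on the wire so that "%n" lands in the parameter. */
static void url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = 0;
}

/* Find "name=value" in a query string and store the decoded value. Returns 1
 * if the parameter was present. */
static int get_param(const char *query, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            char raw[LOG_MAX];
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= sizeof raw) vlen = sizeof raw - 1;
            memcpy(raw, v, vlen);
            raw[vlen] = 0;
            url_decode(raw, out, outsz);
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* Vulnerable handler: the decoded key value itself becomes the format string
 * (CWE-134). Returns the vsnprintf result, or -1 if key is absent. */
int wireless_connect_vulnerable(const char *query, char *log, size_t logsz) {
    char key[LOG_MAX];
    if (!get_param(query, "key", key, sizeof key)) return -1;
    return dbg_log(log, logsz, key);
}

/* Fixed handler: constant format, user data bound to %s. */
int wireless_connect_fixed(const char *query, char *log, size_t logsz) {
    char key[LOG_MAX];
    if (!get_param(query, "key", key, sizeof key)) return -1;
    return dbg_log(log, logsz, "%s", key);
}

/* Request-side check usable in a proxy or test harness: 1 if the decoded
 * value contains a '%' followed by a flag, width, length or conversion char. */
int has_format_directive(const char *s) {
    for (; *s; s++)
        if (*s == '%' && s[1] &&
            strchr("%0123456789.-+ #*$hlLjztqdiouxXeEfgGaAcspn", s[1]))
            return 1;
    return 0;
}

int main(void) {
    /* Constructed request body. "%25%25" is the URL encoding of "%%", the only
     * directive that vsnprintf can consume safely without a matching argument;
     * a real attacker sends %x, %s or %n, which is undefined behaviour here. */
    const char *body = "default_key_id=1&key=abc%25%25def";
    char vuln[LOG_MAX], fixed[LOG_MAX];
    wireless_connect_vulnerable(body, vuln, sizeof vuln);
    wireless_connect_fixed(body, fixed, sizeof fixed);
    printf("vulnerable log: %s\n", vuln);  /* abc%def  : directive was interpreted */
    printf("fixed log:      %s\n", fixed); /* abc%%def : data logged verbatim */
    printf("flagged: %d\n", has_format_directive(fixed));
    return 0;
}
```

The vulnerable and fixed handlers differ only in whether the literal "%s" sits between the logger and the user data; that is the whole fix. Annotating dbg_log with `__attribute__((format(printf, 3, 4)))` and compiling with `-Wformat-security` makes GCC and Clang report the vulnerable call at build time, which is the cheapest way to find every other instance of the pattern in a firmware tree.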

Impact

Successful exploitation can result in memory corruption, disclosure of sensitive stack data, and denial of service. The cited CVSSv3 score is 8.2 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H, which rates integrity impact as low and availability impact as high. Note that this vector also rates privileges required as none and confidentiality impact as none, which does not match the authentication requirement and the information disclosure stated in the description; treat the vector as the reference's scoring rather than as something derived from the description. Because %n-style directives write to memory, an arbitrary write primitive, and from there full device compromise, is a plausible escalation, although the description itself claims only memory corruption, information disclosure and denial of service [1].

Mitigation

As of the publication date (2022-10-25), no official fix had been released by Abode Systems, and no patch is recorded on this page. Because exploitation requires an authenticated session, the practical mitigations are to keep the web interface off the internet and reachable only from trusted networks, to use strong, unique credentials for it, and to monitor vendor updates for a patched firmware version. The affected versions (6.9X and 6.9Z) remain vulnerable until a security update is provided [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
