CVE-2022-35887

Vulnerability

A format string injection vulnerability exists in the /action/wirelessConnect handler of the Abode Systems, Inc. iota All-In-One Security Kit firmware versions 6.9Z and 6.9X. The flaw resides in the default_key_id HTTP parameter, which is passed as a format string to a logging function that wraps vsnprintf. An attacker who can supply format specifiers (e.g., %x, %n) in this parameter can cause the device to interpret attacker-controlled data as a format string, leading to memory corruption. The vulnerable code path is reachable when an authenticated user sends a crafted HTTP request to the web interface [1].

Exploitation

An attacker must first obtain valid authentication credentials for the iota device's web interface. With authenticated access, the attacker sends a specially-crafted HTTP request to /action/wirelessConnect containing format string specifiers in the default_key_id parameter. No additional user interaction is required beyond the initial authentication. The device's logging function then processes the malicious format string, potentially reading from or writing to arbitrary stack locations [1].

Impact

Successful exploitation can result in memory corruption, information disclosure (leakage of stack memory), and denial of service (device crash or hang). The attacker may be able to read sensitive data from the device's memory or corrupt critical data structures, potentially leading to further compromise. The impact is limited to the device itself; network-level privileges are not escalated beyond the authenticated session [1].

Mitigation

As of the publication date (2022-10-25), no patched firmware version has been disclosed in the available references. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restricting network access to the web interface and ensuring strong authentication credentials can reduce the attack surface. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].