PT-2022-21741 · Abode Systems · Iota All-In-One Security Kit

Matt Wiseman · Published 2022-10-25 · Updated 2022-10-27 · CVE-2022-33204

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z

Description: OS command injection vulnerabilities exist in the web interface's /action/wirelessConnect functionality. A specially crafted HTTP request can lead to arbitrary command execution, and an attacker can make an authenticated HTTP request to trigger these vulnerabilities. This entry covers the unsafe use of the ssid hex HTTP parameter to construct an OS command at offset 0x19afc0 of the /root/hpgw binary included in firmware 6.9Z.

Recommendations: For versions 6.9X and 6.9Z, at the moment there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /action/wirelessConnect functionality to minimize the risk of exploitation, and avoid using the ssid hex parameter in the affected HTTP request until the issue is resolved.
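The description says the vulnerable code builds an OS command from a parameter that is supposed to carry a hex-encoded SSID, which gives a defender two concrete handles: the value can be validated strictly before it reaches any shell (it must be an even-length hex string of at most 64 digits, since an 802.11 SSID is at most 32 octets), and requests that carry a non-hex value to /action/wirelessConnect can be flagged in web access logs while the workaround above is in place. The Python below is an added example written for this page, not code from Abode or from the advisory; it assumes the parameter is named `ssid_hex` (the page writes it as "ssid hex") and that requests appear in a common-log-format access log, and the log lines are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed parameter name; the advisory refers to it as the "ssid hex" parameter.
PARAM = "ssid_hex"
ENDPOINT = "/action/wirelessConnect"
# An IEEE 802.11 SSID is at most 32 octets, i.e. 1..32 byte pairs of hex digits.
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){1,32}")


def validate_ssid_hex(value: str) -> Optional[bytes]:
    """Return the decoded SSID bytes if `value` is strictly hex-encoded,
    otherwise None. This is the check a hardened handler would apply before
    the value is used anywhere near a command line: anything that is not a
    well-formed hex string is rejected outright rather than interpolated."""
    if not HEX_RE.fullmatch(value):
        return None
    return bytes.fromhex(value)


def flag_request(target: str) -> Optional[str]:
    """Classify one request target (path + query). Returns a reason string
    when the request hits the affected endpoint with a malformed ssid_hex,
    or None when it is not of interest."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    for v in values:
        if validate_ssid_hex(v) is None:
            return f"non-hex {PARAM} value"
    return None


# Matches the request field of a common-log-format line: "GET /path HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Run flag_request over access-log lines; returns (target, reason) pairs."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reason = flag_request(m["target"])
        if reason:
            findings.append((m["target"], reason))
    return findings


# Constructed sample log lines (not real traffic): one well-formed request,
# one unrelated endpoint, one malformed ssid_hex, one short but valid value.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2022:10:00:01 +0000] "GET /action/wirelessConnect?ssid_hex=486f6d65 HTTP/1.1" 200 51',
    '192.0.2.10 - - [25/Oct/2022:10:00:02 +0000] "GET /action/status HTTP/1.1" 200 1201',
    '192.0.2.77 - - [25/Oct/2022:10:00:03 +0000] "GET /action/wirelessConnect?ssid_hex=homenet HTTP/1.1" 200 51',
    '192.0.2.77 - - [25/Oct/2022:10:00:04 +0000] "GET /action/wirelessConnect?ssid_hex=486f HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    for target, reason in scan_access_log(SAMPLE_LOG):
        print(f"{reason}: {target}")
```

Because `parse_qs` only sees the query string, this scan covers the parameter when it is sent in the URL; if the device accepts it in a POST body, the same `validate_ssid_hex` check has to run where the body is visible, for example in a reverse proxy or WAF rule placed in front of the kit as part of the access restriction recommended above.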

Exploit: OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2022-33204

Affected Products: Iota All-In-One Security Kit