PT-2022-22995 · Abode Systems · Iota All-In-One Security Kit

Matt Wiseman · Published 2022-10-25 · Updated 2022-10-27 · CVE-2022-35885

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Abode Systems, Inc. iota All-In-One Security Kit, versions 6.9Z and 6.9X

Description: Format string injection via the wpapsk_hex HTTP parameter of the /action/wirelessConnect handler. Because the parameter value reaches a format string without filtering, a specially crafted HTTP request can cause memory corruption, information disclosure, or denial of service. The request must be authenticated, so an attacker needs valid credentials or a session on the device's web interface to trigger this issue.

Recommendations: For versions 6.9Z and 6.9X, do not submit the wpapsk_hex parameter to the /action/wirelessConnect endpoint until a fix is available. As a temporary workaround, restrict access to the /action/wirelessConnect functionality (and to the device's HTTP interface in general) to trusted networks and administrators to minimize the risk of exploitation.
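The following is an added illustration of the weakness class the advisory describes, not Abode firmware code: a handler that folds an HTTP parameter into a format string, next to the hardened form that validates the value and passes it as an argument to a constant format. The function names, the `nvram set` command string and the probe value are assumptions; the only thing taken from the advisory is the parameter name wpapsk_hex. The demo deliberately uses the `%%` directive, which consumes no arguments, so the vulnerable path stays well-defined while still showing that the client's text was parsed as a format.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Abode firmware. Handler names and the "nvram set"
 * command are assumptions modelling CWE-134: an HTTP parameter value
 * reaching a printf-family format string. */

/* Thin vsnprintf wrapper so the unsafe call below compiles cleanly. */
static int fmt_write(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the client-supplied value becomes part of the format string.
 * Any %-directive in wpapsk_hex is interpreted: "%x" reads stack or
 * registers (info leak), "%s" with a bad pointer crashes (DoS), "%n" writes
 * memory (corruption). The demo only sends "%%" so behaviour stays defined. */
int set_psk_vulnerable(char *out, size_t outlen, const char *wpapsk_hex)
{
    char fmt[512];
    snprintf(fmt, sizeof fmt, "nvram set wpapsk_hex=%s", wpapsk_hex);
    return fmt_write(out, outlen, fmt);   /* attacker text is now the format */
}

/* Allow-list check: a raw WPA2 PSK is exactly 64 hex digits (256 bits). */
int is_valid_wpapsk_hex(const char *s)
{
    if (s == NULL || strlen(s) != 64)
        return 0;
    for (const char *p = s; *p; p++)
        if (!isxdigit((unsigned char)*p))
            return 0;
    return 1;
}

/* FIXED: validate first, then pass the value as an argument to a constant
 * format string, never as the format itself. Returns -1 on rejected input. */
int set_psk_fixed(char *out, size_t outlen, const char *wpapsk_hex)
{
    if (!is_valid_wpapsk_hex(wpapsk_hex))
        return -1;
    return snprintf(out, outlen, "nvram set wpapsk_hex=%s", wpapsk_hex);
}

int main(void)
{
    char buf[512];
    const char *probe = "AA%%BB";   /* constructed probe: "%%" prints as "%" */

    set_psk_vulnerable(buf, sizeof buf, probe);
    printf("vulnerable: %s\n", buf);  /* nvram set wpapsk_hex=AA%BB */
    printf("fixed rc=%d\n", set_psk_fixed(buf, sizeof buf, probe)); /* -1 */
    return 0;
}
```

A probe like `AA%%BB` is also a safe way to test a device for this bug class: if the reflected or stored value comes back as `AA%BB`, the parameter was interpreted as a format string.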

Weakness Enumeration

Use of Externally-Controlled Format String (CWE-134)

Related Identifiers

CVE-2022-35885

Affected Products

Iota All-In-One Security Kit