The iota All-In-One Security Kit from Abode Systems Inc. was found to have numerous vulnerabilities. On October 20, 2022 Cisco Talos Intelligence Group published an advisory mentioning about the vulnerabilities. The Abode system detects and notifies consumers of unlawful movement in their homes using geofencing, application control, and a security camera. Similar to smart home technologies like Alexa, Google Home, and Apple HomeKit, it operates through a smartphone app.

As mentioned in the advisory, threat actors will be able to change user account passwords, inject code, configure modifications, corrupt memory, leak information, and cause a denial of service scenario if they are successful in exploiting these vulnerabilities. Several of these vulnerabilities are of critical severity and have CVSS severity scores of 10.

The Abode iota Security Kit contains the following vulnerabilities:

• A ‘OS command injection’ vulnerabilities in the web interface /action/wirelessConnect – CVE-2022-33204, CVE-2022-33207 – Severity: critical, CVSS: 10
• A ‘OS command injection’ vulnerability in the XCMD setAlexa – CVE-2022-33189 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection vulnerability in the web interface util_set_serial_mac –  CVE-2022-29472 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection’ vulnerability in the web interface /action/iper – CVE-2022-30603 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection’ vulnerabilities in the XCMD testWifiAP – CVE-2022-33192, CVE-2022-33195 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection’ vulnerability in the XCMD setAlexa – CVE-2022-33189 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection’ vulnerability in the XCMD setUPnP – CVE-2022-30541 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection’ vulnerability in the XCMD doDebug – CVE-2022-32773 – Severity: Critical, CVSS: 10.0
• A ‘OS command injection’ vulnerability in the XCMD getVarHA – CVE-2022-35244 – Severity: Critical, CVSS: 9.8
• A ‘authentication bypass’ vulnerability in the GHOME control – CVE-2022-27805 – Severity: Critical, CVSS: 9.8
• A ‘integer overflow’ vulnerability in the web interface /action/ipcamRecordPost –  CVE-2022-32775 – Severity: Critical, CVSS: 9.0
• A ‘authentication bypass’ vulnerability in the web interface /action/factory* – CVE-2022-29477 – Severity: High, CVSS: 8.6):
• A ‘string injection’ in the web interface /action/wirelessConnect – CVE-2022-35884, CVE-2022-35887 – Severity: High, CVSS: 8.2
• A ‘string injection’ vulnerability in the ghome_process_control_packet – CVE-2022-33938 – Severity: High, CVSS: 8.2
• A ‘string injection’ vulnerabilities in the XCMD testWifiAP – CVE-2022-35874, CVE-2022-35877 – Severity: High, CVSS: 8.2
• A ‘OS command injection’ vulnerability in the console_main_loop :sys – CVE-2022-29520 – Severity: High, CVSS: 8.1
• A ‘OS command injection’ in the vulnerability web interface util_set_abode_code – CVE-2022-27804 – Severity: High, CVSS: 8.0
• A ‘OS command injection’ vulnerability in the web interface /action/ipcamRecordPost – CVE-2022-32586 – Severity: High, CVSS: 8.0
• A ‘double-free vulnerability’ vulnerability in the web interface /action/ipcamSetParamPost – CVE-2022-32574 – Severity: High, CVSS: 7.5
• A ‘information disclosure’ vulnerability in the XFINDER – CVE-2022-29475 – Severity: Low, CVSS: 4.7

According to Cisco’s vulnerability disclosure policy, Cisco Talos collaborated with Abode Systems to make sure that these problems were fixed and that impacted users could download an update. Users are advised to update these impacted products as soon as they can: Versions 6.9X and 6.9Z of the iota All-In-One Security Kit from Abode Systems. These security kit versions can be abused by these vulnerabilities, according to testing by Talos.

Source

https://blog.talosintelligence.com/vuln-spotlight-abode/

Recent Updates,

vm2 Sandbox Vulnerability allows RCE