CVE-2022-1581: 
WordPress vulnerability analysis and mitigation

Multiple format string injection vulnerabilities were discovered in the Abode Systems iota All-In-One Security Kit versions 6.9X and 6.9Z. The vulnerabilities exist in the XCMD testWifiAP functionality, where specially-crafted configuration values can lead to memory corruption, information disclosure and denial of service. An attacker can modify a configuration value and then execute an XCMD to trigger these vulnerabilities (Talos Report).

The vulnerabilities exist in the device's handling of Wi-Fi configuration values that can be modified through multiple vectors including the mobile application, web application, setWifiAP XCMD, and local web interface endpoints. None of these mechanisms implement proper sanitization of the values. When these configuration values are later used in log function calls within the testWifiAP XCMD handler, they can be exploited as format string injection points. The vulnerabilities have a CVSS score of 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and are classified as CWE-134 (Use of Externally-Controlled Format String) (Talos Report).

The vulnerabilities could allow attackers to leak stack memory, write to arbitrary memory locations, and potentially achieve code execution. While the output from format string injections is only available to physically present attackers with access to the UART console, the ability to manipulate device configuration remains a significant security concern (Talos Report).

Abode Systems has released patches to address these vulnerabilities. Users are encouraged to update their iota All-In-One Security Kit devices to versions newer than 6.9Z (Talos Report).