when configuring a key. An attacker can inject a specially-crafted value into the `default_key_id` or `key` configuration parameter to execute code with elevated privileges. Specially-crafted XCMDs can be used to cause denial of service, unauthorized access, information disclosure, and memory corruption. The trigger for this vulnerability can be found in the `testWifiAP` XCMD handler when configuring a key with a specially-crafted `default_key_id` or `key`. xtraCut, xtraCopy and xtraMove are standard Python functions. This issue can be exploited when these functions are called via an XCMD to execute code with elevated privileges.

Configuring a WPA2 Key

When setting up a wireless network, one of the most common things to do is configure a WPA2 key. In many scenarios, this involves copying the WPA2 passphrase from a configuration file and pasting it into an interactive command line tool.
The `default_key_id` parameter is a string that may be used as the ID of a pre-shared key (PSK). The default value is "default".
This issue can be exploited when configuring a key with specific values for the `default_key_id` and `key` parameters. For example, using "1234567890" as the value for both parameters will allow code execution with elevated privileges.

Mitigation Strategies

This issue can be mitigated by securing the `default_key_id` and `key` configuration parameters.

Configuring a key using xtraCut and xtraCopy:

This issue can be exploited when xtraCut, xtraCopy and xtraMove are called with a specially-crafted argument.
For example, the following XCMD will allow an attacker to execute code with elevated privileges:

/usr/bin/xcopy /tmp/test.txt /tmp/test2.txt %s
%s

Description of the xtraCut, xtraCopy and xtraMove XCMDs

CVE ID: CVE-2022-35876

Access Restrictions

Certain workflows will require restricted access to the system. This is a common requirement that can be fulfilled by utilizing a key manager. However, developers often don't configure the key parameters properly, potentially leading to vulnerabilities such as this one, CVE-2022-35876.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 01:28:00 UTC

References