CVE-2022-27805: TALOS-2022-1552 || Cisco Talos Intelligence Group
SUMMARY
An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
abode systems, inc. iota All-In-One Security Kit 6.9X
abode systems, inc. iota All-In-One Security Kit 6.9Z
PRODUCT URLS
iota All-In-One Security Kit - https://goabode.com/product/iota-security-kit
CVSSv3 SCORE
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-284 - Improper Access Control
DETAILS
The iota All-In-One Security Kit is a home security gateway containing an HD camera, infrared motion detection sensor, Ethernet, WiFi and Cellular connectivity. The iota gateway orchestrates communications between sensors (cameras, door and window alarms, motion detectors, etc.) distributed on the LAN and the Abode cloud. Users of the iota can communicate with the device through mobile application or web application.
The iota can be controlled remotely by the owner or authorized user via a mobile application or a web application. When this is done, requests are initially sent via HTTPS to Abode Systems, Inc. where they are checked for authentication and authorization before the request is then proxied to the target device via an XMPP channel established during the start-up of the /root/hpgw binary. This XMPP connection is initiated by the device, protected from man-in-the-middle style attacks by TLS certificate validation. A review of the available commands that can be transmitted over this XMPP channel turned up no commands that contain authentication material within them. Any command received over this XMPP connection is assumed to be authentic and trustworthy, with trust inherited from the security of the XMPP connection. These commands are referred to within the application as ‘XCMDs’, so we will adopt that terminology for this report.
There is a service listening locally on UDP/55050 that allows for submission of XCMDs, referred to in logs as GHOME. This service receives XCMDs and dispatches them to the same function which handles trusted XCMDs received over the XMPP connection.
An unauthenticated attacker who can communicate to UDP/55050 can transmit an XCMD which will be handled, without any authorization checks, in the same manner as an XCMD received via the trusted XMPP connection. As of version 6.9Z there are 222 different XCMDs, including all of those features which are available to the user via the mobile or web applications, as well as several others that do not appear to map to any functionality of the applications.
Several of these XCMDs have immediate negative security impacts: there are XCMDs which allow for arming and disarming the system, reading and writing sensitive configuration values, rebooting the device, enabling the local web interface, changing the local web interface’s administrative account username and password, and many others.
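To make the trust-boundary flaw concrete, the following is an added, hypothetical model of the dispatch path (not code from the hpgw binary or from Talos): both transports feed one handler, and the fix is to carry each command's provenance and authorize on it. The `Source` enum, `XCmd` type, `local_token` scheme and the command names are constructed for illustration.

```python
"""Model of the XCMD trust boundary described in the advisory (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
import hmac
import json


class Source(Enum):
    XMPP = "xmpp"    # cloud channel: authenticated and authorized upstream by Abode
    GHOME = "ghome"  # local UDP/55050 service: carries no authentication at all


@dataclass(frozen=True)
class XCmd:
    name: str
    source: Source
    args: dict = field(default_factory=dict)
    token: str = ""  # hypothetical per-command credential for local callers


def vulnerable_dispatch(cmd: XCmd) -> str:
    """Behaviour the advisory describes: every XCMD runs, whatever transport it came from."""
    return f"executed:{cmd.name}"


# Placeholder for a per-device secret that a real fix would provision securely.
LOCAL_SECRET = b"constructed-example-secret"


def local_token(name: str, args: dict) -> str:
    """Credential a legitimately authenticated local caller would attach (constructed scheme)."""
    msg = json.dumps({"name": name, "args": args}, sort_keys=True).encode()
    return hmac.new(LOCAL_SECRET, msg, "sha256").hexdigest()


def hardened_dispatch(cmd: XCmd) -> str:
    """Authorize by provenance before reaching the shared XCMD handler."""
    if cmd.source is Source.XMPP:
        # Trust inherited from the TLS-protected, device-initiated XMPP session.
        return f"executed:{cmd.name}"
    if cmd.source is Source.GHOME:
        # Local UDP input is untrusted: require proof of authentication, or reject.
        expected = local_token(cmd.name, cmd.args)
        if cmd.token and hmac.compare_digest(cmd.token, expected):
            return f"executed:{cmd.name}"
        return f"rejected:{cmd.name}:unauthenticated-local-source"
    return f"rejected:{cmd.name}:unknown-source"
```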
TIMELINE
2022-07-13 - Initial Vendor Contact
2022-07-14 - Vendor Disclosure
2022-10-20 - Public Release
Discovered by Matt Wiseman of Cisco Talos.