One Article Review
| Source |  CISCO Talos |
|---|---|
| Identifiant | 7584736 |
| Date de publication | 2022-10-20 09:30:53 (vue: 2022-10-20 14:08:23) |
| Titre | Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them |
| Texte |  Matt Wiseman of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors. The devices communicate with the user via a website or app on their mobile device and can connect to smart hubs like Google Home, Amazon Alexa and Apple Homekit. The vulnerabilities Talos discovered could lead to a variety of conditions, including providing attackers with the ability to change users' login passwords, inject code onto the device, manipulate sensitive device configurations, and cause the system to shut down. The devices contain several format string injection vulnerabilities in various functions of its software that could lead to memory corruption, information disclosure and a denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities. TALOS-2022-1585 (CVE-2022-35884 - CVE-2022-35887) TALOS-2022-1584 (CVE-2022-33938) TALOS-2022-1581 (CVE-2022-35874 - CVE-2022-35877) TALOS-2022-1568 (CVE-2022-33204 – CVE-2022-33207) TALOS-2022-1561 (CVE-2022-29520) TALOS-2022-1558 (CVE-2022-33189) There are four other vulnerabilities - TALOS-2022-1567 (CVE-2022-27804), TALOS-2022-1566 (CVE-2022-29472), TALOS-2022-1563 (CVE-2022-32586) and TALOS-2022-1562 (CVE-2022-30603) - that can also lead to code execution, though it requires the adversary to send a specially crafted HTTP request, rather than XML. TALOS-2022-1559 (CVE-2022-33192 - CVE-2022-33195), TALOS-2022-1558 (CVE-2022-33189), TALOS-2022-1557 (CVE-2022-30541) and |
| Envoyé | Oui |
| Condensat | talos the an cisco lastly talos the there users 1552 1553 1554 1556 1557 1558 1559 1561 1562 1563 1564 1565 1566 1567 1568 1581 1582 1584 1585 2022 27804 27805 29472 29475 29477 29520 30541 30603 32574 32586 32773 32775 33189 33192 33195 33204 33207 33938 35244 35874 35877 35884 35887 60096 60099 60100 60106 60123 60126 60215 60217 60287 60288 60309 60311 60329 60336 ability abode access account actual additional adherence administrative adversary affected against alert alexa all allow allows also amazon among another app apple arbitrary are attached attack attacker attackers attempts authenticated authentication authorization available blog but bypass camera cameras can case cause center change changes changing cisco code coded commands communicate conditions configuration configurations confirmed connect contain control corruption could counter crafted crash current customers cve cvss denial detect device devices disable disarming disclosure discovered doors double down enabling encouraged ensure execute execution exploit exploitation exploited factory fields firepower following format four free functions future google handling hard have header heap home homekit homes http hub hubs includes including information inject injection interface iota issues its jon kit knowledge lead leads like local login main make malicious man management manipulate matt maximum may memory middle mobile most motion movement munshaw one onto org other out over particular password passwords payload payloads pending please policy possible: privileges products program proper providing rather reading rebooting recently refer released remote remotely replay request requires reset resolved responsible resulting root rule rules score security send sending sends sensitive sensors series serious service setting several severity shut simply smart snort software soon specially spotlight: string subject system systems take talos tested than them these though time trigger triggered triggering udp unwanted update user username users value values variety various versions vulnerabilities vulnerability vulnerability: ways web website which who will windows wiseman without worked would writing xcmd xml your |
| Tags | Guideline Vulnerability |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.