CVE-2019-13030 eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a missing check in rc.d/97NeoServer

Overview

  • CVE: CVE-2019-13030
  • Author: psytester
  • Title: eQ-3 Homematic CCU3 AddOn ‘Mediola NEO Server for Homematic CCU3’ prior 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addon configuration pages and a missing check in rc.d/97NeoServer
  • Vulnerability Type: CWE-284: Improper Access Control
  • CVSSv3 Base Score: 8.2
  • CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  • Publishing Date: 26.07.2019
  • Updated: –
  • Vendor: eQ-3 AG for CCU3 Firmware contains from mediola - connected living AG the ‘NEO Server’ AddOn
  • Product: Homematic CCU3 ‘NEO Server’ AddOn
  • Vendor eQ-3 contacted: 13.02.2019
  • Vendor eQ-3 response on 11.04.2019 with “not responsible for AddOns”
  • Vendor Mediola contacted: 12.04.2019
  • Vendor Mediola confirmation: 18.04.2019
  • Vendor patch: Just partly fixed since NEO Server for Homematic CCU3 v2.4.5
  • Vendor eQ-3 for Homematic CCU3 patch: CCU3 3.47.10 contains NEO Server v2.4.5
  • Vendor Mediola Reference: N.A.
  • Affected Firmware version of CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7 tested
  • Affected ‘NEO Server’ Addon version: prior 2.4.5

Background

From Mediola AIO CREATOR NEO translated:
The mediola® AIO CREATOR NEO is the universal and independent solution for controlling your Smart Home. With the extremely powerful and uniquely flexible software, you can easily design your own personal All-In-One Smart Home App and combine many incompatible devices and systems across brand and technology boundaries.

From eQ-3 vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
[….]

Past eQ-3 press release about taking security updates seriously (in German only):
[…]
eQ-3 ist es wichtig, dass auch solche Lücken geschlossen werden, die für die meisten Installationen keine Rolle spielen.
[…]
Obwohl nur Nutzer betroffen sind, die gegen Sicherheitshinweise von eQ-3 verstoßen oder seit mehreren Jahren keine Sicherheitsupdates installiert haben, gibt eQ-3 solchen Fällen hohe Priorität und behebt entsprechende Sicherheitslücken schnellstmöglich nach Bekanntwerden in neuen Software-Versionen und Hotfixes.
[…]

Issue Description

While analyzing the CCU web interface based on given page files in file system path /www, this is another Improper Access Control resulting into obtaining configuration data, node.js process (re)start and killing the node.js process vulnerability located in build-in ‘Neo Server’ AddOn. This vulnerability can be exploited by unauthenticated attackers with access to the web interface mainly.

Notice, if access to port 8088 is available too, the node.js itself in version 8.11.4 can be attacked, but this was not further analyzed, there are some known CVEs public.

The following HTTP requests in Web Browser illustrates the attack vectors:

  1. (Re)starting the node.js process
    Open http://1.2.3.4/addons/mediola/index.html for Neo Server confuguration page and click on “Activate” button to start the node.js process
    or call directly the related CGI call http://1.2.3.4/addons/mediola/bin/restart.cgi to (re)start the node.js process.
    The linked service script /usr/local/etc/config/rc.d/97NeoServer has a control weakness, resulting into starting the Neo Server although the “Disabled” indication is set.

/usr/local/etc/config/rc.d/97NeoServer start –> controls first for existens of a “Disabled” file and exits is the file was found.
/usr/local/etc/config/rc.d/97NeoServer restart –> goes directly to do_start without checking the “Disabled” file and starts the node.js process

If access to port 8088 is available too, there are other attacks possible, as no authentication is setup in node.js default configuration.

Analysing the index.htm there is a getLogs method call, which is found in /usr/local/addons/mediola/neo_server/node_modules/x.hub.js. This JavaScript contains all those GET and POST calls.
Calling http://1.2.3.4:8088/getLogs?at= is downloading the Neo Server logfiles and further configuration data. Calling http://1.2.3.4:8088/reset will stop the two runnig node.js processes without restarting them.

CVE

CVE-2019-13030

CVSSv3 Base Score

CVSSv3 Base Score: 8.2

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Credit

psytester

Not owning an original CCU2 or CCU3, but you want to analyze the CCU ‘for free’?
You can download
piVCCU for running the original CCU3 Firmware in lxc container on RaspberryPi
RaspberryMatic for running the opensource OCCU based release on different boards

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on July 26, 2019