CVE-2019-9584 eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages

Overview

CVE: CVE-2019-9584
Author: psytester
Title: eQ-3 Homematic AddOn ‘CloudMatic’ on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages
Vulnerability Type: CWE-284: Improper Access Control
CVSSv3 Base Score: 9.8
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Publishing Date: 25.07.2019
Updated: –
Vendor: eQ-3 AG for CCU Firmware contains from vendor EASY SmartHome GmbH the ‘CloudMatic’ AddOn
Product: Homematic CCU2 and CCU3 ‘CloudMatic’ AddOn
Vendor eQ-3 contacted: 13.02.2019
Vendor eQ-3 response on 11.04.2019 with “not responsible for AddOns”
Vendor EASY SmartHome contacted: 21.05.2019
Vendor EASY SmartHome confirmation: 22.05.2019
Vendor patch CCU2: N.A.
Vendor patch CCU3: 3.53.26 since 18.08.2020
Vendor patch: n.a. in CCU2 and CCU3, but a first hotpatch as Github commit #76274aa
Vendor EASY SmartHome Reference: Github issue #8
Affected Firmware version of CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15, 2.47.18, 2.47.20, 2.49.17 tested
Affected Firmware version of CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15, 3.47.18, 3.47.22, 3.49.17 tested

Background

From EASY SmartHome GmbH translated:
Do you want to access your Smarthome via App and Web, with certified security, but without complex self-configurations? With your personal VPN access via CloudMatic Connect, you can access your Smarthome worldwide without having to acquire technical know-how and invest a lot of time and effort in your own configuration.

Your added value

Secure remote access to the Smarthome
Easy to set up
Voice control via Amazon Alexa
Remote control of other home power supplies (e.g. routers, NAS)
Maintenance access for remote access by e.g. installers
Connection to ConradConnect
Link with IFTTT
Communication between several control centers
Remote control via various apps (e.g. Mediola, PocketControl, TinyMatic)
Your safety
An important component of Smarthome systems is access security. Especially for remote access, security plays an important role and port forwarding etc. should not be used.

From eQ-3 vendor’s website for CCU2:
HomeMatic Central Control Unit CCU2

Homematic Central Control Unit is the central element of your Homematic system, offering a whole range of control, monitoring and configuration options for all the Homematic devices in your installation
[….]

From eQ-3 vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
[….]

Past eQ-3 press release about taking security updates seriously (in German only):
[…]
eQ-3 ist es wichtig, dass auch solche Lücken geschlossen werden, die für die meisten Installationen keine Rolle spielen.
[…]
Obwohl nur Nutzer betroffen sind, die gegen Sicherheitshinweise von eQ-3 verstoßen oder seit mehreren Jahren keine Sicherheitsupdates installiert haben, gibt eQ-3 solchen Fällen hohe Priorität und behebt entsprechende Sicherheitslücken schnellstmöglich nach Bekanntwerden in neuen Software-Versionen und Hotfixes.
[…]

Issue Description

While analyzing the CCU web interface based on given page files in file system path /www, this is another Improper Access Control resulting into Uncontrolled Resource Consumption and File Modification / Deletion vulnerability located in build-in ‘CloudMatic’ AddOn. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.

The following HTTP requests in Web Browser illustrates the attack vectors:

Information Disclosure
In case of http://1.2.3.4/addons/mh/dotest2.cgi shows up an user account not “none”:
```
Inhalt mhcfg
 userkennung= ..... here not "none" .....
```
The username could be found in search machines, directly linked to a person, which is living at town …..
Denial of Service / File Deletion:
VPN setup is deleted by http://1.2.3.4/addons/mh/cleanup.cgi
Afterwards http://1.2.3.4/addons/mh/dotest2.cgi shows unset username and VPN key files where deleted
```
Inhalt mhcfg
 userkennung=none
```
Denial of Service:
Shutting down the VPN service by http://1.2.3.4/addons/mh/dienstaus.cgi
Shutting down the Reverse proxy by http://1.2.3.4/addons/mh/dienstausngx.cgi
Shutting down the CloudMatic monitoring by http://1.2.3.4/addons/mh/dienstauszbx.cgi

CVE

CVE-2019-9584

CVSSv3 Base Score

CVSSv3 Base Score: 9.8

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Firmware update since August 2020

On CCU3:
With firmware 3.53.26 the CloudMatic add-on v20191127 is shipped.
There is still no build-in user authentication! It’s a work around only.
This vulnerability can be still exploited by unauthenticated attackers with LOCAL access to the web interface or any environment with NATing where the source IP is replaced by router.
Affected CGI files got a check (refer to Github commit #76274aa ) for common local ip ranges and will exit in case of internet IP addresses:

global env
set private 0

foreach key [array names env] {
  if {$key == "REMOTE_ADDR"} {
  	set octets [split $env($key) "."]
    if {($private == 0 && [lindex $octets 0] == "172") && ([lindex $octets 1] == "16" || [lindex $octets 1] == "17" || [lindex $octets 1] == "18" || [lindex $octets 1] == "19" || [lindex $octets 1] == "20" || [lindex $octets 1] == "21" || [lindex $octets 1] == "22" || [lindex $octets 1] == "23" || [lindex $octets 1] == "24" || [lindex $octets 1] == "25" || [lindex $octets 1] == "26" || [lindex $octets 1] == "27" || [lindex $octets 1] == "28" || [lindex $octets 1] == "29" || [lindex $octets 1] == "30" || [lindex $octets 1] == "31")} { set private 1 }
    if {$private == 0 && [lindex $octets 0] == "192" && [lindex $octets 1] == "168"} { set private 1 }
    if {$private == 0 && [lindex $octets 0] == "10"} { set private 1 } 
    if {$private == 0 && [lindex $octets 0] == "127"} { set private 1 }
  }
}

if {$private == 0} { exit }

On CCU2:
not yet released

Credit

psytester

Not owning an original CCU2 or CCU3, but you want to analyze the CCU ‘for free’?
You can download
piVCCU for running the original CCU3 Firmware in lxc container on RaspberryPi
RaspberryMatic for running the opensource OCCU based release on different boards

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

Written on March 27, 2019 | Last modified on August 20, 2020