CVE-2019-9584 eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages
- CVE: CVE-2019-9584
- Author: psytester
- Title: eQ-3 Homematic AddOn ‘CloudMatic’ on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages
- Vulnerability Type: CWE-284: Improper Access Control
- CVSSv3 Base Score: 9.8
- CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Publishing Date: 25.07.2019
- Updated: –
- Vendor: eQ-3 AG for CCU Firmware contains from vendor EASY SmartHome GmbH the ‘CloudMatic’ AddOn
- Product: Homematic CCU2 and CCU3 ‘CloudMatic’ AddOn
- Vendor eQ-3 contacted: 13.02.2019
- Vendor eQ-3 response on 11.04.2019 with “not responsible for AddOns”
- Vendor EASY SmartHome contacted: 21.05.2019
- Vendor EASY SmartHome confirmation: 22.05.2019
- Vendor patch: n.a. in CCU2 and CCU3, but a first hotpatch as Github commit #76274aa
- Vendor EASY SmartHome Reference: Github issue #8
- Affected Firmware version of CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15, 2.47.18, 2.47.20, 2.49.17 tested
- Affected Firmware version of CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15, 3.47.18, 3.47.22, 3.49.17 tested
From EASY SmartHome GmbH translated:
Do you want to access your Smarthome via App and Web, with certified security, but without complex self-configurations? With your personal VPN access via CloudMatic Connect, you can access your Smarthome worldwide without having to acquire technical know-how and invest a lot of time and effort in your own configuration.
Your added value
- Secure remote access to the Smarthome
- Easy to set up
- Voice control via Amazon Alexa
- Remote control of other home power supplies (e.g. routers, NAS)
- Maintenance access for remote access by e.g. installers
- Connection to ConradConnect
- Link with IFTTT
- Communication between several control centers
- Remote control via various apps (e.g. Mediola, PocketControl, TinyMatic)
An important component of Smarthome systems is access security. Especially for remote access, security plays an important role and port forwarding etc. should not be used.
From eQ-3 vendor’s website for CCU2:
HomeMatic Central Control Unit CCU2
Homematic Central Control Unit is the central element of your Homematic system, offering a whole range of control, monitoring and configuration options for all the Homematic devices in your installation
From eQ-3 vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
Past eQ-3 press release about taking security updates seriously (in German only):
eQ-3 ist es wichtig, dass auch solche Lücken geschlossen werden, die für die meisten Installationen keine Rolle spielen.
Obwohl nur Nutzer betroffen sind, die gegen Sicherheitshinweise von eQ-3 verstoßen oder seit mehreren Jahren keine Sicherheitsupdates installiert haben, gibt eQ-3 solchen Fällen hohe Priorität und behebt entsprechende Sicherheitslücken schnellstmöglich nach Bekanntwerden in neuen Software-Versionen und Hotfixes.
While analyzing the CCU web interface based on given page files in file system path /www, this is another Improper Access Control resulting into Uncontrolled Resource Consumption and File Modification / Deletion vulnerability located in build-in ‘CloudMatic’ AddOn. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
The following HTTP requests in Web Browser illustrates the attack vectors:
- Information Disclosure
In case of
http://126.96.36.199/addons/mh/dotest2.cgishows up an user account not “none”:
Inhalt mhcfg userkennung= ..... here not "none" .....
The username could be found in search machines, directly linked to a person, which is living at town …..
- Denial of Service / File Deletion:
VPN setup is deleted by
http://188.8.131.52/addons/mh/dotest2.cgishows unset username and VPN key files where deleted
Inhalt mhcfg userkennung=none
- Denial of Service:
Shutting down the VPN service
Shutting down the Reverse proxy by
Shutting down the CloudMatic monitoring by
CVSSv3 Base Score
CVSSv3 Base Score: 9.8
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Not owning an original CCU2 or CCU3, but you want to analyze the CCU ‘for free’?
You can download
piVCCU for running the original CCU3 Firmware in lxc container on RaspberryPi
RaspberryMatic for running the opensource OCCU based release on different boards
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.