CVE-2018-7296
Description
Directory Traversal / Arbitrary File Read in User.getLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to read the first line of an arbitrary file on the CCU2's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated directory traversal in Homematic CCU2 allows remote attackers to read the first line of any file via the User.getLanguage JSON API method.
Vulnerability
A directory traversal vulnerability exists in the User.getLanguage method of eQ-3 AG Homematic CCU2 firmware version 2.29.2 and earlier. The method constructs a file path by concatenating /etc/config/userprofiles/ with the user-supplied args(userName) parameter and a .lang suffix, without sanitizing path traversal sequences (../). This allows an unauthenticated attacker to read the first line of an arbitrary file on the device's filesystem. The vulnerable code is located in api/methods/user/getlanguage.tcl [1].
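The path handling described above can be modelled outside the device. The following Python model is an added example, not eQ-3's Tcl code: it puts the described concatenation next to a hardened builder and runs both against a constructed temporary directory tree. The function names, the userName allow-list and the sample files are assumptions.

```python
import os
import re
import tempfile

SUFFIX = ".lang"  # suffix named in the description above
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed allow-list for user names

def unsafe_lang_path(base, user_name):
    """Pattern described above: plain concatenation, nothing sanitized."""
    return base + user_name + SUFFIX

def safe_lang_path(base, user_name):
    """Allow-list the name, then confirm the resolved path stays in base."""
    if not NAME_RE.fullmatch(user_name):
        raise ValueError("invalid userName")
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, user_name + SUFFIX))
    if os.path.dirname(path) != root:  # also catches symlinks leaving base
        raise ValueError("path escapes profile directory")
    return path

def first_line(path):
    """Return only the first line, as the affected method does."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readline().rstrip("\n")

def demo():
    """Run both builders against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "userprofiles") + os.sep
        os.mkdir(base)
        with open(os.path.join(base, "alice.lang"), "w") as fh:
            fh.write("de\n")  # constructed legitimate profile
        with open(os.path.join(tmp, "outside.lang"), "w") as fh:
            fh.write("constructed-secret\nsecond line\n")
        hostile = "../outside"  # constructed traversal input
        result = {
            "legit": first_line(safe_lang_path(base, "alice")),
            "unsafe_read": first_line(unsafe_lang_path(base, hostile)),
        }
        try:
            safe_lang_path(base, hostile)
            result["safe_rejects"] = False
        except ValueError:
            result["safe_rejects"] = True
        return result

if __name__ == "__main__":
    print(demo())
```

The allow-list alone stops the traversal input; the resolved-path comparison is a second layer that still holds if a profile file is replaced by a symlink.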
Exploitation
An attacker with network access to the CCU2's web interface can exploit this issue by sending a crafted HTTP request to the JSON API method User.getLanguage with a userName parameter containing path traversal sequences (e.g., ../../../../etc/passwd). No authentication is required; the method is accessible anonymously [1]. The web server runs as root, so any file readable by root can be accessed.
Impact
Successful exploitation allows an unauthenticated remote attacker to read the first line of any file on the CCU2's filesystem. This can lead to disclosure of sensitive information such as system passwords, configuration secrets, or cryptographic keys, potentially enabling further compromise of the device and the smart home network [1].
Mitigation
As of the publication date (2018-02-22), no patch had been released by eQ-3 AG. Users should monitor for firmware updates and apply them when available. Until a fix is deployed, restrict network access to the CCU2's web interface to trusted hosts only, and consider placing the device behind a firewall or VPN to limit exposure to unauthenticated attackers [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.29.2
Patches
No patches discovered yet.
References
[1] atomic111.github.io/article/homematic-ccu2-fileread (mitre, x_refsource_MISC)