VYPR
Unrated severity · NVD Advisory · Published Feb 22, 2018 · Updated Aug 5, 2024

CVE-2018-7298

Description

In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of www.meine-homematic.de or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HomeMatic CCU2 2.29.22 downloads firmware updates over unencrypted HTTP, enabling man-in-the-middle attackers to deliver malicious updates and achieve full system compromise.

Vulnerability

The HomeMatic CCU2, version 2.29.22 and earlier, runs a cron job that executes /usr/local/etc/config/addons/mh/loopupd.sh at regular intervals. This script uses wget to download a firmware version file and update package from http://www.meine-homematic.de/ over plain HTTP, without any TLS or cryptographic integrity checks [1]. The affected component is the update mechanism embedded in the loopupd.sh script, which is reachable by default on all CCU2 devices running the stock firmware.

Exploitation

An attacker who can achieve a privileged network position — for example, by spoofing DNS responses for the domain www.meine-homematic.de or by compromising a network gateway — can intercept the HTTP request and respond with a crafted payload. The attacker does not need authentication on the CCU2 itself. Because the update script runs automatically via cron with root privileges, simply delivering a malicious file over the unencrypted channel is sufficient to trigger installation during the next update cycle [1]. No user interaction beyond the normal automatic update is required.

Impact

Successful exploitation allows the attacker to replace the legitimate firmware with arbitrary malicious firmware. This results in a full compromise of the CCU2 control unit, giving the attacker complete control over the device. The impact includes disclosure of sensitive data (e.g., home automation configuration, credentials) and the ability to manipulate all connected sensors and actuators [1].

Mitigation

eQ-3 AG has not released a fixed firmware version as of the publication date (2018-02-22). The vulnerability is inherent in the design of the update script; no official workaround or patch was provided in the available references. Users should consider network-level protections, such as monitoring for DNS spoofing, or blocking outbound HTTP connections to www.meine-homematic.de until a secure update mechanism is introduced [1].
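The check a secure update mechanism has to make before installing anything, as an added shell example that is not eQ-3's code and is not taken from loopupd.sh. The function names, the detached `.sig` file and the vendor public key stored on the device are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fetch over HTTPS only, then verify a detached signature
# before the package is unpacked or executed. Fails closed on any error.
# Assumed: the vendor publishes <package>.sig (SHA-256 signature) and the
# matching public key is stored on the device in read-only firmware.

# fetch_update URL DEST: refuse plaintext schemes before touching the network.
fetch_update() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS update URL: $1" >&2; return 2 ;;
    esac
    wget -q -O "$2" "$1"
}

# verify_update PACKAGE SIGNATURE PUBKEY
# Returns 0 only for a valid signature, 2 if an input is missing or empty.
# HTTPS protects the transfer; the signature ties the file to the vendor key,
# so a spoofed DNS answer or a tampered mirror cannot produce a valid package.
verify_update() {
    pkg=$1 sig=$2 pub=$3
    for f in "$pkg" "$sig" "$pub"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$pkg" >/dev/null 2>&1
}

# install_update PACKAGE SIGNATURE PUBKEY
# Hypothetical wrapper: the real installer would be invoked where the echo is.
install_update() {
    if verify_update "$1" "$2" "$3"; then
        echo "signature OK, handing $1 to the installer"
        return 0
    fi
    echo "signature check failed, discarding $1" >&2
    rm -f -- "$1"
    return 1
}
```
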

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
