CVE-2018-7299
Description
Remote Code Execution in the addon installation process in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows authenticated attackers to create or overwrite arbitrary files or install malicious software on the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can achieve remote code execution on Homematic CCU2 <=2.29.2 by uploading a malicious addon package containing an arbitrary update_script.
Vulnerability
A remote code execution vulnerability exists in the addon installation process of eQ-3 AG Homematic CCU2 firmware version 2.29.2 and earlier [1]. The web interface allows authenticated users to upload addon packages. These packages contain an update_script file that is executed during installation without proper validation [1]. This enables an attacker to create or overwrite arbitrary files or install malicious software on the device [1].
Exploitation
An attacker must be an authenticated user with access to the Homematic CCU2 web interface [1]. The exploitation requires the attacker to craft a malicious addon package containing a specifically crafted update_script file, upload it via the web interface, and then trigger the installation process [1]. No additional user interaction is required beyond the initial authentication and upload [1].
Impact
Successful exploitation results in arbitrary code execution on the CCU2 device [1]. The attacker can overwrite system files, such as /usr/local/crontabs/root to establish persistence, or install entirely new malicious software [1]. This compromises the confidentiality, integrity, and availability of the device and potentially the entire smart home system [1].
Mitigation
No official fix has been disclosed for this vulnerability in the available references [1]. Users are advised to avoid installing addons from untrusted sources, as the current addon installation process does not enforce any signing mechanism [1]. It is recommended to implement code signing for trusted addons and to warn users when installing unsigned packages [1].
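The two installer behaviours discussed above, as an added example in Go that is not code from this page, from eQ-3 or from the cited write-up. The package layout (a gzip-compressed tar with a top-level update_script entry), the function names and the Ed25519 signing scheme are assumptions; the page only states that the package carries an update_script that the installer runs. The vulnerable path returns the script an authenticated upload would get executed, with no check on who produced the package. The hardened path verifies a detached signature over the raw package bytes against a vendor key pinned in firmware before the archive is parsed, always refuses a tampered or mis-signed package, and accepts an unsigned one only after the user has confirmed a warning, which is the policy the mitigation text recommends. Nothing is executed; the script text is returned so the demo is safe to run anywhere.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumption (not stated on the page): an addon is a gzip-compressed tar with a
// top-level "update_script" entry that the installer hands to the shell.

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildAddon builds an addon package around an attacker-chosen update_script.
func buildAddon(updateScript string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	must(tw.WriteHeader(&tar.Header{Name: "update_script", Mode: 0755, Size: int64(len(updateScript))}))
	_, err := tw.Write([]byte(updateScript))
	must(err)
	must(tw.Close())
	must(gz.Close())
	return buf.Bytes()
}

// extractUpdateScript returns the update_script entry of a package as text.
func extractUpdateScript(pkg []byte) (string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(pkg))
	if err != nil {
		return "", err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return "", errors.New("package has no update_script")
		}
		if err != nil {
			return "", err
		}
		if hdr.Name == "update_script" {
			body, err := io.ReadAll(tr)
			if err != nil {
				return "", err
			}
			return string(body), nil
		}
	}
}

// vulnerableInstall mirrors the behaviour described for CCU2 <=2.29.2: whatever
// an authenticated user uploads, its update_script is run as-is.
func vulnerableInstall(pkg []byte) (string, error) {
	return extractUpdateScript(pkg)
}

// signAddon is the vendor-side step: a detached Ed25519 signature over the raw
// package bytes, made with a key that never leaves the vendor.
func signAddon(vendorPriv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(vendorPriv, pkg)
}

// hardenedInstall verifies the signature against a public key pinned in firmware
// before the archive is parsed. A bad signature is always refused; a missing
// signature is refused unless the user explicitly confirmed the warning.
func hardenedInstall(vendorPub ed25519.PublicKey, pkg, sig []byte, userConfirmedUnsigned bool) (string, error) {
	switch {
	case len(sig) == 0 && !userConfirmedUnsigned:
		return "", errors.New("unsigned addon: warn the user and require explicit confirmation")
	case len(sig) != 0 && !ed25519.Verify(vendorPub, pkg, sig):
		return "", errors.New("addon signature invalid: not from the vendor or tampered with")
	}
	return extractUpdateScript(pkg)
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	// Constructed payload of the kind the Impact section describes (persistence
	// through the device's root crontab); this program never executes it.
	payload := "#!/bin/sh\necho '* * * * * /usr/local/addons/x/run.sh' >> /usr/local/crontabs/root\n"
	pkg := buildAddon(payload)

	script, _ := vulnerableInstall(pkg)
	fmt.Printf("vulnerable installer would run:\n%s", script)
	_, err = hardenedInstall(vendorPub, pkg, nil, false)
	fmt.Println("hardened installer, unsigned upload:", err)
	_, err = hardenedInstall(vendorPub, pkg, signAddon(vendorPriv, pkg), false)
	fmt.Println("hardened installer, vendor-signed upload, err =", err)
}
```

Two design choices matter here: the signature is checked over the raw bytes before any gzip or tar code touches the upload, so an unauthenticated archive never reaches the parser, and the vendor public key is pinned on the device rather than shipped inside the package, since a key carried by the package could be replaced along with the script.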
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3 AG Homematic CCU2 firmware, range: <=2.29.2
Patches
No patches discovered yet.
References
[1] https://atomic111.github.io/article/homematic-ccu2-untrusted_addon (MITRE x_refsource_MISC)