VYPR
Unrated severity · NVD Advisory · Published Aug 14, 2019 · Updated Aug 4, 2024

CVE-2019-13030


Description

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a missing check in rc.d/97NeoServer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper access control in Mediola NEO Server AddOn for Homematic CCU3 prior to 2.4.5 allows unauthenticated attackers to start/stop Node.js and obtain configuration details.

Vulnerability

The Mediola NEO Server AddOn for eQ-3 Homematic CCU3 prior to version 2.4.5 suffers from improper access control (CWE-284) on the addons configuration pages and a missing check in rc.d/97NeoServer [1][2]. This allows an unauthenticated attacker to start or stop the Node.js process without proper authorization. Affected CCU3 firmware versions include 3.41.11, 3.43.16, 3.45.5, and 3.45.7 [1][2].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable addons configuration pages on the CCU3 device. No authentication or user interaction is required, as the CVSS vector indicates network-based access with low complexity and no privileges needed [1]. The missing access control check allows the attacker to start or stop the Node.js process, which is part of the Mediola NEO Server [1][2].

Impact

Successful exploitation enables the attacker to obtain Mediola configuration details, leading to information disclosure (confidentiality impact: low). Additionally, the ability to stop the Node.js process can cause a denial of service (availability impact: high) [1]. There is no integrity impact, but the combination of information disclosure and service disruption poses a significant risk to the smart home system.

Mitigation

The vulnerability is fixed in Mediola NEO Server version 2.4.5, which is included in Homematic CCU3 firmware version 3.47.10 [1][2]. Users should update the CCU3 firmware to at least 3.47.10 to receive the patched AddOn. No workarounds are documented; the vendor Mediola provided the fix after being contacted, while eQ-3 initially stated they were not responsible for AddOns [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
