CVE-2019-14423
Description
A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated RCE vulnerability in CUx-Daemon addon for Homematic CCU allows root-level command execution via HTTP request.
Vulnerability
The CUx-Daemon addon (version 1.11a) for eQ-3 Homematic CCU firmware versions 2.35.16 through 2.45.6 contains a Remote Code Execution (RCE) vulnerability [1][2]. The bug resides in the index.ccc endpoint, where the cmd parameter is passed unsanitized to system commands executed with root privileges. No special configuration beyond default installation is required to reach the vulnerable code path [2].
Exploitation
An attacker with valid credentials to the Homematic web interface can send a crafted HTTP GET request to the /addons/cuxd/index.ccc endpoint with the maintenance parameter set to 9 and the cmd parameter containing arbitrary shell commands [2]. The attacker must be in a position to reach the web interface over the network. No additional user interaction or race condition is needed [2].
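Because the request shape described above is fixed (the index.ccc path, maintenance set to 9, and a cmd parameter), it can be hunted for in web access logs. The following is an added example, not code from the advisory or from the CUx-Daemon project; it assumes access logs in Common Log Format from the CCU's web server or a reverse proxy in front of it, and the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Common/Combined Log Format. Adjust REQUEST_RE for other log layouts.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/addons/cuxd/index.ccc"  # endpoint named in the CVE write-up

# Constructed sample lines (documentation IP ranges, harmless cmd values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2019:10:00:01 +0000] "GET /addons/cuxd/index.ccc HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2019:10:02:13 +0000] "GET /addons/cuxd/index.ccc?maintenance=9&cmd=uptime HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Aug/2019:10:02:40 +0000] "GET /addons//cuxd/index.ccc?cmd=cat%20%2Fetc%2Fhostname&maintenance=9 HTTP/1.1" 200 298',
    '192.0.2.10 - - [01/Aug/2019:10:05:00 +0000] "GET /addons/cuxd/index.ccc?maintenance=1 HTTP/1.1" 200 900',
]

def match_cuxd_command_request(line):
    """Return a finding dict for a request carrying maintenance=9 and cmd, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Normalise percent-encoding and duplicate slashes before comparing the path.
    path = re.sub(r"/+", "/", unquote(url.path))
    if path != VULN_PATH:
        return None
    # parse_qs decodes values and is independent of parameter order.
    params = parse_qs(url.query, keep_blank_values=True)
    if "9" not in params.get("maintenance", []) or "cmd" not in params:
        return None
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "cmd": params["cmd"][0],  # decoded command string, for triage
    }

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(match_cuxd_command_request, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only query-string requests are visible in an access log, so this covers the GET form the write-up describes; any hit on an installation running an affected CUx-Daemon version warrants treating the CCU as compromised.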
Impact
Successful exploitation grants the attacker remote command execution as root on the underlying Linux system [2]. This leads to full compromise of the Homematic CCU, including data exfiltration, installation of persistent backdoors, and potential pivoting to other devices on the home network [2].
Mitigation
The vulnerability is fixed in CUx-Daemon version 2.2.0 [2]. Users are advised to update the addon to the latest version. The Homematic CCU firmware itself is no longer actively developed, with eQ-3 focusing on the Homematic IP platform; however, security-relevant updates for Homematic will be provided for at least ten years from 2023 [1]. No workaround is available for users who cannot upgrade [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/Homematic CCU-Firmware
- Range: =1.11a
Patches
No patches discovered yet.
References
- noskill1337.github.io/homematic-with-cux-daemon-remote-code-execution (mitre, x_refsource_MISC)
- www.eq-3.com/products/homematic.html (mitre, x_refsource_MISC)