VYPR
Unrated severity · NVD Advisory · Published Oct 17, 2019 · Updated Aug 5, 2024

CVE-2019-14424

Description

A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Local File Inclusion in Homematic CCU firmware's CUx-Daemon addon allows authenticated attackers to read arbitrary files via the web interface.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) in the CUx-Daemon addon version 1.11a (and up to 2.2.0 according to reference [2]) of the Homematic CCU-Firmware versions 2.35.16 to 2.45.6 [2]. The issue resides in the index.ccc script, which does not sanitize the file parameter and therefore allows path traversal [2].

Exploitation

An attacker must be authenticated to the Homematic CCU web interface [2]. They can send a crafted HTTP GET request to /addons/cuxd/index.ccc?file=/etc/shadow (or any other file) [2]. No special privileges beyond standard authentication are required.

Impact

Successful exploitation allows reading arbitrary files on the system, such as /etc/shadow, leading to disclosure of sensitive user information (e.g., password hashes) that could facilitate further attacks [2]. The confidentiality of the system is compromised.

Mitigation

The vendor eQ-3 has announced discontinuation of Homematic, but security updates are promised for at least ten years [1]. However, no specific patch for this vulnerability is mentioned in the references. Users should ensure they are on the latest firmware version (2.45.6 or later) and consider using the more secure Homematic IP system [1]. Alternatively, disable or remove the CUx-Daemon addon if not needed [2].
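
For deployments that cannot remove the addon immediately, the request described under Exploitation can be looked for in web server logs. The following is an added example, not code from the advisory or from eQ-3; it assumes Common/Combined Log Format access logs, and the sample lines and the list of sensitive prefixes are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the access log uses Common/Combined Log Format.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
CUXD_PATH = "/addons/cuxd/index.ccc"  # endpoint named in the advisory
# Assumption: path prefixes worth alerting on; tune for the device.
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/proc/")

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /addons/cuxd/index.ccc?file=/etc/shadow HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /addons/cuxd/index.ccc?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /addons/cuxd/index.ccc HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html?file=/etc/passwd HTTP/1.1" 404 0',
]

def classify(file_value):
    """Return why a 'file' value looks like file disclosure, or None."""
    if "\x00" in file_value:
        return "null byte"
    if ".." in file_value.replace("\\", "/").split("/"):
        return "traversal"
    if posixpath.normpath(file_value).startswith(SENSITIVE_PREFIXES):
        return "sensitive path"
    return None

def scan(lines):
    """Flag requests to the CUxD endpoint whose 'file' parameter is suspicious."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = posixpath.normpath(re.sub(r"/+", "/", unquote(url.path)))
        if path.lower() != CUXD_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            # parse_qs decodes once; a second decode catches double encoding.
            reason = classify(value) or classify(unquote(value))
            if reason:
                findings.append({"line": n, "source": m["src"], "file": value,
                                 "reason": reason, "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 means the server answered the request, so the named file should be treated as disclosed and any credentials in it rotated.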

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

2
