VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2019 · Updated Aug 5, 2024

CVE-2019-18939

Description

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated remote code execution in eQ-3 Homematic CCU2/CCU3 via HM-Print AddOn exec.cgi/exec1.cgi scripts executing TCL from HTTP POST.

Vulnerability

The HM-Print AddOn, versions 1.2a and prior, installed on eQ-3 Homematic CCU2 firmware 2.47.20 and CCU3 firmware 3.47.18, contains an improper access control weakness (CWE-284) in the exec.cgi and exec1.cgi scripts. These scripts execute arbitrary TCL script content received in HTTP POST requests without any authentication check, allowing unauthenticated remote code execution [1].

Exploitation

An unauthenticated attacker with network access to the web interface of the affected Homematic CCU can send a crafted HTTP POST request to either exec.cgi or exec1.cgi containing arbitrary TCL code. No prior authentication or user interaction is required. The TCL code is executed by the server with the privileges of the web server process [1].

Impact

Successful exploitation results in full remote code execution with the highest privileges, leading to complete compromise of confidentiality, integrity, and availability. The CVSSv3 base score is 10.0 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H [1].

Mitigation

The HM-Print AddOn developer released version 2.3 on 03.11.2020, which fixes the vulnerability. Users should update to version 2.3 or later. The vendor eQ-3 stated they are not responsible for AddOns, so the fix must come from the AddOn developer. No workaround is available for unpatched versions [1].
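As an added example (not code from the advisory, eQ-3, or the HM-Print project), the following Python helper does the two things a defender wants from this advisory: it flags POST requests to exec.cgi/exec1.cgi in CCU web-server access logs, and it checks an installed HM-Print version string against the fixed release 2.3. The Common Log Format, the /addons/hm_print/ path prefix and the sample log lines are constructed assumptions; only the script names and version numbers come from the advisory.

```python
import re
from typing import List, Tuple

# Constructed sample access log (Common Log Format is an assumption; the real
# CCU log format may differ). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/2019:10:01:02 +0000] "GET /addons/hm_print/index.cgi HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2019:10:01:05 +0000] "POST /addons/hm_print/exec.cgi HTTP/1.1" 200 88
198.51.100.7 - - [14/Nov/2019:10:01:09 +0000] "POST /addons/hm_print/exec1.cgi HTTP/1.1" 200 91
192.0.2.10 - - [14/Nov/2019:10:02:00 +0000] "POST /api/homematic.cgi HTTP/1.1" 200 300
"""

# Script names come from the advisory; the directory they live in is not stated,
# so matching is done on the final path component only.
EXEC_SCRIPTS = ("exec.cgi", "exec1.cgi")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_exec_posts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, path) for every POST to exec.cgi/exec1.cgi."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
        if m.group("method") == "POST" and script in EXEC_SCRIPTS:
            hits.append((m.group("ip"), m.group("ts"), m.group("path")))
    return hits


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse AddOn versions such as '1.2a' or '2.3' into a comparable tuple.
    A trailing letter (the 'a' in 1.2a) is treated as a patch level above the
    bare number, so 1.2 < 1.2a < 1.3."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z])?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, suffix = m.groups()
    return (int(major), int(minor), ord(suffix) - ord("a") + 1 if suffix else 0)


FIXED_VERSION = parse_version("2.3")  # first release the advisory names as fixed


def is_vulnerable(version: str) -> bool:
    """True when the installed HM-Print version is older than the fixed 2.3."""
    return parse_version(version) < FIXED_VERSION
```

Any hit from find_exec_posts on a CCU running a version for which is_vulnerable is True should be treated as a likely compromise, since those endpoints accept TCL from anyone who can reach the web interface.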

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
