CVE-2019-9582
Description
Outdated base software packages in eQ-3 Homematic CCU2 allow Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eQ-3 Homematic CCU2 uses outdated base software packages (e.g., BusyBox 1.20.2) leading to remote Denial of Service via resource exhaustion.
Vulnerability
The eQ-3 Homematic CCU2 ships with outdated base software packages, including BusyBox version 1.20.2 from 2012 and Buildroot 2012.08, among others like OpenSSH 6.0p1 and lighttpd 1.4.31 [1][2]. This allows an attacker to trigger uncontrolled resource consumption (CWE-400) leading to a Denial of Service. Affected firmware versions include 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15, and 2.47.20 [1].
Exploitation
An unauthenticated attacker can exploit known vulnerabilities in the outdated packages from a remote network position. By sending specially crafted network requests, the attacker can exhaust system resources such as memory or CPU, causing the device to become unresponsive [1][2]. No user interaction or prior authentication is required.
Impact
Successful exploitation results in a Denial of Service (DoS), making the Homematic CCU2 unavailable for its intended functions. The CVSS v3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a high impact on availability, with no impact on confidentiality or integrity [1][2].
Mitigation
The vendor released firmware version 2.49.17 on 2019-12-09 to address this issue [1][2]. Users should upgrade to this version or later. If upgrading is not immediately possible, restrict network access to the CCU2 to trusted hosts only. Outdated packages are no longer supported, making patching critical [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/Homematic CCU2
- Range: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15
Patches
No patches discovered yet.
References
- github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_pentests/CVEs/2019-03-27-CVE-2019-9582.md (mitre, x_refsource_MISC)
- psytester.github.io/CVE-2019-9582/ (mitre, x_refsource_MISC)