VYPR NVD Advisory · Severity: unrated · Published Aug 14, 2019 · Updated Aug 4, 2024

CVE-2019-9583

Description

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

eQ-3 Homematic CCU2/CCU3 allow unauthenticated session ID generation, enabling denial-of-service and serving as an attack vector.

Vulnerability

The eQ-3 Homematic CCU2 (versions 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15) and CCU3 (versions 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15) have a vulnerability where session IDs can be obtained without any authentication [1][2]. This is categorized as CWE-400 Uncontrolled Resource Consumption. The issue allows an attacker to generate and consume session resources without needing to log in.

Exploitation

An attacker can exploit this by sending requests to the device to generate session IDs without authentication [1][2]. No special network position is required; the attacker only needs network access to the device's web interface. The CVSSv3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) indicates the attack is remotely exploitable with low complexity and no privileges required [1].

Impact

Successful exploitation leads to a denial-of-service condition as the device's resources are consumed by unauthenticated session ID generation [1]. The vulnerability also serves as a starting point for other attacks [1][2]. The CVSS score of 8.2 (High) reflects high availability impact and low integrity impact [1][2].

Mitigation

A partial fix was introduced in firmware versions 2.47.10 (CCU2) and 3.47.10 (CCU3) [1][2], but the vulnerability was not fully resolved in those versions; users should update to the latest firmware available from eQ-3, since further updates may be available. No workarounds for unpatched versions are mentioned; the vendor's changelog reference is [HMCCU-274] [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • eQ-3/Homematic CCU2
  • Range: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15

Patches


No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References


News mentions


No linked articles in our index yet.