Attackers from the Internet can abuse a security hole in the home automation server HomeMatic and in RaspberryMatic to inject and execute malicious code without prior authentication. An updated version of the smart home software released last week closes the hole.
There are several problems with the Java-based component HMIPServer.jar, the developer writes in the security advisory (CVE-2024-24578, CVSS 10.0, risk "critical"). The HMIPServer can be reached through URLs that begin with /pages/jpages. The class FirmwareController, however, does not perform a session ID check, which means access is possible without a valid session. The code does read the sid value, but then does not use it.
RaspberryMatic: Several problems lead to a critical vulnerability
The URL /pages/jpages/system/DeviceFirmware/addFirmware can therefore be reached by anyone on the Internet without any further checks. Unauthenticated attackers can upload malicious .tgz archives there, which the server simply unpacks. Because of insufficient filtering of sequences such as ../, a path traversal vulnerability in the archive paths allows breaking out of the intended temporary directory. As a result, arbitrary files in the file system can be overwritten. The author gives the example of overwriting the watchdog script, which is invoked via cron every five minutes with root privileges.
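As an added illustration (not code from RaspberryMatic or HomeMatic), this is the check that was missing here: before a server unpacks an uploaded .tgz into a temporary directory, every entry's resolved path, and the target of every link entry, must stay inside that directory. The archive contents, entry names and destination path below are constructed for the example.

```python
"""Added example: reject .tgz entries that would escape the unpack directory."""
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return the names of entries that would be written outside `dest`."""
    dest_real = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        # Resolve the entry name against dest; this collapses any '../' parts
        # and leaves absolute names untouched, so both escapes are caught.
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(member.name)
            continue
        # Symlinks resolve relative to the entry's directory, hardlinks
        # relative to the archive root; either may point outside dest.
        if member.issym() or member.islnk():
            base = os.path.dirname(target) if member.issym() else dest_real
            link_target = os.path.realpath(os.path.join(base, member.linkname))
            if os.path.commonpath([dest_real, link_target]) != dest_real:
                bad.append(member.name)
    return bad


def check_upload(tgz_bytes: bytes, dest: str) -> list[str]:
    """Names of offending entries in an uploaded .tgz; empty means safe to unpack."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return unsafe_members(tar, dest)


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory .tgz from a name -> content mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_archive({
        "firmware/update.bin": b"\x00" * 16,            # benign entry
        "../../../etc/SAMPLE-watchdog.sh": b"#!/bin/sh\n",  # constructed traversal attempt
    })
    print(check_upload(sample, "/tmp/firmware-upload"))  # constructed unpack dir
```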
The vulnerabilities are present in RaspberryMatic up to and including 3.73.9.20240130. Version 3.75.6.20240316 or newer corrects the security-related errors. If you use RaspberryMatic for your home automation, you should download and install the updated version immediately. This should be done quickly even if the RaspberryMatic server is not reachable externally, as the vulnerabilities allow attackers who have broken into the local network by other means to establish themselves there.
The updated images are available for download on the RaspberryMatic release page. Almost exactly two years ago, RaspberryMatic drew attention with another critical security hole. There, too, malicious actors were able to take control of a vulnerable device.
Update, 19.03.2024, 14:46
The error goes back to a security hole in the HomeMatic CCU3 firmware. Its changelog lists the item as "Vulnerabilities related to, among other things, the upload of device firmware have been closed (CVE-2024-24578)". The CVE entry currently only refers to RaspberryMatic. However, HomeMatic users should also make sure to update their devices. We have added references to HomeMatic to the text accordingly.
(dmk)