Psytester

Name of the Vulnerable Software and Affected Versions: eibPort V3 versions prior to 3.9.1 Description: The issue allows unauthenticated attackers to access the /webif/SecurityModule to validate the hard-coded unique 'eibPort String', which acts as the root SSH key passphrase. This can be part of an attack chain to gain SSH root access. Recommendations: For versions prior to 3.9.1, update to version 3.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /webif/SecurityModule endpoint until a patch is available. Avoid using the hard-coded `eibPort String` as the root SSH key passphrase in the affected versions.

Name of the Vulnerable Software and Affected Versions: BAB TECHNOLOGIE GmbH eibPort V3 versions prior to 3.9.1 Description: The issue allows unauthenticated attackers to access the /tmp path, which contains sensitive data such as the device serial number. This information can be used to self-calculate a possible loginId, enabling a brute force attack against the BMX interface. This can be part of an attack chain to gain SSH root access. Recommendations: For versions prior to 3.9.1, update to version 3.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp path and the BMX interface to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: eibPort V3 versions prior to 3.9.1 Description: The issue allows unauthenticated attackers to request any internal and external server due to a basic Server-Side Request Forgery (SSRF) vulnerability. Recommendations: For versions prior to 3.9.1, update to version 3.9.1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: BAB TECHNOLOGIE GmbH eibPort V3 versions prior to 3.9.1 Description: The issue allows unauthenticated attackers to access the login service at "/webif/SecurityModule" in a brute force attack. The password could be weak and the default username is known as `admin`. This can be part of an attack chain to gain SSH root access. Recommendations: For versions prior to 3.9.1, update to version 3.9.1 or later to resolve the issue. As a temporary workaround, consider changing the default username and password, and restricting access to the "/webif/SecurityModule" endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: BAB TECHNOLOGIE GmbH eibPort V3 versions prior to 3.9.1 Description: The issue allows users to set weak passwords because, although the password strength is displayed in the configuration tool, it is not enforced. This can be part of an attack chain to gain SSH root access. Recommendations: For versions prior to 3.9.1, update to version 3.9.1 or later to enforce strong password requirements and prevent potential exploitation.

Name of the Vulnerable Software and Affected Versions: BAB TECHNOLOGIE GmbH eibPort V3 Description: The issue concerns a hard-coded and weak root SSH key passphrase, known as 'eibPort string', which is unique to each device. This passphrase can be used to gain SSH root access, representing the final part of an attack chain. Recommendations: For BAB TECHNOLOGIE GmbH eibPort V3, consider changing the hard-coded root SSH key passphrase to a strong and unique password to prevent unauthorized access. As a temporary workaround, restrict SSH access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BAB TECHNOLOGIE GmbH eibPort V3 versions prior to 3.8.3 **Description** The issue allows for denial of service due to uncontrolled resource consumption. This can be triggered via requests to the lighttpd component. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ise smart connect KNX Vaillant version 1.2.839 **Description** The issue is related to a Denial of Service. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For version 1.2.839, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic Central Control Unit (CCU) versions 2 through 2.51.6 eQ-3 Homematic Central Control Unit (CCU3) versions 3 through 3.51.6 **Description** The issue allows Remote Code Execution in the JSON API Method `ReGa.runScript`, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup or factory reset. **Recommendations** For eQ-3 Homematic Central Control Unit (CCU) versions 2 through 2.51.6, disable the default auto-login feature to prevent exploitation. For eQ-3 Homematic Central Control Unit (CCU3) versions 3 through 3.51.6, disable the default auto-login feature to prevent exploitation. As a temporary workaround, consider disabling the `ReGa.runScript` method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 version 2.47.20 eQ-3 Homematic CCU3 version 3.47.18 **Description** The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the exec.cgi script, which executes TCL script content from an HTTP POST request. **Recommendations** For eQ-3 Homematic CCU2 version 2.47.20, update the system to remove or restrict access to the exec.cgi script to prevent remote code execution. For eQ-3 Homematic CCU3 version 3.47.18, update the system to remove or restrict access to the exec.cgi script to prevent remote code execution. As a temporary workaround, consider disabling the Script Parser AddOn until a patch is available.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 version 2.47.20 eQ-3 Homematic CCU3 version 3.47.18 eQ-3 Homematic HM-Print AddOn versions through 1.2a **Description** The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the `exec.cgi` and `exec1.cgi` scripts, which execute TCL script content from an HTTP POST request. **Recommendations** For eQ-3 Homematic CCU2 version 2.47.20, update to a version that fixes the remote code execution issue. For eQ-3 Homematic CCU3 version 3.47.18, update to a version that fixes the remote code execution issue. For eQ-3 Homematic HM-Print AddOn versions through 1.2a, update to a version that fixes the remote code execution issue. As a temporary workaround, consider restricting access to the `exec.cgi` and `exec1.cgi` scripts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 version 2.47.20 eQ-3 Homematic CCU3 version 3.47.18 E-Mail AddOn versions through 1.6.8.c **Description** The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the "save.cgi" script for payload upload and the "testtcl.cgi" script for its execution. **Recommendations** For eQ-3 Homematic CCU2 version 2.47.20, restrict access to the web interface to prevent unauthenticated attackers from exploiting the issue. For eQ-3 Homematic CCU3 version 3.47.18, consider disabling the save.cgi and testtcl.cgi scripts until a fix is available. For E-Mail AddOn versions through 1.6.8.c, avoid using the affected scripts in the web interface until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 versions prior to 2.47.18 eQ-3 Homematic CCU3 versions prior to 3.47.18 **Description** The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via an HTTP POST request to certain URLs related to the ReGa core process. **Recommendations** For eQ-3 Homematic CCU2 versions prior to 2.47.18, update to version 2.47.18 or later. For eQ-3 Homematic CCU3 versions prior to 3.47.18, update to version 3.47.18 or later.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 versions 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15 eQ-3 Homematic CCU3 versions 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15 **Description** The issue allows an attacker to obtain session IDs without logging in, potentially leading to a Denial of Service and serving as a starting point for other attacks. **Recommendations** For eQ-3 Homematic CCU2 versions 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15, update to a version that fixes the issue. For eQ-3 Homematic CCU3 versions 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15, update to a version that fixes the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 versions 2.35.16 through 2.47.15 **Description** The issue allows for Denial of Service due to outdated base software packages. **Recommendations** For version 2.35.16, update to a version newer than 2.35.16 to resolve the issue. For version 2.41.5, update to a version newer than 2.41.5 to resolve the issue. For version 2.41.8, update to a version newer than 2.41.8 to resolve the issue. For version 2.41.9, update to a version newer than 2.41.9 to resolve the issue. For version 2.45.6, update to a version newer than 2.45.6 to resolve the issue. For version 2.45.7, update to a version newer than 2.45.7 to resolve the issue. For version 2.47.10, update to a version newer than 2.47.10 to resolve the issue. For version 2.47.12, update to a version newer than 2.47.12 to resolve the issue. For version 2.47.15, update to a version newer than 2.47.15 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' versions prior to 2.4.5 **Description** The issue is related to improper access control for addons configuration pages and a missing check in rc.d/97NeoServer, allowing uncontrolled admin access to start or stop the Node.js process. This results in the ability to obtain mediola configuration details. **Recommendations** For versions prior to 2.4.5, update to version 2.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the addons configuration pages and the rc.d/97NeoServer script to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 **Description** The issue allows uncontrolled admin access, enabling attackers to obtain VPN profile details, shut down the VPN service, and delete the VPN service configuration. This is due to improper access control for all /addons/mh/ pages, specifically the API endpoints related to the "CloudMatic" add-on. **Recommendations** For eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3, consider restricting access to the /addons/mh/ pages as a temporary workaround until a patch is available. Avoid using the "CloudMatic" add-on until the issue is resolved to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 versions prior to 2.47.10 eQ-3 Homematic CCU3 versions prior to 3.47.10 **Description** The issue is related to Improper Access Control in the JSON API for Interface.***Metadata related operations. This allows unauthorized access to read, set, and delete Metadata. **Recommendations** For eQ-3 Homematic CCU2 versions prior to 2.47.10, update to version 2.47.10 or later to resolve the issue. For eQ-3 Homematic CCU3 versions prior to 3.47.10, update to version 3.47.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn versions prior to 2.3.0 **Description** The issue allows administrative operations to be performed by unauthenticated attackers who have access to the web interface. This is because certain features, such as the File-Browser and Shell Command, as well as the ability to "Set root password", are exposed. **Recommendations** For eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn versions prior to 2.3.0, update to version 2.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed **Description** The issue allows for Remote Code Execution by unauthenticated attackers who have access to the web interface. This is possible because the web interface can access the CMD EXEC virtual device type 28. **Recommendations** For eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed, consider restricting access to the web interface to prevent unauthenticated attackers from exploiting this issue. As a temporary workaround, limit access to the CMD EXEC virtual device type 28 until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.