PT-2018-18006 · Eq 3 Ag · Homematic Ccu2

Gregor Kopf +1 · Published 2018-02-22 · Updated 2019-10-03 · CVE-2018-7298

CVSS v2.0: 9.3 High · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
eQ-3 AG HomeMatic CCU2 version 2.29.22

Description
Software update packages are downloaded over plain HTTP, without any cryptographic protection of the download. An attacker with a privileged network position (able to intercept or alter the device's traffic) can exploit this to deliver a malicious firmware update, potentially resulting in a full system compromise.

Recommendations
For eQ-3 AG HomeMatic CCU2 version 2.29.22, consider disabling the loopupd.sh script in /usr/local/etc/config/addons/mh/ as a temporary workaround until a patch is available. Restrict network access to the device to minimize the risk of exploitation.
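The root cause described above is an update path that installs whatever the transport delivers. The following Go program, added here as an illustration and not code from eQ-3 or from the CCU2 firmware, places the vulnerable pattern next to the hardened one: an update is accepted only if a detached signature over its digest verifies under a vendor public key pinned in the device. The package layout (image plus Ed25519 signature over a SHA-256 digest), the SignPackage stand-in for the vendor's release pipeline, and the firmware image bytes are all constructed for this example; the advisory does not describe the CCU2's real package format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is what the update client receives: a firmware image plus a detached
// signature over the image's SHA-256 digest. This layout is assumed for the example;
// the CCU2's real package format is not described in the advisory.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

// ApplyUnverified models the behaviour the advisory describes: the package fetched over
// plain HTTP is installed exactly as received. Nothing ties the bytes to the vendor, so
// whoever can alter the transfer decides what gets installed.
func ApplyUnverified(pkg UpdatePackage) []byte {
	return pkg.Image
}

// VerifyAndApply is the hardened form: the image is installed only if its signature
// verifies under a vendor public key pinned in the device. The integrity of the update
// then no longer depends on the transport it arrived over.
func VerifyAndApply(vendorPub ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	digest := sha256.Sum256(pkg.Image)
	if !ed25519.Verify(vendorPub, digest[:], pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	return pkg.Image, nil
}

// SignPackage stands in for the vendor's release pipeline (assumed; not from the page).
func SignPackage(vendorPriv ed25519.PrivateKey, image []byte) UpdatePackage {
	digest := sha256.Sum256(image)
	return UpdatePackage{Image: image, Signature: ed25519.Sign(vendorPriv, digest[:])}
}

// Tamper simulates an in-transit modification: one image byte is flipped while the
// original signature is left in place.
func Tamper(pkg UpdatePackage) UpdatePackage {
	modified := append([]byte(nil), pkg.Image...)
	modified[0] ^= 0xff
	return UpdatePackage{Image: modified, Signature: pkg.Signature}
}

// Outcome records what each update path does with the genuine and the altered package.
type Outcome struct {
	GenuineAccepted    bool // hardened path installs the genuine image
	TamperedRejected   bool // hardened path refuses the altered image
	UnverifiedInstalls bool // vulnerable path installs the altered image anyway
}

// RunScenario signs a constructed firmware image, tampers with a copy, and feeds both
// packages through both update paths.
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	image := []byte("constructed firmware image (not real CCU2 firmware)")
	genuine := SignPackage(vendorPriv, image)
	altered := Tamper(genuine)

	var out Outcome
	installed, err := VerifyAndApply(vendorPub, genuine)
	out.GenuineAccepted = err == nil && bytes.Equal(installed, image)
	_, err = VerifyAndApply(vendorPub, altered)
	out.TamperedRejected = err != nil
	out.UnverifiedInstalls = bytes.Equal(ApplyUnverified(altered), altered.Image)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("hardened path installs genuine image:    %v\n", out.GenuineAccepted)
	fmt.Printf("hardened path rejects tampered image:    %v\n", out.TamperedRejected)
	fmt.Printf("unverified path installs tampered image: %v\n", out.UnverifiedInstalls)
}
```

The point of the comparison is that moving the download to HTTPS alone only protects the transfer; pinning the vendor's verification key on the device and checking the signature before installation protects the package itself, regardless of how it was fetched or where it was cached. Rotating or revoking that key is a separate design question the example does not cover.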

Fix

Weakness Enumeration
Cleartext Transmission of Sensitive Information

Related Identifiers
CVE-2018-7298

Affected Products
Homematic Ccu2