Sign-up

ID

VAR-201908-0258


CVE

CVE-2019-9584


TITLE

eQ-3 Homematic CCU2 and CCU3 Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008362

DESCRIPTION

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages. eQ-3 Homematic CCU2 and CCU3 Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

Trust: 1.71

sources: NVD: CVE-2019-9584 // JVNDB: JVNDB-2019-008362 // VULHUB: VHN-161019

AFFECTED PRODUCTS

vendor:eq 3model:homematic ccu2scope:lteversion:2.47.15

Trust: 1.0

vendor:eq 3model:homematic ccu3scope:lteversion:3.47.15

Trust: 1.0

vendor:eq 3model:ccu2scope: - version: -

Trust: 0.8

vendor:eq 3model:ccu3scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-008362 // NVD: CVE-2019-9584

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-9584
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-9584
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201908-1089
value: CRITICAL

Trust: 0.6

VULHUB: VHN-161019
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-9584
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-161019
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-9584
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-161019 // JVNDB: JVNDB-2019-008362 // CNNVD: CNNVD-201908-1089 // NVD: CVE-2019-9584

PROBLEMTYPE DATA

problemtype:CWE-425

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-161019 // JVNDB: JVNDB-2019-008362 // NVD: CVE-2019-9584

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1089

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201908-1089

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-008362

PATCH
title:Top Pageurl:https://www.eq-3.com/
Trust: 0.8
title:eQ-3 Homematic CCU2  and eQ-3 Homematic CCU3 Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96756
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-008362 // 
            
            
            
            CNNVD: CNNVD-201908-1089

EXTERNAL IDS
db:NVDid:CVE-2019-9584
Trust: 2.5
db:JVNDBid:JVNDB-2019-008362
Trust: 0.8
db:CNNVDid:CNNVD-201908-1089
Trust: 0.7
db:VULHUBid:VHN-161019
Trust: 0.1
sources:
            
            
            VULHUB: VHN-161019 // 
            
            
            
            JVNDB: JVNDB-2019-008362 // 
            
            
            
            CNNVD: CNNVD-201908-1089 // 
            
            
            
            NVD: CVE-2019-9584

REFERENCES
url:https://github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_pentests/cves/2019-03-27-cve-2019-9584.md
Trust: 2.5
url:https://psytester.github.io/cve-2019-9584/
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-9584
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9584
Trust: 0.8
sources:
            
            
            VULHUB: VHN-161019 // 
            
            
            
            JVNDB: JVNDB-2019-008362 // 
            
            
            
            CNNVD: CNNVD-201908-1089 // 
            
            
            
            NVD: CVE-2019-9584

SOURCES
db:VULHUBid:VHN-161019
db:JVNDBid:JVNDB-2019-008362
db:CNNVDid:CNNVD-201908-1089
db:NVDid:CVE-2019-9584

LAST UPDATE DATE
2024-11-23T22:11:56.293000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-161019date:2020-08-24T00:00:00
db:JVNDBid:JVNDB-2019-008362date:2019-08-29T00:00:00
db:CNNVDid:CNNVD-201908-1089date:2020-08-25T00:00:00
db:NVDid:CVE-2019-9584date:2024-11-21T04:51:54.330

SOURCES RELEASE DATE
db:VULHUBid:VHN-161019date:2019-08-14T00:00:00
db:JVNDBid:JVNDB-2019-008362date:2019-08-29T00:00:00
db:CNNVDid:CNNVD-201908-1089date:2019-08-14T00:00:00
db:NVDid:CVE-2019-9584date:2019-08-14T21:15:19.250