ID

VAR-201908-0656


CVE

CVE-2019-14986


TITLE

eQ-3 Homematic CCU2 and CCU3 Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008025

DESCRIPTION

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed. eQ-3 Homematic CCU2 and CCU3 contain a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Both eQ-3 Homematic CCU3 and eQ-3 HomeMatic CCU2 are central control units of a smart home system from the German company eQ-3. The vulnerability stems from the process of constructing executable commands from external input data: the network system or product does not properly filter special elements. An attacker can use this vulnerability to execute illegal commands.

Trust: 2.16

sources: NVD: CVE-2019-14986 // JVNDB: JVNDB-2019-008025 // CNVD: CNVD-2020-17029

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-17029

AFFECTED PRODUCTS

vendor: eq 3, model: homematic ccu2, scope: lt, version: 2.3.0

Trust: 1.0

vendor: eq 3, model: homematic ccu3, scope: lt, version: 2.3.0

Trust: 1.0

vendor: eq 3, model: ccu2, scope: lt, version: 2.3.0

Trust: 0.8

vendor: eq 3, model: ccu3, scope: lt, version: 2.3.0

Trust: 0.8

vendor: eq 3, model: homematic ccu2, scope: -, version: -

Trust: 0.6

vendor: eq 3, model: eq-3 homematic ccu3, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-17029 // JVNDB: JVNDB-2019-008025 // NVD: CVE-2019-14986

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14986
value: HIGH

Trust: 1.0

NVD: CVE-2019-14986
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-17029
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-913
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-14986
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-17029
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-14986
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2020-17029 // JVNDB: JVNDB-2019-008025 // CNNVD: CNNVD-201908-913 // NVD: CVE-2019-14986

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-77

Trust: 0.8

sources: JVNDB: JVNDB-2019-008025 // NVD: CVE-2019-14986

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-913

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-913

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008025

PATCH

title: Top Page, url: https://www.eq-3.com/

Trust: 0.8

title: Patch for eQ-3 Homematic CCU2 and CCU3 command injection vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/208781

Trust: 0.6

title: eQ-3 Homematic CCU2 and CCU3 Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96598

Trust: 0.6

sources: CNVD: CNVD-2020-17029 // JVNDB: JVNDB-2019-008025 // CNNVD: CNNVD-201908-913

EXTERNAL IDS

db: NVD, id: CVE-2019-14986

Trust: 3.0

db: JVNDB, id: JVNDB-2019-008025

Trust: 0.8

db: CNVD, id: CNVD-2020-17029

Trust: 0.6

db: CNNVD, id: CNNVD-201908-913

Trust: 0.6

sources: CNVD: CNVD-2020-17029 // JVNDB: JVNDB-2019-008025 // CNNVD: CNNVD-201908-913 // NVD: CVE-2019-14986

REFERENCES

url:https://psytester.github.io/cve-2019-14986/

Trust: 3.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-14986

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14986

Trust: 0.8

sources: CNVD: CNVD-2020-17029 // JVNDB: JVNDB-2019-008025 // CNNVD: CNNVD-201908-913 // NVD: CVE-2019-14986

SOURCES

db: CNVD, id: CNVD-2020-17029
db: JVNDB, id: JVNDB-2019-008025
db: CNNVD, id: CNNVD-201908-913
db: NVD, id: CVE-2019-14986

LAST UPDATE DATE

2024-11-23T21:59:47.530000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-17029, date: 2020-03-13T00:00:00
db: JVNDB, id: JVNDB-2019-008025, date: 2019-08-23T00:00:00
db: CNNVD, id: CNNVD-201908-913, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-14986, date: 2024-11-21T04:27:49.757

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-17029, date: 2020-03-13T00:00:00
db: JVNDB, id: JVNDB-2019-008025, date: 2019-08-23T00:00:00
db: CNNVD, id: CNNVD-201908-913, date: 2019-08-13T00:00:00
db: NVD, id: CVE-2019-14986, date: 2019-08-13T20:15:12.307