Sign-up

ID

VAR-202107-0865


CVE

CVE-2021-33032


TITLE

eQ-3 HomeMatic CCU2  Firmware and  CCU3  In firmware  OS  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-009690

DESCRIPTION

A Remote Code Execution (RCE) vulnerability in the WebUI component of the eQ-3 HomeMatic CCU2 firmware up to and including version 2.57.5 and CCU3 firmware up to and including version 3.57.5 allows remote unauthenticated attackers to execute system commands as root via a simple HTTP request. eQ-3 HomeMatic CCU2 Firmware and CCU3 For firmware, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

Trust: 1.71

sources: NVD: CVE-2021-33032 // JVNDB: JVNDB-2021-009690 // VULMON: CVE-2021-33032

AFFECTED PRODUCTS

vendor:eq 3model:homematic ccu3scope:lteversion:3.57.5

Trust: 1.0

vendor:eq 3model:homematic ccu2scope:lteversion:2.57.5

Trust: 1.0

vendor:eq 3model:homematic ccu2scope: - version: -

Trust: 0.8

vendor:eq 3model:homematic ccu3scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-009690 // NVD: CVE-2021-33032

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-33032
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-33032
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202107-1739
value: CRITICAL

Trust: 0.6

VULMON: CVE-2021-33032
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-33032
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2021-33032
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-33032
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-33032 // JVNDB: JVNDB-2021-009690 // CNNVD: CNNVD-202107-1739 // NVD: CVE-2021-33032

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-009690 // NVD: CVE-2021-33032

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-1739

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202107-1739

PATCH

title:HM-CCU2-Changelog.2.59.7.pdf Changelogurl:https://www.eq-3.de/downloads/software/HM-CCU2-Firmware_Updates/HM-CCU-2.59.7/HM-CCU2-Changelog.2.59.7.pdf

Trust: 0.8

title:EQ-3 eQ-3 HomeMatic CCU2 and CCU3 Fixes for operating system command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158322

Trust: 0.6

sources: JVNDB: JVNDB-2021-009690 // CNNVD: CNNVD-202107-1739

EXTERNAL IDS

db:NVDid:CVE-2021-33032

Trust: 3.3

db:JVNDBid:JVNDB-2021-009690

Trust: 0.8

db:CNNVDid:CNNVD-202107-1739

Trust: 0.6

db:VULMONid:CVE-2021-33032

Trust: 0.1

sources: VULMON: CVE-2021-33032 // JVNDB: JVNDB-2021-009690 // CNNVD: CNNVD-202107-1739 // NVD: CVE-2021-33032

REFERENCES

url:https://novag.github.io/posts/homematic-unauthenticated-remote-code-execution/

Trust: 2.5

url:https://www.eq-3.de/downloads/software/firmware/ccu3-firmware/ccu3-changelog.3.59.6.pdf

Trust: 1.7

url:https://www.eq-3.de/downloads/software/hm-ccu2-firmware_updates/hm-ccu-2.59.7/hm-ccu2-changelog.2.59.7.pdf

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-33032

Trust: 1.4

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-33032 // JVNDB: JVNDB-2021-009690 // CNNVD: CNNVD-202107-1739 // NVD: CVE-2021-33032

SOURCES

db:VULMONid:CVE-2021-33032
db:JVNDBid:JVNDB-2021-009690
db:CNNVDid:CNNVD-202107-1739
db:NVDid:CVE-2021-33032

LAST UPDATE DATE

2024-08-14T14:25:17.229000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2021-33032date:2021-09-21T00:00:00
db:JVNDBid:JVNDB-2021-009690date:2022-05-17T07:46:00
db:CNNVDid:CNNVD-202107-1739date:2021-08-02T00:00:00
db:NVDid:CVE-2021-33032date:2021-09-21T16:18:17.080

SOURCES RELEASE DATE

db:VULMONid:CVE-2021-33032date:2021-07-22T00:00:00
db:JVNDBid:JVNDB-2021-009690date:2022-05-17T00:00:00
db:CNNVDid:CNNVD-202107-1739date:2021-07-22T00:00:00
db:NVDid:CVE-2021-33032date:2021-07-22T18:15:23.177