Description
A critical vulnerability, identified as CVE-2024-24578, has been discovered in RaspberryMatic, an open-source operating system utilized by HomeMatic internet-of-things (IoT) devices. The issue is due to flaws in the Java-based `HMIPServer.jar` component. Specifically, unauthenticated remote code execution (RCE) can be achieved through improperly validated file upload processes, enabling unauthorized attackers to compromise the system entirely by gaining root-level access.
Affected Product(s)
- RaspberryMatic (versions prior to 3.75.6.20240316)
Technical Details
The vulnerability resides in the Java-based `HMIPServer.jar` component of RaspberryMatic’s HomeMatic management system. Known as CVE-2024-24578, the vulnerability allows unauthenticated remote code execution due to insufficient validation and authentication processes. The HMIPServer component in RaspberryMatic is accessible via URLs prefixed with `/pages/jpages`.
A particular Java class named `FirmwareController` is responsible for managing system firmware updates. However, it fails to enforce proper session ID authentication checks, enabling unauthorized access to its functions. This flaw is further exacerbated by a related vulnerability often referred to as a Zip Slip vulnerability. The implementation of the file upload mechanism for firmware updates lacks rigorous validation, permitting attackers to upload malicious `.tgz` (tarball archive) files. These archives are automatically extracted by the system without proper safeguards, making it possible for unauthorized attackers to introduce harmful content into critical directories.
The exploitation path typically involves:
- **Crafting a Malicious Archive:** The attacker creates a `.tgz` file whose entry names contain `../` sequences, so that the entries resolve outside the intended extraction directory.
- **Uploading the File:** Using the `/pages/jpages/system/DeviceFirmware/addFirmware` endpoint, the attacker uploads the crafted archive without requiring authentication.
- **Triggering the Payload Execution:** The archive is extracted automatically by the system, overwriting key system files. For example, the watchdog script located at `/usr/local/addons/mediola/bin/` is replaced. This script executes every five minutes via a cron job, so the malicious code runs as the root user.
By exploiting this vulnerability, attackers gain full administrative permissions on the affected IoT devices, resulting in a complete takeover of the system. Versions of RaspberryMatic up to and including `3.73.9.20240130` are vulnerable, with the issue primarily affecting installations utilizing the HomeMatic OCCU (Open Central Control Unit) framework.
Weakness
The vulnerability stems from the following associated weaknesses:
- **Relative Path Traversal (CWE-23):** The system permits files to be extracted outside the designated directories because `../` sequences in uploaded archive entry names are not rejected, bypassing directory constraints.
- **Missing Authentication for Critical Function (CWE-306):** The `FirmwareController` class fails to validate session IDs, enabling unauthorized access to critical firmware update features.
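The two weaknesses above combine because the extraction step trusts entry names inside the uploaded tarball. The following is an added example, not code from RaspberryMatic or the HMIPServer component, showing the check that closes the CWE-23 half: every member name (and link target) is resolved against the destination directory before anything is written, and the whole archive is refused if any entry would escape. The archives and the `watchdog` file name are constructed for the example; the advisory names only the directory.

```python
"""
Added example (not RaspberryMatic/HMIPServer code): rejecting the Zip Slip
pattern in .tgz uploads before extraction. Two archives are constructed in
memory, one benign and one carrying a '../' entry.
"""
import io
import os
import tarfile
import tempfile


def _is_within(base: str, target: str) -> bool:
    """True if the fully resolved target path stays inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def find_traversal_entries(archive_bytes: bytes, dest_dir: str = "/opt/firmware") -> list:
    """Return names of archive members that would land outside dest_dir.

    Checks the member name and, for links, the link target as well: a
    symlink pointing out of the tree can be abused by a later member just
    as a '../' name can. dest_dir is an assumed extraction root.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest_dir, member.name)  # absolute names override dest_dir and are caught
            if not _is_within(dest_dir, target):
                bad.append(member.name)
                continue
            if member.issym():
                link_target = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():
                link_target = os.path.join(dest_dir, member.linkname)  # hard links are archive-relative
            else:
                continue
            if not _is_within(dest_dir, link_target):
                bad.append(member.name)
    return bad


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Validate every member first; extract only if the whole archive is clean."""
    bad = find_traversal_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive: traversal entries {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        # Newer Python versions ship a 'data' extraction filter that enforces
        # the same containment rules; use it when available as a second layer.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **kwargs)
        return [m.name for m in tar.getmembers()]


def check_extract(archive_bytes: bytes) -> str:
    """Attempt extraction into a scratch directory; report the outcome."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            safe_extract(archive_bytes, scratch)
            return "extracted"
        except ValueError:
            return "rejected"


def build_tgz(entries: dict) -> bytes:
    """Construct a .tgz in memory from {member_name: text} (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed fixtures: a benign bundle and one using the '../' pattern to
# reach the addon directory named in the advisory (file name assumed).
BENIGN_TGZ = build_tgz({"fw/manifest.txt": "version=1\n"})
MALICIOUS_TGZ = build_tgz({
    "fw/manifest.txt": "version=1\n",
    "../../../../usr/local/addons/mediola/bin/watchdog": "# placeholder content\n",
})

if __name__ == "__main__":
    print("benign:", find_traversal_entries(BENIGN_TGZ), check_extract(BENIGN_TGZ))
    print("malicious:", find_traversal_entries(MALICIOUS_TGZ), check_extract(MALICIOUS_TGZ))
```

The check is deliberately all-or-nothing: extracting the good members of a partially bad archive still leaves an attacker-controlled bundle on disk, and the upload should be rejected and logged instead. The authentication half (CWE-306) is a separate fix: the session check has to run before the upload handler is reached at all.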
Impact Assessment
If this vulnerability is exploited, it could lead to severe consequences, including:
- Unauthorized attackers gaining root-level access to compromised devices.
- Complete system compromise, enabling attackers to execute arbitrary commands, steal sensitive data, and control the device’s functionality.
- The potential abuse of the device for launching further attacks in a networked environment, such as Distributed Denial of Service (DDoS).
Given the critical nature of these impacts, this vulnerability has been assigned a CVSS v3 score of 10.0 (CRITICAL).
Active Exploitation
There is evidence of active exploitation of the unauthenticated RCE vulnerability in RaspberryMatic. Unauthorized attackers leverage the endpoint `/pages/jpages/system/DeviceFirmware/addFirmware` for uploading malicious archives. The process involves exploiting the file extraction mechanism to overwrite critical files with malicious scripts, subsequently gaining root-level access and establishing complete control over the affected system. Affected installations running vulnerable versions are known to be at immediate risk.
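Because the upload endpoint needs no session, the web tier's access log is the earliest place an attempt shows up. The following is an added example, not part of the advisory or the RaspberryMatic project, that reviews access-log lines for requests to the endpoint named above and marks those coming from non-private addresses. The combined log format, the sample lines and the source addresses are constructed for the example; where the HMIPServer requests are actually logged depends on the deployment.

```python
"""
Added example (not advisory or project code): flag firmware-upload requests
in web access logs. Log format and sample lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Endpoint named in the advisory
FIRMWARE_UPLOAD_PATH = "/pages/jpages/system/DeviceFirmware/addFirmware"

# Assumption: the web server or reverse proxy writes common/combined log format
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def _is_external(src: str) -> bool:
    """A home-automation controller should only see RFC1918/loopback clients."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # hostnames or garbage: treat as unknown, i.e. worth a look
    return not (ip.is_private or ip.is_loopback)


def find_firmware_uploads(lines) -> list:
    """Return one record per request to the firmware upload endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] == FIRMWARE_UPLOAD_PATH:
            hits.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "method": rec["method"],
                "status": rec["status"],
                "external": _is_external(rec["src"]),
            })
    return hits


def uploads_by_source(lines) -> Counter:
    """Count upload requests per source address, useful for spotting bursts."""
    return Counter(h["src"] for h in find_firmware_uploads(lines))


# Constructed sample log: one legitimate LAN client and one outside address
# hitting the upload endpoint twice in a row.
SAMPLE_LOG = """\
192.168.1.20 - - [17/Mar/2024:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 5120
11.22.33.44 - - [17/Mar/2024:10:02:15 +0000] "POST /pages/jpages/system/DeviceFirmware/addFirmware HTTP/1.1" 200 312
11.22.33.44 - - [17/Mar/2024:10:02:16 +0000] "POST /pages/jpages/system/DeviceFirmware/addFirmware HTTP/1.1" 200 298
192.168.1.20 - - [17/Mar/2024:10:05:40 +0000] "GET /index.htm HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for hit in find_firmware_uploads(SAMPLE_LOG.splitlines()):
        print(hit)
    print(uploads_by_source(SAMPLE_LOG.splitlines()))
```

On an unpatched device any hit from outside the LAN is worth treating as a probable compromise rather than an attempt, since no credential stands between the request and root. A host-side follow-up is to compare the modification time of scripts under `/usr/local/addons/mediola/bin/` with the timestamps of the flagged requests.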
Ransomware Association
No direct connection between this vulnerability and ransomware has been reported yet. However, by gaining root permissions, hostile actors could potentially install ransomware to encrypt device contents or use the compromised system as a foothold for broader ransomware campaigns.
Mitigation and Resolution
The developers of RaspberryMatic have released a patch in version `3.75.6.20240316` that addresses this vulnerability. Users are strongly encouraged to update their installations immediately to secure their systems from possible exploitation. The patch includes rectification of validation mechanisms during file uploads and reinforces authentication procedures.
Recommendations
- Apply the newly released patch immediately by upgrading RaspberryMatic to version `3.75.6.20240316`. You can download the update from the official distribution site.
- Disable unprotected internet access to your RaspberryMatic until the patch is applied to prevent exploitation from external actors.
- Ensure that all IoT devices are monitored and audited for unusual activities that could indicate exploitation attempts.
- Conduct regular firmware updates and ensure that device software is kept up to date.
- Employ network segmentation for IoT devices to limit their exposure and impact on the broader network in case of compromise.
- Disable unused features or services—such as file uploads—if they are not essential to your use case.
- Perform regular penetration testing and vulnerability scans on IoT environments to identify any other potential issues.
- Educate security teams on the indicators of compromise (IoCs) for this vulnerability and implement security analytics frameworks to detect intrusions.