Lucene search

[email protected]CVE-2019-9583

HistoryAug 14, 2019 - 8:15 p.m.

CVE-2019-9583

2019-08-1420:15:11

CWE-400

[email protected]

web.nvd.nist.gov

cve-2019-9583

eq-3

homematic

ccu2

ccu3

session id

denial of service

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.2%

JSON

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15.

Affected configurations

NVD

Node

eq-3homematic_ccu3_firmwareMatch3.41.11

eq-3homematic_ccu3_firmwareMatch3.43.16

eq-3homematic_ccu3_firmwareMatch3.45.5

eq-3homematic_ccu3_firmwareMatch3.45.7

eq-3homematic_ccu3_firmwareMatch3.47.10

eq-3homematic_ccu3_firmwareMatch3.47.15

AND

eq-3homematic_ccu3Match-

Node

eq-3homematic_ccu2_firmwareMatch-

eq-3homematic_ccu2_firmwareMatch2.35.16

eq-3homematic_ccu2_firmwareMatch2.41.5

eq-3homematic_ccu2_firmwareMatch2.41.8

eq-3homematic_ccu2_firmwareMatch2.41.9

eq-3homematic_ccu2_firmwareMatch2.45.6

eq-3homematic_ccu2_firmwareMatch2.45.7

eq-3homematic_ccu2_firmwareMatch2.47.10

eq-3homematic_ccu2_firmwareMatch2.47.12

eq-3homematic_ccu2_firmwareMatch2.47.15

AND

eq-3homematic_ccu2Match-

CPENameOperatorVersion
eq-3:homematic_ccu3_firmwareeq-3 homematic ccu3 firmwareeq3.41.11
eq-3:homematic_ccu3_firmwareeq-3 homematic ccu3 firmwareeq3.43.16
eq-3:homematic_ccu3_firmwareeq-3 homematic ccu3 firmwareeq3.45.5
eq-3:homematic_ccu3_firmwareeq-3 homematic ccu3 firmwareeq3.45.7
eq-3:homematic_ccu3_firmwareeq-3 homematic ccu3 firmwareeq3.47.10
eq-3:homematic_ccu3_firmwareeq-3 homematic ccu3 firmwareeq3.47.15

CPE	Name	Operator	Version
eq-3:homematic_ccu3_firmware	eq-3 homematic ccu3 firmware	eq	3.41.11
eq-3:homematic_ccu3_firmware	eq-3 homematic ccu3 firmware	eq	3.43.16
eq-3:homematic_ccu3_firmware	eq-3 homematic ccu3 firmware	eq	3.45.5
eq-3:homematic_ccu3_firmware	eq-3 homematic ccu3 firmware	eq	3.45.7
eq-3:homematic_ccu3_firmware	eq-3 homematic ccu3 firmware	eq	3.47.10
eq-3:homematic_ccu3_firmware	eq-3 homematic ccu3 firmware	eq	3.47.15

References

github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_pentests/CVEs/2019-03-27-CVE-2019-9583.md

psytester.github.io/CVE-2019-9583/

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.2%

JSON

Related for CVE-2019-9583

cvelist3 prion3 nvd3 cve2