RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.
The vulnerability results from two related issues in the Java-based `HMIPServer.jar` component. The `FirmwareController` class, accessible via URL paths starting with `/pages/jpages`, does not perform any session identifier verification (lack of authentication control, CWE-306). Additionally, there is a path traversal vulnerability (CWE-23) that, combined with the lack of authentication, allows an attacker to remotely execute code as the root user without possessing a valid session.
An attacker gains the ability to remotely execute arbitrary code with root privileges, leading to full system compromise, including access to data, modification of configuration, and potential takeover of connected HomeMatic IoT devices.
RaspberryMatic should be updated to version 3.75.6.20240316 or later, which contains a patch eliminating the described vulnerabilities. The patch is available in the project repository on GitHub.
RaspberryMatic / OCCU in all versions prior to 3.75.6.20240316
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HRaspberrymatic
OSRaspberrymatic< 3.75.6.20240316