Remote Code Execution Vulnerability in File Upload Facility

Critical
jens-maus published GHSA-g7vv-7rmf-mff7 Mar 30, 2022

Package

RaspberryMatic (GitHub)

Affected versions

≤ 3.61.7.20220226

Patched versions

3.63.8.20220330

Description

A Remote Code Execution (RCE) vulnerability exists in the file upload facility of the RaspberryMatic WebUI interface. Due to missing input validation/sanitization and the use of dangerous CGI functionality, the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string.

Impact

The vulnerability can be exploited via a simple HTTP request. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions starting from 2.31.25.20180428 until 3.61.7.20220226 are affected.

Patches

Users should update to RaspberryMatic version 3.63.8.20220330 or newer, which integrates a fix for the aforementioned security issue.

Workarounds

There are currently no known workarounds to mitigate the security impact, and users are advised to update to the latest version available.

Technical details

The file upload CGI script, designed as helper code for uploading firmware updates, is exposed by default via the WebUI interface of RaspberryMatic on port 80/443 (lighttpd). The script fails to perform adequate input filtering on user-supplied data before passing it to a dangerous function, which can therefore be made to execute arbitrary shell commands in the root user context under which the WebUI runs.
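As an added illustration, not RaspberryMatic's own code or the actual fix, the following shows the two defensive measures the description above implies for a CGI upload helper that takes a filename from the query string: an allowlist with argv-style execution instead of a shell string, and a scan of access-log lines for requests to the upload CGI whose query string carries shell metacharacters. The parameter name `file`, the path `/upload.cgi`, the tar command and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Allowlist for the uploaded file name: no path separators, no metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Characters that would change the meaning of a command line if a shell parsed it.
META = re.compile(r"[;&|`$<>(){}\n\\'\"]")


def upload_argv(query_string: str) -> list:
    """Build the helper command as an argv list from an allowlisted file name.

    The query-string value is never assembled into a shell string: with an argv
    list no shell interprets it, and the allowlist rejects anything unexpected.
    (Parameter name and tar invocation are hypothetical.)
    """
    name = parse_qs(query_string).get("file", [""])[0]
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected upload filename")
    return ["/bin/tar", "-xzf", "/tmp/upload/" + name, "-C", "/tmp/firmware"]


def suspicious_requests(log_lines, cgi_path="/upload.cgi") -> list:
    """Return client addresses of access-log entries that hit the upload CGI
    with shell metacharacters in the (percent-decoded) query string.

    Assumes common-log-format lines as constructed in SAMPLE_LOG below.
    """
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path == cgi_path and META.search(unquote(url.query)):
            hits.append(line.split()[0])
    return hits


# Constructed sample log lines (documentation address range 192.0.2.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Mar/2022:10:00:00 +0000] "POST /upload.cgi?file=firmware.tgz HTTP/1.1" 200 12',
    '192.0.2.11 - - [30/Mar/2022:10:00:05 +0000] "POST /upload.cgi?file=a.tgz%3Bx HTTP/1.1" 200 12',
    '192.0.2.12 - - [30/Mar/2022:10:00:09 +0000] "GET /index.htm?x=%3B HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(upload_argv("file=firmware.tgz"))
    print(suspicious_requests(SAMPLE_LOG))
```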

The security issue was fixed with commit 3485465.

For more information

If you have any questions or comments about this advisory:

Severity

Critical
10.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-24796

Weaknesses

Credits