CVE-2024-24578
📋 TL;DR
CVE-2024-24578 is an unauthenticated remote code execution vulnerability in RaspberryMatic and OCCU, the open-source operating system and CCU software stack for HomeMatic/homematicIP devices. The HMIPServer.jar component serves URLs under /pages/jpages that can be reached without a login, and an attacker who can reach the web interface can use them to execute arbitrary code as root. Every RaspberryMatic/OCCU installation older than 3.75.6.20240316 is exposed to complete system compromise.
💻 Affected Systems
- RaspberryMatic
- OCCU (Open-source CCU)
📦 What is this software?
RaspberryMatic is an open-source operating system, maintained by Jens Maus on GitHub, that runs the HomeMatic/homematicIP CCU (Central Control Unit) software on Raspberry Pi boards, other single-board computers, virtual machines and containers. OCCU is the open-source CCU software stack it is built on; the vulnerable HMIPServer.jar belongs to that stack, so both RaspberryMatic and OCCU-based installations are affected.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, allowing attackers to install persistent malware, steal credentials, pivot to other network devices, or render the IoT device unusable.
Likely Case
Attackers gain full control of the IoT device, potentially using it as a foothold into the local network or as part of a botnet for DDoS attacks.
If Mitigated
If network segmentation and strict firewall rules are in place, impact may be limited to the compromised device only.
🎯 Exploit Status
Exploitation requires only HTTP requests to the affected /pages/jpages URLs; no credentials, user interaction or prior foothold are needed. The public GitHub advisory names the vulnerable component and the URL path, which lowers the effort needed to write a working exploit, so any device whose web interface is reachable from an untrusted network should be treated as exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.75.6.20240316
Vendor Advisory: https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h
Restart Required: Yes
Instructions:
1. Back up the current configuration (system backup from the WebUI).
2. Update RaspberryMatic/OCCU to version 3.75.6.20240316 or later via the web interface's system update, or via the package manager on Debian-based installs.
3. Restart the system.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the RaspberryMatic web interface (ports 80 and 443) to trusted management hosts. The rules below, run on the device or on an upstream firewall, accept one administrative subnet and drop everything else; the subnet is a placeholder. A bare DROP on ports 80 and 443 without a preceding ACCEPT would lock out the administrator as well, so keep the order as shown (-I puts the ACCEPT rule before the DROP). The CCU WebUI's own firewall settings in the control panel can be used for the same purpose.
# allow the trusted management subnet first, then drop all other clients
iptables -I INPUT -p tcp -m multiport --dports 80,443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
Reverse Proxy with Authentication
Place RaspberryMatic behind a reverse proxy that requires authentication before forwarding any request, and never expose the device directly to the internet. This only helps if the device itself is unreachable except through the proxy; an attacker who can reach port 80/443 on the CCU directly bypasses the proxy entirely.
🧯 If You Can't Patch
- Isolate the device on a separate VLAN with strict network segmentation
- Implement strict firewall rules to allow only necessary traffic to/from the device
🔍 How to Verify
Check if Vulnerable:
From a host with no WebUI session (no cookies, no session id), request a URL under /pages/jpages/ and compare the response with the same request against a patched device. On an affected version the HMIPServer answers as if the caller were logged in, returning data or accepting actions that should require a login. The version check is the more reliable test; a single status code proves little on its own.
Check Version:
Read the firmware version from the WebUI (control panel) or, over SSH on the device, run: cat /VERSION
Verify Fix Applied:
Confirm that the reported version is 3.75.6.20240316 or later (compare each dotted component numerically, not as a string), then repeat the unauthenticated request to a /pages/jpages URL and confirm it no longer succeeds without a login.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /pages/jpages/* from source addresses outside the management network, or from any address while no WebUI login preceded them
- The HMIPServer Java process (java ... HMIPServer.jar) spawning shells or other unexpected child processes
Network Indicators:
- HTTP POST/GET requests to /pages/jpages/* endpoints without prior authentication
- Unusual outbound connections from the IoT device
SIEM Query (Splunk-style; adapt the field names to your log source, and filter on the source address rather than the User-Agent, which the attacker controls and can set to anything):
source="raspberrymatic" AND url="/pages/jpages/*" AND NOT src_ip="<trusted-admin-subnet-prefix>.*"