VDE-2019-010

Vulnerability from csaf_mieleciekg - Published: 2019-05-20 06:58 - Updated: 2025-05-14 13:00
Summary
Miele: Multiple Vulnerabilities in XGW 3000 ZigBee Gateway
Notes
Summary: Miele XGW 3000 is a ZigBee-to-TCP/IP gateway. The gateway connects Miele ZigBee appliances (Miele@home) to the customer's local TCP/IP network and allows the appliance state to be visualized on the gateway's web interface, on a Miele SuperVision-capable appliance, in the smartphone/tablet app, or on a home automation device. An external security researcher reported two vulnerabilities in the XGW 3000 gateway and provided a proof of concept. Exploiting both vulnerabilities in combination allows the authentication mechanisms of the XGW 3000 to be circumvented. The Miele PSIRT reproduced the findings and successfully exploited the gateway; the existence of both vulnerabilities is therefore confirmed.
Impact:

Vulnerability ID (Miele): PSIRT-2019-001-VI_02
CVSS-Score: 4.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C)
Vulnerability Type: CWE-285: Improper Authorization
Vulnerability / Issues: Bypass of the "Password Change Function". In combination with vulnerability PSIRT-2019-001-VI_01 (CSRF), the administrator password can be changed without the old password being checked.

Vulnerability ID (Miele): PSIRT-2019-001-VI_01
CVSS-Score: 4.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C)
Vulnerability Type: CWE-352: Cross-Site Request Forgery (CSRF)
Vulnerability / Issues: A malicious website visited by an authenticated admin user, or a malicious mail, can issue arbitrary changes in the "admin panel".

Note that the 4.4 values above come from Miele's own vector, which includes temporal metrics (E:P/RL:X/RC:C) and assumes AC:H, PR:L and UI:R, whereas the scores section of the CSAF document further down carries base vectors of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) for CVE-2019-20481 and 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) for CVE-2019-20480. The CSAF document also classifies CVE-2019-20481 as CWE-287 rather than CWE-285.
Remediation: Install software version 2.4.0 via the automatic update function of the XGW 3000 ZigBee Gateway. To do so, log into the local Miele@home Gateway Info Admin Panel, then click Settings -> Update -> Check for New Software. The latest version of the gateway software will be offered for installation. After the installation has completed, verify that the installed version is 2.4.0 or later. If it is not, start the update process a second time.

CVE-2019-20481 (PSIRT-2019-001-VI_02): In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480.

CWE-287 - Improper Authentication
Vendor Fix: Install software version 2.4.0 via the automatic update function of the XGW 3000 ZigBee Gateway. To do so, log into the local Miele@home Gateway Info Admin Panel, then click Settings -> Update -> Check for New Software. The latest version of the gateway software will be offered for installation. After the installation has completed, verify that the installed version is 2.4.0 or later. If it is not, start the update process a second time.

CVE-2019-20480 (PSIRT-2019-001-VI_01): In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user, or a malicious mail, can make arbitrary changes in the "admin panel" because there is no CSRF protection.

CWE-352 - Cross-Site Request Forgery (CSRF)
Vendor Fix: Install software version 2.4.0 via the automatic update function of the XGW 3000 ZigBee Gateway. To do so, log into the local Miele@home Gateway Info Admin Panel, then click Settings -> Update -> Check for New Software. The latest version of the gateway software will be offered for installation. After the installation has completed, verify that the installed version is 2.4.0 or later. If it is not, start the update process a second time.
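The two findings above are easiest to see side by side in code. The following is an added example, not XGW 3000 firmware (which is not public) and not code from Miele or CERT@VDE: a constructed stand-in for an embedded admin panel's password-change endpoint, once with the behaviour the advisory describes (session cookie alone authorizes the change, old password never verified, no anti-CSRF token) and once with the three checks that close CVE-2019-20480 and CVE-2019-20481. The Session/Admin classes, the form field names and the gateway origin "http://gateway.local" are assumptions made for the example.

```python
"""Password-change endpoint of an embedded admin panel: the weaknesses from
VDE-2019-010 next to their fixes.

Added example; not XGW 3000 code. The session model, endpoint names, form
field names and the gateway origin below are constructed stand-ins.
"""
import hashlib
import hmac
import secrets

GATEWAY_ORIGIN = "http://gateway.local"  # assumed origin of the admin panel


def pw_hash(password, salt=None):
    """Salted PBKDF2 digest; the scheme itself is incidental to the example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Admin:
    """The single administrator account of the panel."""

    def __init__(self, password):
        self.set_password(password)

    def set_password(self, password):
        self.salt, self.digest = pw_hash(password)

    def check(self, password):
        return hmac.compare_digest(pw_hash(password, self.salt)[1], self.digest)


class Session:
    """An authenticated browser session. The anti-CSRF token is generated per
    session and delivered only inside the panel's own HTML, so a page on a
    different origin cannot read it."""

    def __init__(self, admin):
        self.admin = admin
        self.csrf_token = secrets.token_urlsafe(32)


def change_password_vulnerable(session, form, headers):
    """Behaviour described for versions before 2.4.0: the session cookie alone
    authorizes the change (CWE-352) and the old password is never verified
    (CWE-287). Returns an HTTP status code."""
    session.admin.set_password(form["new_password"])
    return 200


def change_password_hardened(session, form, headers):
    """Same endpoint with the three checks that close both findings."""
    # CSRF defence 1: browsers set Origin on cross-site POSTs; reject
    # anything that did not come from the panel's own origin.
    if headers.get("Origin") != GATEWAY_ORIGIN:
        return 403
    # CSRF defence 2: synchronizer token bound to the session, compared in
    # constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403
    # CWE-287 fix: the caller must prove knowledge of the current password,
    # so a hijacked or unattended session cannot silently lock the owner out.
    if not session.admin.check(form.get("old_password", "")):
        return 401
    session.admin.set_password(form["new_password"])
    return 200


def forged_request(new_password):
    """What an auto-submitting form on a malicious page can send through the
    victim's browser: the session cookie rides along automatically, but the
    page knows neither the session's CSRF token nor the old password."""
    return {"new_password": new_password}, {"Origin": "http://attacker.example"}


def run_scenarios():
    """Drive both handlers with a forged request and a legitimate one; returns
    the status codes and whether the admin password survived each step."""
    admin = Admin("original-secret")
    session = Session(admin)
    form, headers = forged_request("attacker-chosen")
    out = {}

    out["vulnerable_status"] = change_password_vulnerable(session, form, headers)
    out["vulnerable_took_over"] = admin.check("attacker-chosen")

    admin.set_password("original-secret")  # reset before the hardened run
    out["hardened_status"] = change_password_hardened(session, form, headers)
    out["hardened_password_intact"] = admin.check("original-secret")

    # Same-origin request that passes both CSRF checks but omits the old
    # password: still refused.
    legit_headers = {"Origin": GATEWAY_ORIGIN}
    out["missing_old_password"] = change_password_hardened(
        session, {"csrf_token": session.csrf_token, "new_password": "x"}, legit_headers)

    legit_form = {"csrf_token": session.csrf_token,
                  "old_password": "original-secret", "new_password": "rotated"}
    out["legitimate_status"] = change_password_hardened(session, legit_form, legit_headers)
    out["rotated"] = admin.check("rotated")
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The three checks are deliberately independent: the Origin check and the synchronizer token each stop the cross-site form post on their own, while the old-password proof protects against a different case (a session left logged in or otherwise hijacked) and is the only one of the three that addresses CVE-2019-20481. A reverse-proxy-only fix such as a SameSite cookie attribute would cover the CSRF half but leave the password-change bypass in place.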
Acknowledgments
CERT@VDE (coordination): https://certvde.com
Maxim Rupp (reported)

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "Maxim Rupp",
        "summary": "reported"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "Miele XGW 3000 is a ZigBee-TCP/IP gateway. The gateway connects Miele ZigBee-Appliances (called Miele@home) with local customer TCP/IP-Network and allows visualizing the appliance state on the web interface of the gateway, Miele SuperVision capable appliance, smartphone/tablet app or home automatization device.\n\nAn external security researcher reported two vulnerabilities in XGW 3000 gateway and provided a Proof-of-Concept. The combined exploitation of both vulnerabilities allow the circumvention of the authentication mechanisms of the XGW3000.\n\nThe Miele PSIRT managed to reproduce the findings and successfully exploited the gateway. Therefore, the existence of all vulnerabilities has been confirmed.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "Vulnerability ID (Miele): PSIRT-2019-001-VI_02\nCVSS-Score: 4.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C)\nVulnerability Type: CWE-285: Improper Authorization\nVulnerability / Issues: Bypass for \"Password Change Function\".In combination of vulnerability PSIRT-2019-001-VI_01 (CSRF), the administrator password can be changed without checking the old one\n\nVulnerability ID (Miele): PSIRT-2019-001-VI_01\nCVSS-Score: 4.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C)\nVulnerability Type: CWE-352: Cross-Site Request Forgery (CSRF)\nVulnerability / Issues: A malicious website visited by an authenticated admin user or a malicious mail are allowed to issue arbitrary changes in the \"admin panel\".",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Install software version 2.4.0 via the automatic update function of the XGW 3000 ZigBee Gateway.\n\nTo do so, log into the local Miele@home Gateway Info Admin Panel. Afterwards, click on Settings -\u003e Click on Update -\u003e Click on Check for New Software. The latest version of the Gateway software will be suggested for installation. After the installation has been completed, verify if the installed version is 2.4.0 or larger. If this is not the case, the update process has to be started a second time.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@miele.com",
      "name": "Miele \u0026 Cie KG",
      "namespace": "https://www.miele.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Miele advisory overview at CERT@VDE",
        "url": "https://certvde.com/en/advisories/vendor/miele/"
      },
      {
        "category": "self",
        "summary": "VDE-2019-010: Miele: Multiple Vulnerabilities in XGW 3000 ZigBee Gateway - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2019-010"
      },
      {
        "category": "self",
        "summary": "VDE-2019-010: Miele: Multiple Vulnerabilities in XGW 3000 ZigBee Gateway - CSAF",
        "url": "https://miele.csaf-tp.certvde.com/.well-known/csaf/white/2019/vde-2019-010.json"
      }
    ],
    "title": "Miele: Multiple Vulnerabilities in XGW 3000 ZigBee Gateway",
    "tracking": {
      "aliases": [
        "VDE-2019-010"
      ],
      "current_release_date": "2025-05-14T13:00:15.000Z",
      "generator": {
        "date": "2025-02-26T15:51:59.496Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.19"
        }
      },
      "id": "VDE-2019-010",
      "initial_release_date": "2019-05-20T06:58:00.000Z",
      "revision_history": [
        {
          "date": "2019-05-20T06:58:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-14T13:00:15.000Z",
          "number": "2",
          "summary": "Fix: added distribution"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "XGW 3000",
                "product": {
                  "name": "XGW 3000",
                  "product_id": "CSAFPID-11001"
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.4.0",
                "product": {
                  "name": "Software \u003c2.4.0",
                  "product_id": "CSAFPID-51001"
                }
              },
              {
                "category": "product_version",
                "name": "2.4.0",
                "product": {
                  "name": "Software 2.4.0",
                  "product_id": "CSAFPID-52001"
                }
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Miele"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software \u003c2.4.0 installed on XGW 3000",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-51001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software 2.4.0 installed on XGW 3000",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-52001",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-20481",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "description",
          "text": "In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001"
        ],
        "known_affected": [
          "CSAFPID-31001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Install software version 2.4.0 via the automatic update function of the XGW 3000 ZigBee Gateway.\n\nTo do so, log into the local Miele@home Gateway Info Admin Panel. Afterwards, click on Settings -\u003e Click on Update -\u003e Click on Check for New Software. The latest version of the Gateway software will be suggested for installation. After the installation has been completed, verify if the installed version is 2.4.0 or larger. If this is not the case, the update process has to be started a second time.",
          "product_ids": [
            "CSAFPID-31001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "CVE-2019-20481"
    },
    {
      "cve": "CVE-2019-20480",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "description",
          "text": "In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the \"admin panel\" because there is no CSRF protection.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001"
        ],
        "known_affected": [
          "CSAFPID-31001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Install software version 2.4.0 via the automatic update function of the XGW 3000 ZigBee Gateway.\n\nTo do so, log into the local Miele@home Gateway Info Admin Panel. Afterwards, click on Settings -\u003e Click on Update -\u003e Click on Check for New Software. The latest version of the Gateway software will be suggested for installation. After the installation has been completed, verify if the installed version is 2.4.0 or larger. If this is not the case, the update process has to be started a second time.",
          "product_ids": [
            "CSAFPID-31001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "CVE-2019-20480"
    }
  ]
}
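Consuming the CSAF document above means resolving product IDs through the product_tree (leaf branches plus the `installed_on` relationships) before the `product_status` lists in each vulnerability mean anything. The following is an added example of that resolution, not tooling from Miele, CERT@VDE or the CSAF project; the embedded document is a constructed excerpt of VDE-2019-010 (product_tree and product_status only, with notes, scores and remediations omitted). The version-range handling is an assumption made for this example: it only understands the `<2.4.0` form used in this advisory and exact `product_version` names, not the general `vers:` scheme CSAF allows.

```python
"""Resolve CSAF 2.0 product IDs and report per-CVE status for an installed
version. Added example; not Miele, CERT@VDE or CSAF-project code. The document
below is a constructed excerpt of VDE-2019-010."""

CSAF_EXCERPT = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Miele", "branches": [
            {"category": "product_family", "name": "Hardware", "branches": [
                {"category": "product_name", "name": "XGW 3000",
                 "product": {"name": "XGW 3000", "product_id": "CSAFPID-11001"}}]},
            {"category": "product_family", "name": "Software", "branches": [
                {"category": "product_version_range", "name": "<2.4.0",
                 "product": {"name": "Software <2.4.0", "product_id": "CSAFPID-51001"}},
                {"category": "product_version", "name": "2.4.0",
                 "product": {"name": "Software 2.4.0", "product_id": "CSAFPID-52001"}}]}]}],
        "relationships": [
            {"category": "installed_on", "product_reference": "CSAFPID-51001",
             "relates_to_product_reference": "CSAFPID-11001",
             "full_product_name": {"name": "Software <2.4.0 installed on XGW 3000",
                                   "product_id": "CSAFPID-31001"}},
            {"category": "installed_on", "product_reference": "CSAFPID-52001",
             "relates_to_product_reference": "CSAFPID-11001",
             "full_product_name": {"name": "Software 2.4.0 installed on XGW 3000",
                                   "product_id": "CSAFPID-32001"}}]},
    "vulnerabilities": [
        {"cve": "CVE-2019-20481", "cwe": {"id": "CWE-287"},
         "product_status": {"known_affected": ["CSAFPID-31001"], "fixed": ["CSAFPID-32001"]}},
        {"cve": "CVE-2019-20480", "cwe": {"id": "CWE-352"},
         "product_status": {"known_affected": ["CSAFPID-31001"], "fixed": ["CSAFPID-32001"]}}]}


def collect_products(product_tree):
    """Map every product_id to its display name (leaf branches and relationship
    full_product_names) and remember which leaf ids carry a version spec."""
    names, versions = {}, {}

    def walk(branches):
        for branch in branches:
            if "product" in branch:
                pid = branch["product"]["product_id"]
                names[pid] = branch["product"]["name"]
                if branch["category"] in ("product_version", "product_version_range"):
                    versions[pid] = branch["name"]
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    for rel in product_tree.get("relationships", []):
        fpn = rel["full_product_name"]
        names[fpn["product_id"]] = fpn["name"]
    return names, versions


def _vtuple(version):
    """Dotted version to a comparable tuple; trailing zeros dropped so that
    "2.4" and "2.4.0" compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_matches(spec, installed):
    """Match against a product_version ("2.4.0") or the "<X.Y.Z" range form
    used in this advisory (assumption: no other range syntax is handled)."""
    if spec.startswith("<"):
        return _vtuple(installed) < _vtuple(spec[1:])
    return _vtuple(installed) == _vtuple(spec)


def installed_product_ids(product_tree, installed):
    """Full-product ids (relationship targets) whose software part matches."""
    _, versions = collect_products(product_tree)
    sw_ids = {pid for pid, spec in versions.items() if version_matches(spec, installed)}
    return {rel["full_product_name"]["product_id"]
            for rel in product_tree.get("relationships", [])
            if rel["product_reference"] in sw_ids}


def status_for_version(doc, installed):
    """Per-CVE status for one installed version: the product_status category
    ("known_affected", "fixed", ...) it falls into, or "not_listed"."""
    ids = installed_product_ids(doc["product_tree"], installed)
    result = {}
    for vuln in doc["vulnerabilities"]:
        status = "not_listed"
        for category, pids in vuln.get("product_status", {}).items():
            if ids & set(pids):
                status = category
        result[vuln["cve"]] = status
    return result


if __name__ == "__main__":
    for v in ("2.3.9", "2.4.0", "2.5.0"):
        print(v, status_for_version(CSAF_EXCERPT, v))
```

One practical caveat falls out of running it: the remediation text says "2.4.0 or later" is fine, but the product_tree only lists the exact version 2.4.0 as fixed, so any later firmware (for example 2.5.0) resolves to "not_listed" rather than "fixed". Consumers that gate on `fixed` alone should treat `not_listed` for versions above the fixed one as a data gap to check against the advisory text, not as an affected state.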

