CVE-2019-1912
Published 2019-08-07
Priority: P2 (75) · Severity: critical 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Flags: EXPLOIT
EPSS: 17.04% (96.7th percentile)
A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell. This vulnerability affects Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 with the web management interface enabled. The web management interface is enabled via both HTTP and HTTPS by default.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_small_business_220_series_smart_plus_switches | >= unspecified < 1.1.4.4 | 1.1.4.4 |
| cisco | sf-220-24_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-24p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-48_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-48p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-26_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-26p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-28_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-28mp_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-50_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-50p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-52_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | small_business_220_series_smart_switches | — | — |
Detection & IOCs (extracted from sources)
Sigma rule: linked from source
Snort SIDs: 51293, 51294, 51295, 51298, 51299, 51300, 51306, 51307
- Exploit targets specific URI paths in the web management interface of Cisco Small Business 220 Series switches; monitor for unauthenticated HTTP/HTTPS POST requests to management interface endpoints that include file upload payloads.
- Fingerprint vulnerable Cisco Sx220 targets via HTTP ETag header values 225-51973 (v1.1.3.1) and 225-60080 (v1.1.4.1); the PoC uses static ETag values to uniquely identify remote targets before exploitation.
- Successful exploitation may result in reverse shell injection; monitor for unexpected outbound connections from Cisco Small Business 220 Series switches, particularly MIPS Big Endian shellcode activity.
- The PoC exploit uses ASLR disabling via CMD injection on the stack before shellcode execution; detect command injection attempts targeting the switch web interface.
- Unauthorized 'running-config' updates via the web interface can be used to add or delete credentials; monitor for unauthenticated configuration upload requests.
- The vulnerability is exploitable only when the web management interface is enabled; it is enabled via both HTTP and HTTPS by default, so all unpatched devices with default config are exposed.
- Only Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 are affected; devices on 1.1.4.4 or later are not vulnerable.
- There are no workarounds available for this vulnerability; patching to the fixed firmware is the only mitigation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | 3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vendor_cisco | — | 9.1 | CRITICAL | — |
Cisco
Cisco Small Business 220 Series Smart Switches Authentication Bypass Vulnerability
vendor_cisco · 2019-08-06 · CVSS 9.1 · CRITICAL · CWE-863
A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.
The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.
Cisco has released software updates that address this vulnerability. There are no workaro
GHSA
GHSA-q6mv-m62h-7q28
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-285
The advisory text is the same as the CVE description above.
No detection rules found.
Talos
Threat Source newsletter (Aug. 22)
blogs_talos · 2019-08-29
Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
What’s old is new again.
Our research this week centers around a series of long-lasting threat actors and malware that have been given new life.
China Chopper, a 9-year-old web shell, is more prevalent than ever now that the source code is out there, so any threat actor could conceivably use it. We recently discovered three distinct campaigns using it for a variety of malicious activities.
We’ve also discovered threat actors using two of the most popular RATs — Orcus RAT and RevengeRAT — to target government entities, financial services organizations, information technology service providers and consultancies.
We also have ou
Tenable
Critical Cisco Vulnerabilities Across Multiple Products, Exploit Code for CVE-2019-1913 Reportedly Released
blogs_tenable · 2019-08-22 · CVSS 9.8 · CRITICAL
References
- http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass