CVE-2019-1913
Published 2019-08-07
Priority P180 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 25.94% (97.7th percentile)
Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system. The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_small_business_220_series_smart_plus_switches | >= unspecified < 1.1.4.4 | 1.1.4.4 |
| cisco | sf-220-24_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-24p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-48_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-48p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-26_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-26p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-28_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-28mp_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-50_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-50p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-52_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | small_business_220_series_smart_switches | — | — |
Detection & IOCs (extracted from sources)
- Snort: 51293 – 51295
- Snort: 51298 – 51300
- Snort: 51306 – 51307
- Exploit targets the web management interface over HTTP or HTTPS; malicious requests exploit a stack overflow via a 'one byte read-write loop' without boundary check in the Boa/Hydra web server (Realtek RTL83xx additional coding). Monitor for anomalous POST/GET requests to the switch web management interface on ports 80 and 443.
- The exploit uses the ETag response header to fingerprint the target device and firmware version. Detect reconnaissance by monitoring for repeated HEAD/GET requests harvesting ETag values from the switch web interface.
- The PoC uses command injection to disable ASLR on the target before exploitation. Monitor for command injection patterns in HTTP request parameters to the switch management interface.
- Successful exploitation results in a MIPS big-endian reverse shell. Monitor for unexpected outbound TCP connections from Cisco Small Business 220 Series switches, particularly to attacker-controlled LHOST:LPORT combinations.
- The exploit may attempt unauthorized updates to 'running-config' to add or delete credentials on the switch GUI/CLI. Monitor for unauthenticated configuration change requests.
- Log files '/mntlog/flash.log' and '/var/log/flash.log' may be created on the device during exploitation. Check for unexpected log file creation at these paths as a post-exploitation indicator.
- The exploitation path depends on whether the web management interface is configured for HTTP or HTTPS; both are vulnerable. Ensure detection rules cover both protocols (ports 80 and 443).
- The vulnerability is in Realtek RTL83xx additional coding layered on top of the Boa/Hydra web servers, not in Boa/Hydra themselves. All firmware versions and multiple vendors sharing this codebase are affected.
- NETGEAR GS728TPv2/GS728TPPv2/GS752TPv2/GS752TPP (ETag 639-98866 and 639-73124) are vulnerable, but the two-buffer jump method is not directly applicable due to the heap address range and password obfuscation; they remain exploitable via the base Boa/Hydra vulnerability.
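As an added, defender-side example that is not part of this page or of any cited source, the following Python scans constructed web-management access-log lines for three of the indicators listed above (repeated HEAD requests consistent with ETag harvesting, shell metacharacters in request parameters, and unauthenticated configuration-change requests) and checks a file listing for the two post-exploitation log paths. The log format, the `/running-config` URL path, the detection threshold and the sample lines are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed access-log format for the switch web interface (constructed for this example):
#   "<client_ip> <method> <path> <status> <user>"   with user "-" when unauthenticated
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Shell metacharacters (raw and URL-encoded) typical of command-injection attempts; assumption.
CMD_INJECTION_RE = re.compile(r"[;|`$]|%3B|%7C|%60|%24", re.IGNORECASE)

# Paths treated as configuration changes. 'running-config' is named on the page;
# using it as a URL path here is an assumption.
CONFIG_PATHS = ("/running-config",)

# How many HEAD requests from one client count as ETag harvesting; assumed threshold.
ETAG_HARVEST_THRESHOLD = 5

# Post-exploitation log files named on the page.
SUSPICIOUS_FILES = ("/mntlog/flash.log", "/var/log/flash.log")


def analyze(lines):
    """Scan access-log lines; return {indicator: [client_ip, ...]} for every hit."""
    findings = defaultdict(list)
    head_counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, method, path, _status, user = m.groups()
        if method == "HEAD":
            head_counts[ip] += 1
        if CMD_INJECTION_RE.search(path):
            findings["cmd_injection"].append(ip)
        if user == "-" and method == "POST" and path.startswith(CONFIG_PATHS):
            findings["unauth_config_change"].append(ip)
    for ip, n in head_counts.items():
        if n >= ETAG_HARVEST_THRESHOLD:
            findings["etag_harvest"].append(ip)
    return dict(findings)


def unexpected_files(present_paths):
    """Return the suspicious log paths found on the device (post-exploitation indicator)."""
    return sorted(p for p in present_paths if p in SUSPICIOUS_FILES)


# Constructed sample log: one authenticated admin session and one client
# that shows all three request-side patterns.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.htm 200 admin",
    "10.0.0.5 POST /running-config 200 admin",
] + ["192.0.2.77 HEAD / 200 -"] * 5 + [
    "192.0.2.77 GET /cgi-bin/example.cgi?name=x;id 200 -",
    "192.0.2.77 POST /running-config 200 -",
]

if __name__ == "__main__":
    for indicator, ips in analyze(SAMPLE_LOG).items():
        print(f"{indicator}: {sorted(set(ips))}")
    print("files:", unexpected_files(["/var/log/messages", "/mntlog/flash.log"]))
```

The authenticated admin POST to the same configuration path is deliberately not flagged, so the rule keys on the missing user field rather than on the endpoint alone; tune the HEAD threshold to the polling behaviour of your own monitoring tools before deploying.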
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | — | 9.8 | CRITICAL | — |
GHSA
GHSA-f4rj-gx93-q8jm · ghsa_unreviewed · 2022-05-24 · CVE-2019-1913 [CRITICAL] CWE-119
Cisco
Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities
vendor_cisco · 2019-08-06 · CVSS 9.8 · CVE-2019-1913 [CRITICAL] CWE-119
Cisco has released software updates t

Cisco
Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities
vendor_cisco · CVSS 3.0 · CVE-2019-1913
Cisco has released soft
No detection rules found.
Talos
Threat Source newsletter (Aug. 22)
blogs_talos · 2019-08-29
Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
What’s old is new again.
Our research this week centers around a series of long-lasting threat actors and malware that have been given new life.
China Chopper, a 9-year-old web shell, is more prevalent than ever now that the source code is out there, so any threat actor could conceivably use it. We recently discovered three distinct campaigns using it for a variety of malicious activities.
We’ve also discovered threat actors using two of the most popular RATs — Orcus RAT and RevengeRAT — to target government entities, financial services organizations, information technology service providers and consultancies.
We also have ou
Tenable
Critical Cisco Vulnerabilities Across Multiple Products, Exploit Code for CVE-2019-1913 Reportedly Released
blogs_tenable · 2019-08-22 · CVSS 9.8 · [CRITICAL]
References
- http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce

Published: 2019-08-07