CVE-2019-1913
published 2019-08-07

CVE-2019-1913: Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to…

Priority: P1 80 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 25.94% (97.7th percentile)
Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system. The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.

Affected (13 ranges)

Vendor  Product                                              Version range               Fixed in
cisco   cisco_small_business_220_series_smart_plus_switches  >= unspecified, < 1.1.4.4   1.1.4.4
cisco   sf-220-24_firmware                                   < 1.1.4.4                   1.1.4.4
cisco   sf220-24p_firmware                                   < 1.1.4.4                   1.1.4.4
cisco   sf220-48_firmware                                    < 1.1.4.4                   1.1.4.4
cisco   sf220-48p_firmware                                   < 1.1.4.4                   1.1.4.4
cisco   sg220-26_firmware                                    < 1.1.4.4                   1.1.4.4
cisco   sg220-26p_firmware                                   < 1.1.4.4                   1.1.4.4
cisco   sg220-28_firmware                                    < 1.1.4.4                   1.1.4.4
cisco   sg220-28mp_firmware                                  < 1.1.4.4                   1.1.4.4
cisco   sg220-50_firmware                                    < 1.1.4.4                   1.1.4.4
cisco   sg220-50p_firmware                                   < 1.1.4.4                   1.1.4.4
cisco   sg220-52_firmware                                    < 1.1.4.4                   1.1.4.4
cisco   small_business_220_series_smart_switches             -                           -

Detection & IOCs (extracted from sources)

ETag (other): 225-51973
ETag (other): 225-60080
Snort SIDs: 51293-51295
Snort SIDs: 51298-51300
Snort SIDs: 51306-51307
  • The exploit targets the web management interface over HTTP or HTTPS. The malicious requests trigger a stack overflow through a "one byte read-write loop" with no boundary check in the Boa/Hydra web server (in the Realtek RTL83xx additional coding). Monitor for anomalous POST/GET requests to the switch web management interface on ports 80 and 443.
  • The exploit uses the ETag response header to fingerprint the target device and firmware version. Detect reconnaissance by monitoring for repeated HEAD/GET requests from one client that harvest ETag values from the switch web interface.
  • The PoC uses command injection to disable ASLR on the target before the overflow is triggered. Monitor for command-injection patterns (shell metacharacters) in HTTP request parameters sent to the switch management interface.
  • Successful exploitation results in a MIPS big-endian reverse shell. A managed switch has no reason to open outbound TCP sessions, so monitor for any unexpected outbound TCP connection from Cisco Small Business 220 series switches; the PoC's LHOST:LPORT parameters define the attacker's listener.
  • The exploit may attempt unauthorized updates to the 'running-config' to add or delete credentials for the switch GUI/CLI. Monitor for configuration change requests that carry no authenticated session.
  • The log files '/mntlog/flash.log' and '/var/log/flash.log' may be created on the device during exploitation. Check for unexpected log file creation at these paths as a post-exploitation indicator.
  • The exploitation path depends on whether the web management interface is configured for HTTP or HTTPS; both are vulnerable. Ensure detection rules cover both protocols (ports 80 and 443).
  • The vulnerability is in the Realtek RTL83xx additional coding layered on top of the Boa/Hydra web servers, not in Boa/Hydra themselves. All firmware versions, and multiple vendors sharing this codebase, are affected.
  • NETGEAR GS728TPv2/GS728TPPv2/GS752TPv2/GS752TPP (ETag 639-98866 and 639-73124) are vulnerable, but the two-buffer jump method is not directly applicable to them because of the heap address range and password obfuscation; they remain exploitable via the base Boa/Hydra vulnerability.
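The indicators above can be turned into a small log-side detector. The following is an added example written for this page, not Cisco's code and not the PoC: it walks access-log style records from the switch's web management interface and raises an alert for a known fingerprint ETag in a response, for a burst of ETag-returning HEAD/GET requests from one client, for a POST to running-config with no session cookie, and for shell metacharacters in request parameters. The record layout, the field names, the session-cookie convention and the burst threshold are assumptions, and the sample records are constructed for the example.

```python
"""Detection example added to this page (not Cisco's code and not the PoC).

Walks access-log style records from the switch's web management interface
and raises the indicators the IOC list above describes:
  * a response ETag matching a known device/firmware fingerprint
  * a burst of HEAD/GET requests from one client that return ETags
  * a POST to running-config with no session cookie
  * shell metacharacters inside request parameters
The log format, field names and threshold are assumptions; the sample
records are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# ETag values the page lists as fingerprints of affected firmware.
FINGERPRINT_ETAGS = {
    "225-51973": "Cisco SB 220 series (affected firmware)",
    "225-60080": "Cisco SB 220 series (affected firmware)",
    "639-98866": "NETGEAR GS728TPv2/GS752TPv2 family",
    "639-73124": "NETGEAR GS728TPv2/GS752TPv2 family",
}
RECON_THRESHOLD = 5  # assumption: this many ETag-returning HEAD/GETs from one client
SHELL_META = re.compile(r"[;|`&]|\$\(")

# Assumed record layout (constructed for the example):
#   <client> <method> <path> <status> etag="<value or ->" cookie="<value or ->"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'etag="(?P<etag>[^"]*)" cookie="(?P<cookie>[^"]*)"$'
)

# Constructed sample: one client fingerprints the device, probes a parameter
# with a shell metacharacter and pushes an unauthenticated config change;
# a second client is a normal authenticated admin session.
SAMPLE_LOG = """\
10.0.0.50 HEAD / 200 etag="225-51973" cookie="-"
10.0.0.50 GET / 200 etag="225-51973" cookie="-"
10.0.0.50 HEAD /index.html 200 etag="225-51973" cookie="-"
10.0.0.50 GET /index.html 200 etag="225-51973" cookie="-"
10.0.0.50 HEAD /login.html 200 etag="225-51973" cookie="-"
10.0.0.50 GET /cgi-bin/login?name=admin;id 200 etag="-" cookie="-"
10.0.0.50 POST /running-config 200 etag="-" cookie="-"
192.168.1.10 GET /login.html 200 etag="225-51973" cookie="sessionID=abc123"
192.168.1.10 POST /running-config 200 etag="-" cookie="sessionID=abc123"
"""


def parse_record(line):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (kind, client, detail) alerts for the given records."""
    alerts = []
    recon_hits = Counter()              # ETag-returning HEAD/GET count per client
    fingerprinted = defaultdict(set)    # fingerprint ETags already reported per client
    for raw in lines:
        rec = parse_record(raw)
        if rec is None:
            continue
        src, method, path, etag = rec["src"], rec["method"], rec["path"], rec["etag"]

        # 1. Response carried a known fingerprint ETag: report once per client/ETag.
        if etag in FINGERPRINT_ETAGS and etag not in fingerprinted[src]:
            fingerprinted[src].add(etag)
            alerts.append(("fingerprint_etag", src, f"{etag} -> {FINGERPRINT_ETAGS[etag]}"))

        # 2. Repeated HEAD/GET requests that return ETags look like fingerprint harvesting.
        if method in ("HEAD", "GET") and etag != "-":
            recon_hits[src] += 1
            if recon_hits[src] == RECON_THRESHOLD:
                alerts.append(("etag_harvesting", src, f"{RECON_THRESHOLD} ETag-returning requests"))

        # 3. Configuration change request with no session cookie at all.
        if method == "POST" and "running-config" in path.lower() and rec["cookie"] == "-":
            alerts.append(("unauth_config_change", src, path))

        # 4. Shell metacharacters in the decoded request parameters.
        query = unquote(urlsplit(path).query)
        if query and SHELL_META.search(query):
            alerts.append(("cmd_injection_pattern", src, query))
    return alerts


def summarize(alerts):
    """Count alerts by kind."""
    return dict(Counter(kind for kind, _, _ in alerts))


def run_sample():
    """Run the analyzer over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:22} {src:14} {detail}")
```

The fingerprint alert fires once per client and ETag so a legitimate admin session that also receives the ETag produces a single low-priority hit, while the harvesting alert needs the burst threshold; tune RECON_THRESHOLD to how chatty the management UI is on your switches. Because the reverse shell leaves the switch as an outbound TCP session rather than an HTTP request, that indicator belongs in flow or firewall logs, not in this HTTP-side detector.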

CVSS provenance

Source         Version  Score  Severity  Vector
NVD            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
Cisco (vendor) v3       9.8    CRITICAL