CVE-2019-19356
Published: 2020-02-07
Priority: P183
Severity: high, 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 27.96% (97.9th percentile)
Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware versions V1.2.31805 and V2.2.36123. Once authenticated to this page, it is possible to execute system commands as root through the tracert diagnostic tool because user input is not sanitized.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netis-systems | wf2419_firmware | — | — |
| netis-systems | wf2419_firmware | — | — |
Detection & IOCs (extracted from sources)
command: mode_name=netcore_set&tools_type=2&tools_ip_url=|+<cmd>&tools_cmd=1&net_tools_set=1&wlan_idx_num=0
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin-igd/netcore_set.cgi"; http.request_body; content:"mode_name=netcore_set&tools_type=2&tools_ip_url=|7c|+"; fast_pattern; content:"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"; distance:0; reference:cve,2019-19356; reference:url,www.exploit-db.com/exploits/48149; classtype:attempted-admin; sid:2030278; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, cve CVE_2019_19356, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |7c|+
- Exploit POST body to /cgi-bin-igd/netcore_set.cgi contains a pipe character (matched as |7c| in the rule) in the tools_ip_url parameter, used to inject OS commands via the tracert diagnostic tool.
- Command output is retrieved via a follow-up POST to /cgi-bin-igd/netcore_get.cgi with body mode_name=netcore_get&no=no; monitor for this two-stage request pattern.
- Successful exploitation returns a JSON response with 'SUCCESS' as the first element; defenders can monitor for this response pattern on the CGI endpoint.
- The Snort/ET rule uses fast_pattern on the pipe-encoded injection string in the HTTP request body; deploy the ET rule SID 2030278 at the network perimeter, targeting inbound HTTP to IoT/router management interfaces.
- The vulnerability requires authentication to the router web management page; exploitation is only possible post-login (authenticated RCE).
- Two firmware versions are confirmed vulnerable: V1.2.31805 and V2.2.36123; scope detection and patching efforts to devices running these versions.
- The ET Snort rule (SID 2030278) specifies http.method content:"GET" while the exploit PoC uses HTTP POST; verify rule behaviour in your IDS/IPS before relying solely on this signature.
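The detection notes above describe a body pattern on /cgi-bin-igd/netcore_set.cgi, a follow-up fetch on /cgi-bin-igd/netcore_get.cgi, and a GET/POST mismatch in the ET rule. The following is an added example (not from the page or any of the cited sources) of that detection logic in Python, run over constructed request records rather than real traffic. It ignores the HTTP method on purpose, decodes the body so that a literal pipe and a %7C-encoded pipe are treated alike (an assumption beyond the page, which only shows the literal form), and reports whether the two-stage set-then-get pattern occurred. The placeholder value PLACEHOLDER_CMD stands in for the `<cmd>` shown in the IOC.

```python
from urllib.parse import parse_qs, unquote_plus

SET_ENDPOINT = "/cgi-bin-igd/netcore_set.cgi"
GET_ENDPOINT = "/cgi-bin-igd/netcore_get.cgi"
FETCH_BODY = "mode_name=netcore_get&no=no"

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", SET_ENDPOINT,
     "mode_name=netcore_set&tools_type=2&tools_ip_url=|+PLACEHOLDER_CMD"
     "&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"),
    ("POST", GET_ENDPOINT, FETCH_BODY),            # second stage: fetch output
    ("POST", SET_ENDPOINT,                         # benign tracert to a host
     "mode_name=netcore_set&tools_type=2&tools_ip_url=192.0.2.10"
     "&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"),
    ("GET", SET_ENDPOINT,                          # same payload, pipe encoded, via GET
     "mode_name=netcore_set&tools_type=2&tools_ip_url=%7C+PLACEHOLDER_CMD"
     "&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"),
]


def is_injection_attempt(method, path, body):
    """True when a tracert diagnostic request carries a shell pipe in tools_ip_url.

    The method is deliberately not checked: the ET rule says GET while the
    public PoC uses POST, so matching on the body alone covers both.
    """
    if path != SET_ENDPOINT:
        return False
    params = parse_qs(body, keep_blank_values=True)  # also decodes %7C and '+'
    if params.get("mode_name") != ["netcore_set"] or params.get("tools_type") != ["2"]:
        return False
    target = params.get("tools_ip_url", [""])[0]
    return "|" in target


def is_output_fetch(method, path, body):
    """True for the follow-up request that reads the command output."""
    return path == GET_ENDPOINT and unquote_plus(body) == FETCH_BODY


def scan(requests):
    """Return one finding per injection attempt, noting the two-stage pattern.

    A finding is marked two_stage when a netcore_get fetch follows within the
    next two requests of the same sequence.
    """
    findings = []
    for i, (method, path, body) in enumerate(requests):
        if is_injection_attempt(method, path, body):
            followed = any(is_output_fetch(*r) for r in requests[i + 1:i + 3])
            findings.append({"index": i, "method": method, "two_stage": followed})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f)
```

Matching on the decoded parameter value rather than the raw byte string is what makes the check method-agnostic and encoding-agnostic; the ET rule's fast_pattern match on the raw body is faster but misses the %7C form, which is another reason to verify its behaviour before relying on it alone.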
CVSS provenance
nvd v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 8.5 HIGH, AV:N/AC:M/Au:S/C:C/I:C/A:C
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH
CISA
Netis WF2419 Devices Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2019-19356 [HIGH] CWE-78 Netis WF2419 Devices Remote Code Execution Vulnerability
Vulnerability: Netis WF2419 Devices Remote Code Execution Vulnerability
Affected: Netis WF2419 Devices
Netis WF2419 devices contain an unspecified vulnerability that allows an attacker to perform remote code execution as root through the router's web management page.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-19356
Remediation Due Date: 2022-05-03
GHSA
GHSA-ch88-rxpc-5c5r: Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page
ghsa_unreviewed·2022-05-24
CVE-2019-19356 [HIGH] CWE-78 GHSA-ch88-rxpc-5c5r: Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page
Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing.
VulnCheck
Netis WF2419 Devices Remote Code Execution Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-19356 [HIGH] CWE-78 Netis WF2419 Devices Remote Code Execution Vulnerability
Netis WF2419 Devices Remote Code Execution Vulnerability
Netis WF2419 devices contain an unspecified vulnerability that allows an attacker to perform remote code execution as root through the router's web management page.
Affected: Netis WF2419 Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=cve-2019-19
Suricata
ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356
suricata·2020-06-10·CVSS 7.5
CVE-2019-19356 [HIGH] ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356
ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin-igd/netcore_set.cgi"; http.request_body; content:"mode_name=netcore_set&tools_type=2&tools_ip_url=|7c|+"; fast_pattern; content:"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"; distance:0; reference:cve,2019-19356; reference:url,www.exploit-db.com/exploits/48149; classtype:attempted-admin; sid:2030278; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, cve CVE_2019_19356, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer·2023-10-10·CVSS 9.8
[CRITICAL] Mirai DDoS malware variant expands targets with 13 router exploits
## Mirai DDoS malware variant expands targets with 13 router exploits
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet·2023-10-09·CVSS 9.8
[CRITICAL] IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2019-19356 [HIGH] New Mirai Variant Targeting Network Security Devices
## New Mirai Variant Targeting Network Security Devices
Vaibhav Singhal
Ruchna Nigam
Zhibin Zhang
Asher Davila
Published: March 15, 2021
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2020-25506 [HIGH] New Mirai Variant Targeting Network Security Devices
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, mere hours after vulnerability details were published. On March 3, 2021, the same samples were served from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. Furthermore, on March 13, an exploit targeting CVE-2020-26919 was also
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Two New IoT Vulnerabilities Identified with Mirai Payloads
## Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While t
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Two New IoT Vulnerabilities Identified with Mirai Payloads
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
References:
- http://packetstormsecurity.com/files/156588/Netis-WF2419-2.2.36123-Remote-Code-Execution.html
- https://github.com/shadowgatt/CVE-2019-19356
- https://www.digital.security/en/blog/netis-routers-remote-code-execution-cve-2019-19356
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-19356
Timeline:
- 2020-02-07: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild