Details of VAR-201908-1017

ID

VAR-201908-1017

CVE

CVE-2019-1913

TITLE

Cisco Small Business 220 Series Smart Switche Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-007728

DESCRIPTION

Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system. The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS. Cisco Small Business 220 Series Smart Switche Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Cisco Small Business 220 Series Smart Switches is a small smart switch device from Cisco (USA)

Trust: 2.16

sources: NVD: CVE-2019-1913 // JVNDB: JVNDB-2019-007728 // CNVD: CNVD-2019-34793

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-34793

AFFECTED PRODUCTS

vendor:	cisco	model:	sg220-28mp	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sf220-24p	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sf-220-24	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sg220-26	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sg220-28	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sf220-48	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sg220-26p	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sf220-48p	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sg220-50p	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sg220-52	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sg220-50	scope:	lt	version:	1.1.4.4	Trust: 1.0
vendor:	cisco	model:	sf220-24	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sf220-24p	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sf220-48	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sf220-48p	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sg220-26	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sg220-26p	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sg220-28	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sg220-28mp	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sg220-50	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sg220-50p	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	series smart switch	scope:	eq	version:	220<1.1.4.4	Trust: 0.6

sources: CNVD: CNVD-2019-34793 // JVNDB: JVNDB-2019-007728 // NVD: CVE-2019-1913

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2019-1913
value:	CRITICAL
Trust: 1.8
ykramarz@cisco.com:	CVE-2019-1913
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2019-34793
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201908-426
value:	CRITICAL
Trust: 0.6

NVD:
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2019-1913
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2019-34793
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

NVD:
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 2.0
NVD:	CVE-2019-1913
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-34793 // JVNDB: JVNDB-2019-007728 // NVD: CVE-2019-1913 // NVD: CVE-2019-1913 // CNNVD: CNNVD-201908-426

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2019-007728 // NVD: CVE-2019-1913

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-426

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201908-426

CONFIGURATIONS

sources: NVD: CVE-2019-1913

PATCH

title:	cisco-sa-20190806-sb220-rce	url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190806-sb220-rce	Trust: 0.8
title:	Patch for Cisco Small Business 220 Series Smart Switches Buffer Overflow Vulnerability	url:	https://www.cnvd.org.cn/patchinfo/show/184645	Trust: 0.6
title:	Cisco Small Business 220 Series Smart Switches Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=96169	Trust: 0.6

sources: CNVD: CNVD-2019-34793 // JVNDB: JVNDB-2019-007728 // CNNVD: CNNVD-201908-426

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1913	Trust: 3.0
db:	PACKETSTORM	id:	154667	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-007728	Trust: 0.8
db:	CNVD	id:	CNVD-2019-34793	Trust: 0.6
db:	EXPLOIT-DB	id:	47442	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2960	Trust: 0.6
db:	CNNVD	id:	CNNVD-201908-426	Trust: 0.6

sources: CNVD: CNVD-2019-34793 // JVNDB: JVNDB-2019-007728 // NVD: CVE-2019-1913 // CNNVD: CNNVD-201908-426

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-1913	Trust: 2.0
url:	http://packetstormsecurity.com/files/154667/realtek-managed-switch-controller-rtl83xx-stack-overflow.html	Trust: 1.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190806-sb220-rce	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1913	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190806-sb220-auth_bypass	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190806-sb220-inject	Trust: 0.6
url:	https://www.exploit-db.com/exploits/47442	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2960/	Trust: 0.6

sources: CNVD: CNVD-2019-34793 // JVNDB: JVNDB-2019-007728 // NVD: CVE-2019-1913 // CNNVD: CNNVD-201908-426

CREDITS

security researcher bashis through the VDOO Disclosure Program.

Trust: 0.6

sources: CNNVD: CNNVD-201908-426

SOURCES

db:	CNVD	id:	CNVD-2019-34793
db:	JVNDB	id:	JVNDB-2019-007728
db:	NVD	id:	CVE-2019-1913
db:	CNNVD	id:	CNNVD-201908-426

LAST UPDATE DATE

2023-12-18T13:38:13.427000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-34793	date:	2019-10-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-007728	date:	2019-08-20T00:00:00
db:	NVD	id:	CVE-2019-1913	date:	2019-10-01T23:15:11.910
db:	CNNVD	id:	CNNVD-201908-426	date:	2019-10-08T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-34793	date:	2019-10-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-007728	date:	2019-08-20T00:00:00
db:	NVD	id:	CVE-2019-1913	date:	2019-08-07T06:15:11.933
db:	CNNVD	id:	CNNVD-201908-426	date:	2019-08-06T00:00:00