Details of VAR-202002-0403

ID

VAR-202002-0403

CVE

CVE-2019-19356

TITLE

Netis WF2419 In OS Command injection vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-014562

DESCRIPTION

Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing. Netis WF2419 To OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Netis WF2419 is a 300Mbps wireless router. The vulnerability stems from a lack of validation of user input

Trust: 2.25

sources: NVD: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-04554

AFFECTED PRODUCTS

vendor:	netis	model:	wf2419	scope:	eq	version:	1.2.31805	Trust: 2.4
vendor:	netis	model:	wf2419	scope:	eq	version:	2.2.36123	Trust: 2.4

sources: CNVD: CNVD-2020-04554 // JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2019-19356
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2019-014562
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-04554
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202002-238
value:	HIGH
Trust: 0.6
VULMON:	CVE-2019-19356
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014562
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-04554
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULMON:	CVE-2019-19356
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2019-014562
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356 // CNNVD: CNNVD-202002-238

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-238

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-238

CONFIGURATIONS

sources: NVD: CVE-2019-19356

PATCH

title:	WF2419	url:	http://www.netis-systems.com/suppory/de_details/id/1/de/44.html	Trust: 0.8
title:	NETIS router (WF2419) RCE (CVE-2019-19356) Context Prerequisites Vulnerability details Exploit	url:	https://github.com/shadowgatt/cve-2019-19356	Trust: 0.1
title:	CVE-2019-19356 cd CVE-2019-19356 docker-compose up -d	url:	https://github.com/qq1515406085/cve-2019-19356	Trust: 0.1
title:	Known Exploited Vulnerabilities Detector	url:	https://github.com/ostorlab/kev	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/hectorgie/poc-in-github	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/developer3000s/poc-in-github	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/0xt11/cve-poc	Trust: 0.1

sources: VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562

EXTERNAL IDS

db:	NVD	id:	CVE-2019-19356	Trust: 3.1
db:	PACKETSTORM	id:	156588	Trust: 1.7
db:	JVNDB	id:	JVNDB-2019-014562	Trust: 0.8
db:	CNVD	id:	CNVD-2020-04554	Trust: 0.6
db:	CXSECURITY	id:	WLB-2020030011	Trust: 0.6
db:	CNNVD	id:	CNNVD-202002-238	Trust: 0.6
db:	VULMON	id:	CVE-2019-19356	Trust: 0.1

sources: CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356 // CNNVD: CNNVD-202002-238

REFERENCES

url:	https://www.digital.security/en/blog/netis-routers-remote-code-execution-cve-2019-19356	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19356	Trust: 2.0
url:	https://github.com/shadowgatt/cve-2019-19356	Trust: 1.8
url:	http://packetstormsecurity.com/files/156588/netis-wf2419-2.2.36123-remote-code-execution.html	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19356	Trust: 0.8
url:	https://cxsecurity.com/issue/wlb-2020030011	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356 // CNNVD: CNNVD-202002-238

CREDITS

Elias Issa

Trust: 0.6

sources: CNNVD: CNNVD-202002-238

SOURCES

db:	CNVD	id:	CNVD-2020-04554
db:	VULMON	id:	CVE-2019-19356
db:	JVNDB	id:	JVNDB-2019-014562
db:	NVD	id:	CVE-2019-19356
db:	CNNVD	id:	CNNVD-202002-238

LAST UPDATE DATE

2023-12-26T23:01:06.499000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-04554	date:	2020-02-11T00:00:00
db:	VULMON	id:	CVE-2019-19356	date:	2022-01-01T00:00:00
db:	JVNDB	id:	JVNDB-2019-014562	date:	2020-02-28T00:00:00
db:	NVD	id:	CVE-2019-19356	date:	2022-01-01T19:57:27.453
db:	CNNVD	id:	CNNVD-202002-238	date:	2022-01-04T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-04554	date:	2020-02-11T00:00:00
db:	VULMON	id:	CVE-2019-19356	date:	2020-02-07T00:00:00
db:	JVNDB	id:	JVNDB-2019-014562	date:	2020-02-28T00:00:00
db:	NVD	id:	CVE-2019-19356	date:	2020-02-07T23:15:10.013
db:	CNNVD	id:	CNNVD-202002-238	date:	2020-02-07T00:00:00