CVE-2019-1010200

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical OS command injection vulnerability in Google Voice Builder that allows remote attackers to execute arbitrary commands on affected servers. The vulnerability exists in three endpoints across two web servers and can be exploited via specially crafted GET requests. Any organization running vulnerable versions of Voice Builder is affected.

💻 Affected Systems

Products:
  • Google Voice Builder
Versions: All versions prior to commit f6660e6d8f0d1d931359d591dbdec580fef36d36
Operating Systems: Any OS running Voice Builder
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects two web servers within the project: merlin_model_server and festival_model_server.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data exfiltration, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to steal sensitive data, disrupt services, or use the server for further attacks.

🟢 If Mitigated

Attack blocked at network perimeter or detected before successful exploitation.

🌐 Internet-Facing: HIGH - The vulnerable endpoints are exposed via web servers and can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Even internally accessible servers can be exploited by attackers who gain internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit via HTTP GET requests with malicious query parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: After commit f6660e6d8f0d1d931359d591dbdec580fef36d36

Vendor Advisory: https://github.com/google/voice-builder/commit/f6660e6d8f0d1d931359d591dbdec580fef36d36

Restart Required: Yes

Instructions:

1. Update to the latest Voice Builder version after commit f6660e6d8f0d1d931359d591dbdec580fef36d36.
2. Restart all Voice Builder services.
3. Verify the fix by checking that the vulnerable endpoints no longer accept malicious input.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict access to the vulnerable endpoints using firewall rules or network segmentation.

iptables -A INPUT -p tcp --dport [VOICE_BUILDER_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [VOICE_BUILDER_PORT] -j DROP

Web Application Firewall (all platforms)

Deploy a WAF with command injection detection rules to block exploitation attempts.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs in the affected endpoints.
  • Run Voice Builder services with minimal privileges and in isolated containers or virtual machines.

🔍 How to Verify

Check if Vulnerable:

Check if your Voice Builder version is prior to commit f6660e6d8f0d1d931359d591dbdec580fef36d36 by examining the git commit history or version metadata.

Check Version:

git log --oneline -1

Verify Fix Applied:

Test the /tts and /alignment endpoints with command injection payloads (e.g., '; ls' or '| cat /etc/passwd') to ensure they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • HTTP requests to /tts or /alignment endpoints with suspicious query parameters containing shell metacharacters

Network Indicators:

  • HTTP GET requests to vulnerable endpoints with command injection payloads in query strings

SIEM Query:

source="web_server_logs" AND (uri_path="/tts" OR uri_path="/alignment") AND query_string MATCHES "[;|&`$()]"
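
An added example (not code from Voice Builder or from this advisory) of the log check described above: it percent-decodes each query parameter before testing for the same metacharacters as the SIEM query, so the `&` that separates ordinary parameters is not flagged while encoded forms such as `%3B` are. The combined access-log format and the parameter names `text`, `voice` and `wav` are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints named on this page
WATCHED_PATHS = {"/tts", "/alignment"}
# Same character class as the SIEM query, applied to *decoded* values
SHELL_META = re.compile(r"[;|&`$()]")
# Request part of a combined-format access log line (assumed log format)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for requests to a watched endpoint
    whose decoded parameter values contain shell metacharacters."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rstrip("/") not in WATCHED_PATHS:
        return []
    hits = []
    # parse_qsl splits on '&' and percent-decodes each value, so the
    # separator is never flagged and %3B / %7C are seen as ';' / '|'.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return {line_index: hits} for lines with a suspicious parameter."""
    return {i: h for i, line in enumerate(lines) if (h := suspicious_params(line))}

# Constructed sample lines; parameter names are hypothetical
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2020:00:00:01 +0000] "GET /tts?text=hello&voice=en HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2020:00:00:02 +0000] "GET /tts?text=hi%3B%20ls HTTP/1.1" 200 40',
    '198.51.100.9 - - [01/Jan/2020:00:00:03 +0000] "GET /alignment?wav=a.wav%7C%20cat%20/etc/passwd HTTP/1.1" 500 0',
    '198.51.100.3 - - [01/Jan/2020:00:00:04 +0000] "GET /health?x=%3B HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```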
