CVE-2019-1912
📋 TL;DR
An unauthenticated remote attacker can upload arbitrary files to Cisco Small Business 220 Series Smart Switches via the web management interface due to incomplete authorization checks. This allows configuration modification or reverse shell injection. Affects switches running firmware versions prior to 1.1.4.4 with the web management interface enabled.
💻 Affected Systems
- Cisco Small Business 220 Series Smart Switches
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attacker to modify configurations, inject reverse shells for persistent access, and potentially pivot to other network segments.
Likely Case
Unauthorized configuration changes leading to network disruption, data interception, or denial of service.
If Mitigated
Limited impact if web management interface is disabled or network access is restricted.
🎯 Exploit Status
Exploit requires sending malicious HTTP/HTTPS requests to specific web interface endpoints. Public exploit code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.4.4 or later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass
Restart Required: Yes
Instructions:
1. Download firmware version 1.1.4.4 or later from Cisco website.
2. Log into switch web interface.
3. Navigate to Administration > File Management > Firmware Upgrade.
4. Upload new firmware file.
5. Reboot switch after upgrade completes.
🔧 Temporary Workarounds
Disable web management interface
Disable the HTTP/HTTPS web management interface and use the CLI or other management methods instead.
configure terminal
no ip http server
no ip http secure-server
end
write memory
Restrict network access
Use firewall rules to restrict access to switch management interfaces to trusted IP addresses only.
🧯 If You Can't Patch
- Disable web management interface immediately
- Implement strict network segmentation and firewall rules to limit access to management interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > System Summary) or CLI (show version). If version is below 1.1.4.4 and web interface is enabled, device is vulnerable.
Check Version:
show version
Verify Fix Applied:
After upgrade, verify firmware version is 1.1.4.4 or higher and test that unauthorized file upload attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file upload attempts in web server logs
- Unexpected configuration changes
- Unusual HTTP POST requests to management interface
Network Indicators:
- HTTP/HTTPS requests to switch management interface from untrusted sources
- File upload requests to unusual endpoints
SIEM Query:
source_ip NOT IN trusted_networks AND dest_port IN (80,443) AND dest_ip IN switch_management_ips AND (uri CONTAINS 'upload' OR method='POST')
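The query above is written in a generic syntax. As an added example (not part of the original page or any vendor tooling), the same logic can be run over exported proxy or web-log records in Python. The field names follow the query; the trusted range, switch addresses, and sample records are constructed assumptions.

```python
import ipaddress

# Assumed, constructed values: substitute your own trusted ranges and switch IPs.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
SWITCH_MGMT_IPS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
WEB_PORTS = {80, 443}

def matches(event):
    """True when one request record satisfies every condition of the query."""
    try:
        src = ipaddress.ip_address(event["source_ip"])
        dst = ipaddress.ip_address(event["dest_ip"])
        port = int(event["dest_port"])
    except (KeyError, TypeError, ValueError):
        return False  # malformed or incomplete record: cannot be evaluated
    if any(src in net for net in TRUSTED_NETWORKS):
        return False  # source_ip NOT IN trusted_networks
    if dst not in SWITCH_MGMT_IPS or port not in WEB_PORTS:
        return False  # dest_ip IN switch_management_ips AND dest_port IN (80,443)
    # uri CONTAINS 'upload' OR method='POST' (case-insensitive here, an assumption)
    uri = str(event.get("uri", "")).lower()
    method = str(event.get("method", "")).upper()
    return "upload" in uri or method == "POST"

def detect(events):
    """Return the records that should raise an alert, in input order."""
    return [e for e in events if matches(e)]

def _ev(i, src, dst, port, method, uri):
    return {"id": i, "source_ip": src, "dest_ip": dst,
            "dest_port": port, "method": method, "uri": uri}

# Constructed sample records (documentation IP ranges, placeholder URIs).
SAMPLE_EVENTS = [
    _ev(1, "203.0.113.50", "192.0.2.10", 443, "POST", "/placeholder/upload"),
    _ev(2, "10.10.0.5", "192.0.2.10", 443, "POST", "/placeholder/upload"),    # trusted admin
    _ev(3, "203.0.113.50", "192.0.2.10", 80, "GET", "/placeholder/index"),    # no upload/POST
    _ev(4, "198.51.100.7", "192.0.2.11", 80, "GET", "/placeholder/Upload"),   # URI match only
    _ev(5, "198.51.100.7", "192.0.2.99", 443, "POST", "/placeholder/upload"), # not a switch
    _ev(6, "not-an-ip", "192.0.2.10", 443, "POST", "/placeholder/upload"),    # malformed
    _ev(7, "198.51.100.7", "192.0.2.10", 8080, "POST", "/placeholder/upload"),# other port
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit["id"], hit["source_ip"], "->", hit["dest_ip"],
              hit["method"], hit["uri"])
```

Because the query alerts on any POST from an untrusted source, expect noise from failed logins by legitimate remote users; tightening `TRUSTED_NETWORKS` is the main tuning lever.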
🔗 References
- http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass