CVE-2019-19945
📋 TL;DR
An integer signedness error in uhttpd, OpenWrt's built-in web server, lets an unauthenticated attacker cause an out-of-bounds access to a heap buffer by sending an HTTP POST to a CGI script that carries both 'Transfer-Encoding: chunked' and a large negative 'Content-Length'. Affected: OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2. The documented effect is a crash of uhttpd (denial of service); because it is memory corruption on the heap, the worst case is remote code execution.
💻 Affected Systems
- OpenWrt
📦 What is this software?
OpenWrt (vendor: the OpenWrt project) is a Linux distribution for routers and other embedded network devices. uhttpd is the small HTTP server it ships by default; it serves the LuCI web interface and runs CGI scripts under /cgi-bin.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise: malware on the router, pivoting into the internal network, or a persistent backdoor. The advisory documents a crash; turning the out-of-bounds heap access into code execution has not been shown, so treat this as the theoretical ceiling.
Likely Case
uhttpd crashes on the malformed request, taking the web management interface (LuCI) and anything else served by uhttpd offline. procd respawns the service, so an attacker has to keep sending requests to keep it down.
If Mitigated
With uhttpd reachable only from trusted LAN hosts (OpenWrt's default firewall rejects WAN input) the bug is not reachable from the Internet; with respawn in place, a successful hit costs a brief outage rather than a persistent one.
🎯 Exploit Status
A single unauthenticated HTTP POST with the two conflicting headers crashes the service; no credentials or prior foothold are needed, and public proof-of-concept requests exist. The attacker must be able to open a TCP connection to uhttpd: browsers refuse to set Transfer-Encoding and Content-Length on scripted cross-site requests, so this is not reachable through CSRF, and OpenWrt's default firewall does not expose uhttpd on the WAN.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenWrt 18.06.6 and 19.07.0
Vendor Advisory: https://openwrt.org/advisory/2020-01-13-1
Restart Required: Yes
Instructions:
1. Update the package: 'opkg update && opkg upgrade uhttpd'. This only helps if the package feed configured on the device already carries the fixed build; check with 'opkg list-upgradable' first.
2. Otherwise flash a fixed release (18.06.6, 19.07.0 or later) from the OpenWrt downloads site using sysupgrade.
3. Restart the service: '/etc/init.d/uhttpd restart', or reboot the device.
🔧 Temporary Workarounds
Disable uhttpd Web Interface
Temporarily stop the vulnerable web server until patching is possible. This also takes LuCI offline; SSH and uci remain available for administration.
/etc/init.d/uhttpd stop
/etc/init.d/uhttpd disable
Restrict Network Access
Block access to uhttpd's ports (80/443 by default) from untrusted networks. On OpenWrt the default firewall already rejects WAN input, so the exposure is usually LAN-side. Raw iptables rules are lost on the next firewall reload or reboot; to persist them put them in /etc/firewall.user (18.06/19.07), or instead bind uhttpd to the LAN address only through the listen_http/listen_https options in /etc/config/uhttpd. The rules must be inserted (-I), not appended (-A): fw3's zone chains accept LAN traffic before anything appended to INPUT is reached. Note that these rules also cut off LuCI for every host, including yours.
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Isolate affected devices in separate network segments with strict firewall rules
- Implement network-based intrusion prevention systems (IPS) to detect and block exploit attempts
🔍 How to Verify
Check if Vulnerable:
Check the OpenWrt release with 'cat /etc/openwrt_release' (the DISTRIB_RELEASE field). If it is 18.06.5 or earlier (including the 17.01 and older series), or 19.07.0-rc1/rc2, the device is vulnerable. 'opkg list-installed | grep uhttpd' shows the uhttpd package version, which is a git snapshot date rather than the release number; it is only useful on snapshot or custom builds where you know which uhttpd revision carries the fix.
Check Version:
cat /etc/openwrt_release | grep DISTRIB_RELEASE
Verify Fix Applied:
After updating, 'cat /etc/openwrt_release' should report DISTRIB_RELEASE 18.06.6, 19.07.0 or later. Do not expect '18.06.6' in 'opkg list-installed' output: the uhttpd package version is a date string, not the release number. Confirm the service is back ('ps | grep [u]httpd' and a login to LuCI). On a test device only, send the crafted request while watching 'logread -f': a fixed build answers with an error instead of being respawned by procd.
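As an added example (not part of the advisory or of OpenWrt's own tooling), the release check above written as a small Python script to run on a management host against a copy of the device's /etc/openwrt_release (fetched with scp, for instance). The sample file contents are constructed; the version logic encodes the affected ranges stated above: everything through 18.06.5, and 19.x through 19.07.0-rc2, fixed in 18.06.6 and 19.07.0.

```python
import re

# Constructed sample of /etc/openwrt_release (not copied from a real device).
SAMPLE_RELEASE_FILE = """DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.5'
DISTRIB_REVISION='r7897-9d401013fc'
DISTRIB_TARGET='ath79/generic'
DISTRIB_DESCRIPTION='OpenWrt 18.06.5 r7897-9d401013fc'
"""

# First fixed release of each affected series, per the CVE-2019-19945 advisory.
FIXED_18_06 = "18.06.6"
FIXED_19_07 = "19.07.0"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_openwrt_release(text):
    """Parse the KEY='value' lines of /etc/openwrt_release into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_]+)='(.*)'$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def release_key(release):
    """Sortable tuple for 'MAJOR.MINOR.PATCH[-rcN]'. A release candidate sorts
    before the final release it precedes. Returns None for SNAPSHOT or junk."""
    m = _VER_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    rc_key = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch), rc_key)


def is_vulnerable_release(release):
    """True if this OpenWrt release ships an affected uhttpd, False if fixed,
    None if the release string cannot be classified (e.g. SNAPSHOT)."""
    key = release_key(release)
    if key is None:
        return None
    if key[:2] <= (18, 6):
        # 18.06.x and every older series (17.01, 15.05, ...): fixed from 18.06.6 on
        return key < release_key(FIXED_18_06)
    # 19.07.0-rcN is affected; 19.07.0 and every later series are fixed
    return key < release_key(FIXED_19_07)


def check_release_file(text):
    """Return (release, verdict) for the contents of /etc/openwrt_release."""
    release = parse_openwrt_release(text).get("DISTRIB_RELEASE", "")
    return release, is_vulnerable_release(release)


if __name__ == "__main__":
    release, verdict = check_release_file(SAMPLE_RELEASE_FILE)
    status = {True: "VULNERABLE", False: "fixed", None: "unknown (snapshot?)"}[verdict]
    print(f"OpenWrt {release}: {status}")
```

The release string is a proxy: on a snapshot build, or a custom image with a backported uhttpd, it says nothing, and the script reports unknown. In that case compare the uhttpd package version from 'opkg list-installed' against the revision that carries the fix.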
📡 Detection & Monitoring
Log Indicators:
- OpenWrt logs to a ring buffer (logd), read with 'logread' or 'logread -f'; /var/log/messages only exists if a log file has been configured. A crash shows up as procd messages about the uhttpd instance exiting and being respawned, or being in a crash loop after repeated hits.
- uhttpd keeps no access log, so requests carrying both 'Transfer-Encoding: chunked' and a negative Content-Length are only visible in a packet capture, on a reverse proxy, or in an IDS in front of the device.
Network Indicators:
- HTTP POST requests to CGI endpoints with conflicting chunked encoding and negative content-length headers
- Unusual traffic to device management interfaces
SIEM Query (pseudo-query; field names depend on the source, which has to be an IDS, proxy or pcap parser since uhttpd itself does not log request headers; Content-Length arrives as a string, so match it with a pattern rather than a numeric compare):
http.method="POST" AND http.request.header.transfer_encoding="chunked" AND http.request.header.content_length MATCHES "^-[0-9]+"
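As an added example that is not part of the page or of any OpenWrt tooling, the network indicators above turned into detection logic: a minimal HTTP/1.1 request-head parser and a classifier that separates the CVE-2019-19945 trigger shape (chunked POST with a negative Content-Length) from the broader Transfer-Encoding/Content-Length conflict that RFC 7230 section 3.3.3 says a server must not silently trust, and from a merely malformed Content-Length. The request samples are constructed, not captured; 192.168.1.1 and /cgi-bin/luci are OpenWrt's default LAN address and LuCI's CGI path. The CGI path is deliberately not required for a match, since uhttpd's CGI prefix is configurable.

```python
import re

# Constructed sample requests (not captured traffic), keyed by what each one is.
SAMPLES = {
    # the CVE-2019-19945 shape: POST to a CGI script, chunked, negative Content-Length
    "cve_pattern": (
        b"POST /cgi-bin/luci HTTP/1.1\r\n"
        b"Host: 192.168.1.1\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"Content-Length: -2147483648\r\n"
        b"\r\n0\r\n\r\n"
    ),
    # chunked plus a well-formed Content-Length: not this CVE, but a TE/CL conflict
    # (request-smuggling shape) that a server must not accept unchallenged
    "te_cl_conflict": (
        b"POST /cgi-bin/luci HTTP/1.1\r\n"
        b"Host: 192.168.1.1\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"Content-Length: 5\r\n"
        b"\r\n0\r\n\r\n"
    ),
    # an ordinary form POST with a correct Content-Length
    "benign_post": (
        b"POST /cgi-bin/luci HTTP/1.1\r\n"
        b"Host: 192.168.1.1\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 24\r\n"
        b"\r\nusername=root&password=x"
    ),
    # an ordinary chunked body with no Content-Length at all
    "benign_chunked": (
        b"POST /cgi-bin/luci HTTP/1.1\r\n"
        b"Host: 192.168.1.1\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n5\r\nhello\r\n0\r\n\r\n"
    ),
    # negative Content-Length without chunked: malformed, but not the trigger
    "bad_cl_get": (
        b"GET /cgi-bin/luci HTTP/1.1\r\n"
        b"Host: 192.168.1.1\r\n"
        b"Content-Length: -1\r\n"
        b"\r\n"
    ),
}


def parse_request_head(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def classify_request(raw):
    """Verdict for one request head:
    'cve-2019-19945'  chunked POST carrying a negative Content-Length (the trigger shape)
    'te-cl-conflict'  chunked plus any Content-Length (RFC 7230 s3.3.3 conflict)
    'bad-cl'          a Content-Length that is not 1*DIGIT
    'benign'          nothing of interest
    """
    method, _target, headers = parse_request_head(raw)
    codings = [c.strip().lower()
               for value in headers.get("transfer-encoding", [])
               for c in value.split(",")]
    chunked = "chunked" in codings
    cl_values = headers.get("content-length", [])
    negative_cl = any(re.fullmatch(r"-\d+", v) for v in cl_values)
    bad_cl = any(not re.fullmatch(r"\d+", v) for v in cl_values)
    if method == "POST" and chunked and negative_cl:
        return "cve-2019-19945"
    if chunked and cl_values:
        return "te-cl-conflict"
    if bad_cl:
        return "bad-cl"
    return "benign"


def scan(samples):
    """Classify a mapping of name -> raw request; returns {name: verdict}."""
    return {name: classify_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:16s} {verdict}")
```

Feed it request heads reconstructed from a pcap or from a proxy's header log; anything classified as 'cve-2019-19945' against a device on an affected release is an attack attempt, and 'te-cl-conflict' is worth a look regardless of this CVE.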