CVE-2019-5619

9.8 CRITICAL

📋 TL;DR

CVE-2019-5619 is a critical stack-based buffer overflow vulnerability in AASync FTP server software that allows remote attackers to execute arbitrary code on affected systems. Attackers can exploit this vulnerability by sending specially crafted FTP LIST commands to vulnerable servers. Organizations running AASync version 2.2.1.0 are affected.

💻 Affected Systems

Products:
  • AASync FTP Server
Versions: 2.2.1.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the FTP LIST command handler. All default installations of version 2.2.1.0 are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution leading to full administrative control, data theft, and potential lateral movement within the network.

🟠 Likely Case

Remote code execution leading to malware deployment, data exfiltration, or ransomware installation on vulnerable servers.

🟢 If Mitigated

Denial of service or application crash if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - FTP servers are typically internet-facing and this vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal FTP servers could be exploited by compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available (exploit/windows/ftp/aasync_list_reply). Exploitation is straightforward and reliable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a different FTP server solution or implementing workarounds.

🔧 Temporary Workarounds

Network-based blocking (Windows)

Block FTP LIST command at network perimeter or using host-based firewall rules. Note that a port-level firewall cannot inspect individual FTP commands: the rule below blocks all inbound TCP/21 connections to the AASync executable, so it removes FTP access entirely rather than only LIST. Narrow remoteip to untrusted ranges if some clients must keep access.

netsh advfirewall firewall add rule name="Block FTP LIST" dir=in action=block protocol=TCP localport=21 remoteip=any program="%ProgramFiles%\AASync\aasync.exe"

Disable FTP service (Windows)

Stop and disable the AASync FTP service if it is not required.

sc stop AASync
sc config AASync start= disabled

🧯 If You Can't Patch

  • Isolate vulnerable systems in a separate network segment with strict access controls
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check AASync version in Help > About menu or examine file properties of aasync.exe. Version 2.2.1.0 is vulnerable.

Check Version:

wmic datafile where name="C:\\Program Files\\AASync\\aasync.exe" get version

Verify Fix Applied:

Verify AASync is no longer running or has been upgraded to a different version. Test with Metasploit module to confirm exploit no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed FTP LIST commands
  • Unusual FTP command patterns
  • Application crash logs from AASync

Network Indicators:

  • FTP LIST commands with unusually long parameters
  • Traffic patterns matching Metasploit exploit module

SIEM Query (pseudo-syntax; map the field names to your log source's schema):

source="ftp.log" AND command="LIST" AND (parameter_length>100 OR parameter contains "\x90")
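The query above, implemented as a standalone scanner over plain-text FTP command logs. This is an added example, not part of the original advisory; the log line format ("<timestamp> <client-ip> <command> [<argument>]") and the sample lines are assumptions constructed for illustration.

```python
# Added example (not from the advisory): the SIEM query above as a scanner
# for plain-text FTP command logs. Assumed format: one command per line,
# "<timestamp> <client-ip> <command> [<argument>]" (constructed).
import re

MAX_LIST_ARG_LEN = 100                  # threshold from the advisory's query
NOP_MARKERS = ("\x90", "\\x90")         # raw NOP byte or its escaped text form
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$"
)


def parse_line(line):
    """Split one log line into fields; None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["arg"] = rec["arg"] or ""       # commands without an argument
    return rec


def list_reason(rec):
    """Why a LIST record looks like an overflow attempt, or None if benign."""
    if rec["cmd"].upper() != "LIST":
        return None
    arg = rec["arg"]
    if any(marker in arg for marker in NOP_MARKERS):
        return "nop_sled_bytes"         # 0x90 filler is the classic sled
    if len(arg) > MAX_LIST_ARG_LEN:
        return "argument_length=%d" % len(arg)
    return None


def scan(lines):
    """One finding per suspicious LIST line: (timestamp, client, reason)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip unparseable or noise lines
        reason = list_reason(rec)
        if reason:
            findings.append((rec["ts"], rec["client"], reason))
    return findings


# Constructed sample log: a normal session plus two anomalous LIST commands.
SAMPLE_LOG = [
    "2019-05-01T10:00:01Z 10.0.0.5 USER anonymous",
    "2019-05-01T10:00:02Z 10.0.0.5 LIST /pub",
    "2019-05-01T10:00:03Z 10.0.0.9 LIST " + "A" * 300,
    "2019-05-01T10:00:04Z 10.0.0.9 LIST " + "\\x90" * 8 + "BBBB",
]
```

Feed real log lines to scan() after adjusting LINE_RE to your server's format; the two thresholds are the advisory's and should be tuned against a baseline of normal LIST arguments.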
