ID

VAR-202002-0403


CVE

CVE-2019-19356


TITLE

Netis WF2419 In OS Command injection vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-014562

DESCRIPTION

Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing. Netis WF2419 To OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Netis WF2419 is a 300Mbps wireless router. The vulnerability stems from a lack of validation of user input

Trust: 2.25

sources: NVD: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-04554

AFFECTED PRODUCTS

vendor:netismodel:wf2419scope:eqversion:1.2.31805

Trust: 2.4

vendor:netismodel:wf2419scope:eqversion:2.2.36123

Trust: 2.4

sources: CNVD: CNVD-2020-04554 // JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-19356
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-014562
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-04554
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202002-238
value: HIGH

Trust: 0.6

VULMON: CVE-2019-19356
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-19356
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-014562
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-04554
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-19356
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-014562
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // CNNVD: CNNVD-202002-238 // NVD: CVE-2019-19356

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-014562 // NVD: CVE-2019-19356

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-238

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-238

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014562

PATCH

title:WF2419url:http://www.netis-systems.com/Suppory/de_details/id/1/de/44.html

Trust: 0.8

title:NETIS router (WF2419) RCE (CVE-2019-19356) Context Prerequisites Vulnerability details Exploiturl:https://github.com/shadowgatt/CVE-2019-19356

Trust: 0.1

title:CVE-2019-19356 cd CVE-2019-19356 docker-compose up -durl:https://github.com/qq1515406085/CVE-2019-19356

Trust: 0.1

title:Known Exploited Vulnerabilities Detectorurl:https://github.com/Ostorlab/KEV

Trust: 0.1

title:PoC in GitHuburl:https://github.com/hectorgie/PoC-in-GitHub

Trust: 0.1

title:PoC in GitHuburl:https://github.com/developer3000S/PoC-in-GitHub

Trust: 0.1

title:PoC in GitHuburl:https://github.com/0xT11/CVE-POC

Trust: 0.1

sources: VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562

EXTERNAL IDS

db:NVDid:CVE-2019-19356

Trust: 3.1

db:PACKETSTORMid:156588

Trust: 1.7

db:JVNDBid:JVNDB-2019-014562

Trust: 0.8

db:CNVDid:CNVD-2020-04554

Trust: 0.6

db:CXSECURITYid:WLB-2020030011

Trust: 0.6

db:CNNVDid:CNNVD-202002-238

Trust: 0.6

db:VULMONid:CVE-2019-19356

Trust: 0.1

sources: CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // CNNVD: CNNVD-202002-238 // NVD: CVE-2019-19356

REFERENCES

url:https://www.digital.security/en/blog/netis-routers-remote-code-execution-cve-2019-19356

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-19356

Trust: 2.0

url:https://github.com/shadowgatt/cve-2019-19356

Trust: 1.8

url:http://packetstormsecurity.com/files/156588/netis-wf2419-2.2.36123-remote-code-execution.html

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19356

Trust: 0.8

url:https://cxsecurity.com/issue/wlb-2020030011

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-04554 // VULMON: CVE-2019-19356 // JVNDB: JVNDB-2019-014562 // CNNVD: CNNVD-202002-238 // NVD: CVE-2019-19356

CREDITS

Elias Issa

Trust: 0.6

sources: CNNVD: CNNVD-202002-238

SOURCES

db:CNVDid:CNVD-2020-04554
db:VULMONid:CVE-2019-19356
db:JVNDBid:JVNDB-2019-014562
db:CNNVDid:CNNVD-202002-238
db:NVDid:CVE-2019-19356

LAST UPDATE DATE

2024-08-14T13:55:07.080000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-04554date:2020-02-11T00:00:00
db:VULMONid:CVE-2019-19356date:2022-01-01T00:00:00
db:JVNDBid:JVNDB-2019-014562date:2020-02-28T00:00:00
db:CNNVDid:CNNVD-202002-238date:2022-01-04T00:00:00
db:NVDid:CVE-2019-19356date:2022-01-01T19:57:27.453

SOURCES RELEASE DATE

db:CNVDid:CNVD-2020-04554date:2020-02-11T00:00:00
db:VULMONid:CVE-2019-19356date:2020-02-07T00:00:00
db:JVNDBid:JVNDB-2019-014562date:2020-02-28T00:00:00
db:CNNVDid:CNNVD-202002-238date:2020-02-07T00:00:00
db:NVDid:CVE-2019-19356date:2020-02-07T23:15:10.013