Attacker Value
Very Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2019-1892

Disclosure Date: July 06, 2019 Last updated February 13, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Cisco Small Business 200/300/500 Series Managed Switch HTTPS validation allows a memory corruption (DoS)

Add Assessment

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Technical Analysis

This is a memory corruption vulnerability that allows an attacker to send a malformed HTTPS packet, which will then generate the corruption. At this time, there are no reports that the memory corruption will result in remote code execution, just a Denial of Service.

These switches are not Cisco’s flagship products, so distribution will be limited, though that also means they are likely to be in locations without robust IT support, and upgrading the software on a core switch can be daunting and may have unanticipated consequences to the configuration, especially for novices.

While the surface area for attack is limited, this will likely retain a longer shelf life. It requires that HTTPS be enabled on the switch, which should be done to prevent eavesdropping, anyway.

Mitigations are fairly straight-forward; it is not a great practice to allow access to critical infrastructure configuration ports from untrusted areas, you should not disable the HTTPS connections, and there is a patch available from Cisco.

Log in to Add Reply

General Information

Offensive Application
dos
Utility Class
other
Ports
443
OS
Unknown
Vulnerable Versions
< 1.4.10.6
Prerequisites
Unknown
Discovered By
Cisco
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Never
Exploitable
Always
Reliability
Moderate
Stability
Moderate
Available Mitigations
Very Strong
Shelf Life
Long
Userbase/Installbase
Large
Patch Effectiveness
Very High
Technical Analysis