Vulnerabilities that allow taking control of Cisco, Zyxel and NETGEAR switches based on RTL83xx chips

Critical vulnerabilities have been identified in switches based on RTL83xx chips, including the Cisco Small Business 220, Zyxel GS1900-24, NETGEAR GS75x, ALLNET ALL-SG8208M and more than a dozen devices from lesser-known manufacturers, that allow an unauthenticated attacker to take control of the switch. The problems stem from errors in the Realtek Managed Switch Controller SDK, whose code was used in preparing the firmware.

The first vulnerability (CVE-2019-1913) affects the web management interface and makes it possible to execute arbitrary code with root privileges. It is caused by insufficient checking of user-supplied parameters and the lack of proper buffer-boundary checks when reading input data. As a result, an attacker can trigger a buffer overflow by sending a specially crafted request and exploit it to execute their own code.
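To make the bug class concrete, here is an added illustration in C; it is not code from the Realtek SDK or any of the affected vendors, and the function and parameter names (get_param_unchecked, get_param_checked, PARAM_MAX) are hypothetical. It shows a small HTTP query-parameter reader in the form the article describes (a copy into a fixed buffer with no comparison against the buffer size) next to a bounded version that rejects over-long values instead of overflowing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination buffer for one parameter value. */
#define PARAM_MAX 32

/* Vulnerable pattern: copies the value following "name=" from a query
 * string into a fixed-size buffer, stopping only at '&' or end of string.
 * The length of the caller-controlled value is never checked against
 * PARAM_MAX, so an over-long value writes past the end of `out`. */
void get_param_unchecked(const char *query, const char *name, char out[PARAM_MAX])
{
    size_t nlen = strlen(name);
    const char *p = query;
    out[0] = '\0';
    if (nlen == 0) return;
    while ((p = strstr(p, name)) != NULL) {
        /* Match only at a parameter boundary ("name=" at start or after '&'). */
        if ((p == query || p[-1] == '&') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t i = 0;
            while (v[i] != '\0' && v[i] != '&') {
                out[i] = v[i];   /* missing: i < PARAM_MAX - 1 */
                i++;
            }
            out[i] = '\0';
            return;
        }
        p += nlen;
    }
}

/* Hardened version: the caller passes the real buffer size, the length of
 * the value is measured before anything is written, and a value that does
 * not fit is rejected rather than silently truncated (truncation can break
 * later parsing in its own way). Returns 0 on success, -1 if the parameter
 * is absent, -2 if the value does not fit in `outsz` bytes. */
int get_param_checked(const char *query, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = query;
    if (outsz == 0) return -2;
    out[0] = '\0';
    if (nlen == 0) return -1;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == query || p[-1] == '&') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");      /* length up to the next '&' */
            if (vlen >= outsz) return -2;        /* leave room for the NUL */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += nlen;
    }
    return -1;
}

int main(void)
{
    char buf[PARAM_MAX];
    /* Constructed sample query strings, not captured traffic. */
    int rc = get_param_checked("user=admin&page=1", "page", buf, sizeof buf);
    printf("page -> rc=%d value=\"%s\"\n", rc, buf);

    char big[128];
    memset(big, 'A', sizeof big);
    memcpy(big, "page=", 5);
    big[sizeof big - 1] = '\0';
    rc = get_param_checked(big, "page", buf, sizeof buf);
    printf("over-long page -> rc=%d (rejected)\n", rc);
    return 0;
}
```

The defensive point is the order of operations: measure the value (strcspn) and compare it with the destination size before a single byte is written, and treat "does not fit" as an error the caller must handle.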

The second vulnerability (CVE-2019-1912) allows arbitrary files to be uploaded to the switch without authentication, including overwriting configuration files and launching a reverse shell for remote login. The problem is caused by an incomplete authorization check in the web interface.
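An added illustration of what an "incomplete authorization check" looks like in a web handler, written in C for this article and not taken from any vendor's firmware; the route names (/login, /config, /upload), the route_t table and the dispatch functions are hypothetical. The first dispatcher trusts each handler to check the session on its own and forgets to do so for the upload handler; the second decides authorization in one place from a route table, so a handler cannot be reached without passing the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One entry of a hypothetical route table: path, whether a valid session is
 * required, and the handler to run. Handlers return an HTTP status code. */
typedef struct {
    const char *path;
    bool requires_auth;
    int (*handler)(void);
} route_t;

static int handle_login(void)       { return 200; }
static int handle_config_page(void) { return 200; }
/* Writes files to the device, so it must never run unauthenticated. */
static int handle_file_upload(void) { return 200; }

/* Vulnerable dispatch: the session check is repeated per route by hand, and
 * the upload route simply lacks it. An unauthenticated request goes straight
 * through to the file-writing handler. */
int dispatch_incomplete(const char *path, bool has_valid_session)
{
    if (strcmp(path, "/login") == 0)
        return handle_login();
    if (strcmp(path, "/config") == 0)
        return has_valid_session ? handle_config_page() : 401;
    if (strcmp(path, "/upload") == 0)
        return handle_file_upload();        /* missing session check */
    return 404;
}

/* Hardened dispatch: every route declares whether it is public, the check is
 * made once before any handler runs, and unknown paths are not served. */
static const route_t routes[] = {
    { "/login",  false, handle_login },
    { "/config", true,  handle_config_page },
    { "/upload", true,  handle_file_upload },
};

int dispatch_central(const char *path, bool has_valid_session)
{
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        if (strcmp(path, routes[i].path) != 0)
            continue;
        if (routes[i].requires_auth && !has_valid_session)
            return 401;
        return routes[i].handler();
    }
    return 404;
}

int main(void)
{
    /* Constructed requests: an unauthenticated upload against both dispatchers. */
    int flawed = dispatch_incomplete("/upload", false);   /* 200: reaches the handler */
    int fixed  = dispatch_central("/upload", false);      /* 401: denied */
    return (flawed == 200 && fixed == 401) ? 0 : 1;
}
```

A table like this is also easy to review: an auditor can confirm that every file-writing or configuration-changing route carries requires_auth without reading each handler body.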

Also noteworthy is the fix for a less dangerous vulnerability (CVE-2019-1914), which allows an authenticated but unprivileged user of the web interface to execute arbitrary commands with root privileges. The issues are fixed in firmware updates for the Cisco Small Business 220 (1.1.4.4), Zyxel and NETGEAR. A detailed description of the exploitation methods is scheduled for publication on 20 August.

The problems are also present in other devices based on RTL83xx chips, but for these they have not yet been confirmed by the manufacturers and have not been fixed:

  • EnGenius EGS2110P, EWS1200-28TFP, EWS1200-28TFP;
  • PLANET GS-4210-8P2S, GS-4210-24T2;
  • DrayTek VigorSwitch P1100;
  • CERIO CS-2424G-24P;
  • Xhome DownLoop-G24M;
  • Abaniact (INABA) AML2-PS16-17GP L2;
  • Araknis Networks (SnapAV) AN-310-SW-16-POE;
  • EDIMAX GS-5424PLC, GS-5424PLC;
  • Open Mesh OMS24;
  • Pakedgedevice SX-8P;
  • TG-NET P3026M-24POE.

Source: opennet.ru