ASA-2019-00473 – Mikrotik RouterOS: Memory exhaustion via a crafted POST request


Allele Security Alert

ASA-2019-00473

Identifier(s)

ASA-2019-00473, CVE-2019-13954

Title

Memory exhaustion via a crafted POST request

Vendor(s)

Mikrotik

Product(s)

Mikrotik RouterOS

Affected version(s)

Mikrotik RouterOS long-term release tree before version 6.44.5
Mikrotik RouterOS stable release tree before version 6.45.1

Fixed version(s)

Mikrotik RouterOS long-term release tree version 6.44.5
Mikrotik RouterOS stable release tree version 6.45.1

Proof of concept

Yes

Description

This vulnerability is similiar to the CVE-2018-1157. An authenticated user can cause the www binary to consume all memory via a crafted POST request to /jsproxy/upload. It’s because of the incomplete fix for the CVE-2018-1157.

Technical details

Based on the public proof of concept for CVE-2018-1157, crafting a filename ending with many ‘\x00’ can bypass the original fix to trigger the vulnerability.

Credits

Qian Chen (Qihoo 360 Nirvan Team)

Reference(s)

Two vulnerabilities found in MikroTik’s RouterOS
https://seclists.org/fulldisclosure/2019/Jul/20

CVE-2018-1157
https://github.com/tenable/routeros/tree/master/poc/cve_2018_1157

Long-term release tree
https://mikrotik.com/download/changelogs/long-term-release-tree

Stable release tree
https://mikrotik.com/download/changelogs/stable-release-tree

CVE-2018-1157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1157

CVE-2018-1157
https://nvd.nist.gov/vuln/detail/CVE-2018-1157

CVE-2019-13954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13954

CVE-2019-13954
https://nvd.nist.gov/vuln/detail/CVE-2019-13954

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 26, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.