Allele Security Alert
ASA-2019-00474
Identifier(s)
ASA-2019-00474, CVE-2019-13955
Title
Stack exhaustion via recursive parsing of JSON
Vendor(s)
Mikrotik
Product(s)
Mikrotik RouterOS
Affected version(s)
Mikrotik RouterOS long-term release tree before version 6.44.5
Mikrotik RouterOS stable release tree before version 6.45.1
Fixed version(s)
Mikrotik RouterOS long-term release tree version 6.44.5
Mikrotik RouterOS stable release tree version 6.45.1
Proof of concept
Yes
Description
This vulnerability is similar to CVE-2018-1158. An authenticated user communicating with the www binary can trigger a stack exhaustion vulnerability via recursive parsing of JSON containing message type M.
Technical details
Based on the public proof of concept for CVE-2018-1158, crafting a JSON message with type M can trigger the vulnerability. A simple Python script to generate the crafted message is as follows.
# Each pass wraps the innermost empty array in one more M-typed level.
msg = "{M01:[M01:[]]}"
for _ in range(2000):
    msg = msg.replace('[]', "[M01:[]]")
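A parser that recurses once per nesting level needs a depth bound enforced before it descends. The following is an added example, not part of the original advisory and not MikroTik's code, of an iterative pre-parse check that rejects over-nested messages. The limit of 32, the quote and escape handling, and the names check_nesting and NestingError are assumptions made for illustration.

```python
# Added example: defensive pre-parse nesting check (not vendor code).
MAX_DEPTH = 32  # assumed policy limit; set to the deepest legitimate message

OPENERS = {"[": "]", "{": "}"}
CLOSERS = set(OPENERS.values())


class NestingError(ValueError):
    """Raised when a message is nested too deeply or is unbalanced."""


def check_nesting(msg, max_depth=MAX_DEPTH):
    """Return the maximum container depth of msg, or raise NestingError.

    An explicit stack replaces recursion, so the check itself cannot
    exhaust the call stack, and it stops at the first violation.
    """
    stack = []       # closing characters still expected, innermost last
    deepest = 0
    quote = None     # active string delimiter (assumed ' or ")
    escaped = False
    for pos, ch in enumerate(msg):
        if quote:
            # Brackets inside string values do not count as nesting.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch in OPENERS:
            stack.append(OPENERS[ch])
            if len(stack) > max_depth:
                raise NestingError("depth limit exceeded at offset %d" % pos)
            deepest = max(deepest, len(stack))
        elif ch in CLOSERS:
            if not stack or stack.pop() != ch:
                raise NestingError("unbalanced %r at offset %d" % (ch, pos))
    if stack or quote:
        raise NestingError("unterminated container or string")
    return deepest


if __name__ == "__main__":
    print(check_nesting("{M01:[M01:[]]}"))  # constructed sample message
```

Run the check on the raw request body before it reaches the recursive parser, and log rejections, since legitimate clients should never approach the limit.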
Credits
Qian Chen (Qihoo 360 Nirvan Team)
Reference(s)
Two vulnerabilities found in MikroTik’s RouterOS
https://seclists.org/fulldisclosure/2019/Jul/20
CVE-2018-1158
https://github.com/tenable/routeros/tree/master/poc/cve_2018_1158
Long-term release tree
https://mikrotik.com/download/changelogs/long-term-release-tree
Stable release tree
https://mikrotik.com/download/changelogs/stable-release-tree
CVE-2018-1158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1158
CVE-2018-1158
https://nvd.nist.gov/vuln/detail/CVE-2018-1158
CVE-2019-13955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13955
CVE-2019-13955
https://nvd.nist.gov/vuln/detail/CVE-2019-13955
Last modified: July 26, 2019