Allele Security Alert
ASA-2019-00525
Identifier(s)
ASA-2019-00525, CVE-2019-15055, FG-VD-19-108
Title
Authenticated Arbitrary File Deletion Vulnerability
Vendor(s)
Unknown
Product(s)
MikroTik RouterOS
Affected version(s)
MikroTik RouterOS through version 6.44.5
MikroTik RouterOS versions 6.45.x through 6.45.3
Fixed version(s)
MikroTik RouterOS testing version 6.46beta34 (2019-Aug-22 06:24)
MikroTik RouterOS stable version 6.45.5 (2019-Aug-26 10:56)
Proof of concept
Yes
Description
An authenticated arbitrary file deletion vulnerability exists in MikroTik RouterOS. Successful exploitation of this vulnerability would allow a remote authenticated attacker to delete arbitrary files on the system, which could lead to privilege escalation.
Technical details
Unknown
Credits
Tin Duong (Fortinet FortiGuard Labs)
Reference(s)
Fortinet Discovers MikroTik RouterOS Authenticated Arbitrary File Deletion Vulnerability
https://fortiguard.com/zeroday/FG-VD-19-108
Rooting RouterOS with a USB Drive
https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90
CVE-2019-15055 USB to Root
https://www.youtube.com/watch?v=HIIqEi0_uN4&feature=youtu.be
Testing release tree
https://mikrotik.com/download/changelogs/testing-release-tree
Stable release tree
https://mikrotik.com/download/changelogs/stable-release-tree
CVE-2019-15055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15055
CVE-2019-15055
https://nvd.nist.gov/vuln/detail/CVE-2019-15055
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 3, 2019