ASA-2019-00616 – MikroTik RouterOS: Relative Path Traversal in NPK Parsing

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00616

Identifier(s)

ASA-2019-00616, CVE-2019-3976, TRA-2019-46

Title

Relative Path Traversal in NPK Parsing

Vendor(s)

MikroTik

Product(s)

MikroTik RouterOS

Affected version(s)

MikroTik RouterOS stable versions before 6.45.7
MikroTik RouterOS long-term versions before 6.44.6

Fixed version(s)

MikroTik RouterOS stable version 6.45.7
MikroTik RouterOS long-term version 6.44.6

Proof of concept

Yes

Description

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package’s name field. If an authenticated user installs a malicious package then a directory could be created and the developer shell could be enabled.

Technical details

Unknown

Credits

Jacob Baines (Tenable Research)

Reference(s)

MikroTik RouterOS Multiple Vulnerabilities
https://www.tenable.com/security/research/tra-2019-46

RouterOS: Chain to Root
https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21

Option NPK
https://github.com/tenable/routeros/tree/master/option_npk/

MikroTik Routers and Wireless – Software
https://mikrotik.com/download/changelogs

CVE-2019-3976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3976

CVE-2019-3976
https://nvd.nist.gov/vuln/detail/CVE-2019-3976

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.