ASA-2019-00617 – MikroTik RouterOS: Insufficient Validation of Upgrade Package’s Origin


Allele Security Alert

ASA-2019-00617

Identifier(s)

ASA-2019-00617, CVE-2019-3977, TRA-2019-46

Title

Insufficient Validation of Upgrade Package’s Origin

Vendor(s)

MikroTik

Product(s)

MikroTik RouterOS

Affected version(s)

MikroTik RouterOS Stable versions before 6.45.7
MikroTik RouterOS Long-term versions before 6.44.6

Fixed version(s)

MikroTik RouterOS Stable version 6.45.7
MikroTik RouterOS Long-term version 6.44.6

Proof of concept

Unknown

Description

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and earlier versions insufficiently validate where upgrade packages are downloaded from when using the autoupgrade feature. A remote attacker who controls the download source can therefore trick the router into "upgrading" to an older version of RouterOS, and a rollback to an older release can in turn reset all of the system's usernames and passwords. Nothing in the affected autoupgrade flow ties the package to the expected update server or refuses a version lower than the one already running, so both the origin check and the rollback check are missing.
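The two checks the description says are missing, written out as an added example. This is not RouterOS code and not Tenable's proof of concept; it models an autoupgrade client in Python, with an HMAC over the package standing in for the vendor's real signature scheme, a constructed vendor key, and a pinned origin of https://upgrade.mikrotik.com assumed for illustration. The version number is read from inside the signed region so that it cannot be relabelled in transit, and the hardened check refuses both an unpinned origin and a rollback.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse

# Assumed for the example: an HMAC key stands in for the vendor's package
# signing key, and the update origin is pinned to one scheme/host pair.
VENDOR_KEY = b"constructed-vendor-signing-key"
PINNED_ORIGIN = ("https", "upgrade.mikrotik.com")
MAC_LEN = 32  # SHA-256 digest size


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.45.7' into (6, 45, 7); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def sign_package(version: str, body: bytes) -> bytes:
    """Build a signed package blob: version header, body, then the vendor MAC.
    The version sits inside the signed region, so relabelling it breaks the MAC."""
    signed_region = b"version=" + version.encode() + b"\n" + body
    mac = hmac.new(VENDOR_KEY, signed_region, hashlib.sha256).digest()
    return signed_region + mac


@dataclass
class Package:
    source_url: str  # where the autoupgrade client actually fetched the blob from
    blob: bytes      # signed_region || MAC


def verify_signature(blob: bytes) -> bytes:
    """Return the signed region if the vendor MAC verifies, otherwise raise."""
    if len(blob) < MAC_LEN:
        raise ValueError("truncated package")
    region, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(VENDOR_KEY, region, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("vendor signature invalid")
    return region


def signed_version(region: bytes) -> str:
    """Extract the version string from the signed header line."""
    header, _, _ = region.partition(b"\n")
    if not header.startswith(b"version="):
        raise ValueError("missing version header")
    return header[len(b"version="):].decode()


def legacy_check(current: str, pkg: Package) -> Tuple[bool, str]:
    """Decision shape the advisory describes: a validly signed vendor package is
    installed regardless of where it came from or whether it is older."""
    try:
        region = verify_signature(pkg.blob)
    except ValueError as err:
        return False, str(err)
    return True, f"install {signed_version(region)}"


def hardened_check(current: str, pkg: Package) -> Tuple[bool, str]:
    """Origin pinned, signature verified, rollback refused."""
    url = urlparse(pkg.source_url)
    if (url.scheme, url.hostname) != PINNED_ORIGIN:
        return False, f"refused: origin {url.scheme}://{url.hostname} is not the pinned update server"
    try:
        region = verify_signature(pkg.blob)
        candidate = signed_version(region)
        if parse_version(candidate) < parse_version(current):
            return False, f"refused: rollback from {current} to {candidate}"
    except ValueError as err:
        return False, f"refused: {err}"
    return True, f"install {candidate}"


if __name__ == "__main__":
    # Constructed scenario: a genuine, validly signed but older package served
    # from an attacker-controlled host over plain HTTP.
    old = Package("http://203.0.113.5/routeros-6.41.4.npk", sign_package("6.41.4", b"old-build"))
    print("legacy:  ", legacy_check("6.45.6", old))
    print("hardened:", hardened_check("6.45.6", old))
```

Two points about the design. The origin check only means something when the transport authenticates the server, which is why the pinned scheme is HTTPS with certificate validation assumed; a hostname string on its own can be satisfied by whoever controls name resolution. The rollback check is independent of that and is what defeats the downgrade the advisory describes even when a genuine, correctly signed older package reaches the device.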

Technical details

Unknown

Credits

Jacob Baines (Tenable Research)

Reference(s)

MikroTik RouterOS Multiple Vulnerabilities
https://www.tenable.com/security/research/tra-2019-46

RouterOS: Chain to Root
https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21

MikroTik Routers and Wireless – Software
https://mikrotik.com/download/changelogs

CVE-2019-3977 (MITRE)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3977

CVE-2019-3977 (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2019-3977

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.