Allele Security Alert
ASA-2019-00617, CVE-2019-3977, TRA-2019-46
Insufficient Validation of Upgrade Package’s Origin
Affected versions
MikroTik RouterOS Stable versions before 6.45.7
MikroTik RouterOS Long-term versions before 6.44.6
Fixed versions
MikroTik RouterOS Stable version 6.45.7
MikroTik RouterOS Long-term version 6.44.6
Proof of concept
Description
RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are downloaded from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into “upgrading” to an older version of RouterOS and possibly resetting all of the system’s usernames and passwords.
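As an added illustration, not code from MikroTik or from the original advisory: a minimal Python model of an auto-upgrade client, with the weak behaviour the description above names beside a hardened one. It goes a little beyond the page: besides pinning the update host it also verifies the package signature and refuses any package that is not strictly newer than the running release, since a package that is validly signed but older is exactly what a downgrade needs. The host names, signing key and package format are constructed assumptions for the example.

```python
# Added example (not MikroTik code): a minimal model of an auto-upgrade client.
# weak_upgrade() installs whatever the "update server" hands back, which is the
# class of behaviour the advisory describes; hardened_upgrade() pins the update
# host, verifies the package signature and refuses anything that is not strictly
# newer than the running release, so a genuinely signed but older package cannot
# be used to downgrade the device. Hosts, key and package format are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed pinned update host; stands in for the vendor's real upgrade server.
TRUSTED_UPDATE_HOSTS = {"upgrade.example.com"}
# Constructed signing key. A real client would carry the vendor's public key and
# verify an asymmetric signature; HMAC keeps the example self-contained.
VENDOR_KEY = b"example-vendor-signing-key"


@dataclass(frozen=True)
class Package:
    version: str      # dotted release string, e.g. "6.45.7"
    url: str          # where the client fetched it from
    payload: bytes    # package body
    signature: bytes  # vendor signature over version + payload


def parse_version(v: str) -> tuple:
    """Turn '6.45.7' into (6, 45, 7) so releases compare numerically (assumed format)."""
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {v!r}")
    return tuple(int(p) for p in parts)


def sign_package(version: str, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    # Binding the version into the signed data stops an attacker relabelling a payload.
    return hmac.new(key, version.encode() + b"\0" + payload, hashlib.sha256).digest()


def signature_valid(pkg: Package, key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(sign_package(pkg.version, pkg.payload, key), pkg.signature)


def make_package(version: str, url: str) -> Package:
    """Constructed, validly signed release used as sample input."""
    payload = f"routeros-{version}".encode()
    return Package(version, url, payload, sign_package(version, payload))


def weak_upgrade(running: str, pkg: Package) -> tuple:
    """Weak client: checks the signature but neither the origin nor the version, so
    whoever answers the upgrade request (e.g. after redirecting the upgrade host)
    can hand back an older, genuinely signed release and the device 'upgrades' down."""
    if not signature_valid(pkg):
        return running, "rejected: bad signature"
    return pkg.version, "installed"


def hardened_upgrade(running: str, pkg: Package) -> tuple:
    """Hardened client: origin, signature and version monotonicity all have to pass."""
    host = urlparse(pkg.url).hostname
    if host not in TRUSTED_UPDATE_HOSTS:
        return running, f"rejected: untrusted origin {host}"
    if not signature_valid(pkg):
        return running, "rejected: bad signature"
    # A hostname check alone does not survive DNS spoofing, so the version check is
    # the backstop that actually prevents a downgrade.
    if parse_version(pkg.version) <= parse_version(running):
        return running, f"rejected: {pkg.version} is not newer than {running}"
    return pkg.version, "installed"


def demo() -> dict:
    running = "6.45.6"
    good = make_package("6.45.7", "http://upgrade.example.com/6.45.7/package")
    # Attacker re-serves a genuinely signed but older release from a host they control.
    old = make_package("6.40.5", "http://upgrade.attacker.example/6.40.5/package")
    # Same old release, reached through a spoofed name that passes the hostname check.
    spoofed = make_package("6.40.5", "http://upgrade.example.com/6.40.5/package")
    # Modified payload presented under the genuine 6.45.7 signature.
    tampered = Package(good.version, good.url, b"backdoored", good.signature)
    return {
        "weak_good": weak_upgrade(running, good),
        "weak_old": weak_upgrade(running, old),  # downgrade accepted
        "hard_good": hardened_upgrade(running, good),
        "hard_old": hardened_upgrade(running, old),
        "hard_spoofed": hardened_upgrade(running, spoofed),
        "hard_tampered": hardened_upgrade(running, tampered),
    }


if __name__ == "__main__":
    for name, (version, outcome) in demo().items():
        print(f"{name:14} -> now {version:7} {outcome}")
```

Run it directly to see that weak_upgrade accepts the 6.40.5 package and leaves the device on the older release, while hardened_upgrade rejects it once for its origin and, when the origin is spoofed, again for not being newer than 6.45.6; that second check is the one that holds when the hostname check can be bypassed.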
Credit
Jacob Baines (Tenable Research)
References
MikroTik RouterOS Multiple Vulnerabilities
RouterOS: Chain to Root
MikroTik Routers and Wireless – Software
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: October 29, 2019