ID

VAR-201907-0594


CVE

CVE-2019-13955


TITLE

Mikrotik RouterOS vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2019-007388

DESCRIPTION

Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to stack exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. Malicious code cannot be injected. Mikrotik RouterOS contains a resource exhaustion vulnerability. It may be put into a denial-of-service (DoS) state. MikroTik RouterOS is a Linux-based router operating system developed by the Latvian company MikroTik. The system can be deployed on a PC so that it provides router functionality. A security vulnerability exists in Mikrotik RouterOS versions prior to 6.44.5.

Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree), before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree), 6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team

Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.

1. CVE-2019-13954: memory exhaustion via a crafted POST request

This vulnerability is similar to the CVE-2018-1157. An authenticated user can cause the www binary to consume all memory via a crafted POST request to /jsproxy/upload. It's because of the incomplete fix for the CVE-2018-1157. Based on the poc for cve_2018_1157 provided by the @Jacob Baines (really appreciate!), crafting a filename ending with many '\x00' can bypass the original fix to trigger the vulnerability.

2. An authenticated user communicating with the www binary can trigger a stack exhaustion vulnerability via recursive parsing of JSON containing message type M.

Based on the poc for cve_2018_1158 provided by the @Jacob Baines (really appreciate!), crafting a JSON message with type M can trigger the vulnerability. A simple python script to generate the crafted message is as follows.

References
==========

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros

Trust: 1.8

sources: NVD: CVE-2019-13955 // JVNDB: JVNDB-2019-007388 // VULHUB: VHN-145853 // PACKETSTORM: 153733

AFFECTED PRODUCTS

vendor: mikrotik, model: routeros, scope: eq, version: 6.45

Trust: 1.0

vendor: mikrotik, model: routeros, scope: lt, version: 6.44.5

Trust: 1.0

vendor: mikrotik, model: routeros, scope: lt, version: 6.44.5 (long-term release tree)

Trust: 0.8

sources: JVNDB: JVNDB-2019-007388 // NVD: CVE-2019-13955

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13955
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-13955
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-1354
value: MEDIUM

Trust: 0.6

VULHUB: VHN-145853
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13955
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-145853
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-13955
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-145853 // JVNDB: JVNDB-2019-007388 // CNNVD: CNNVD-201907-1354 // NVD: CVE-2019-13955

PROBLEMTYPE DATA

problemtype:CWE-674

Trust: 1.1

problemtype:CWE-400

Trust: 0.9

sources: VULHUB: VHN-145853 // JVNDB: JVNDB-2019-007388 // NVD: CVE-2019-13955

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1354

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201907-1354

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007388

PATCH

title: RouterOS, url: https://mikrotik.com/software

Trust: 0.8

title: MikroTik RouterOS Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95504

Trust: 0.6

sources: JVNDB: JVNDB-2019-007388 // CNNVD: CNNVD-201907-1354

EXTERNAL IDS

db: PACKETSTORM, id: 153733

Trust: 2.6

db: NVD, id: CVE-2019-13955

Trust: 2.6

db: JVNDB, id: JVNDB-2019-007388

Trust: 0.8

db: CNNVD, id: CNNVD-201907-1354

Trust: 0.7

db: VULHUB, id: VHN-145853

Trust: 0.1

sources: VULHUB: VHN-145853 // JVNDB: JVNDB-2019-007388 // PACKETSTORM: 153733 // CNNVD: CNNVD-201907-1354 // NVD: CVE-2019-13955

REFERENCES

url:http://packetstormsecurity.com/files/153733/mikrotik-routeros-resource-stack-exhaustion.html

Trust: 3.1

url:https://seclists.org/fulldisclosure/2019/jul/20

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-13955

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13955

Trust: 0.8

url:https://github.com/tenable/routeros

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-13954

Trust: 0.1

url:https://mikrotik.com/download/changelogs/long-term-release-tree

Trust: 0.1

sources: VULHUB: VHN-145853 // JVNDB: JVNDB-2019-007388 // PACKETSTORM: 153733 // CNNVD: CNNVD-201907-1354 // NVD: CVE-2019-13955

CREDITS

Qian Chen

Trust: 0.7

sources: PACKETSTORM: 153733 // CNNVD: CNNVD-201907-1354

SOURCES

db: VULHUB, id: VHN-145853
db: JVNDB, id: JVNDB-2019-007388
db: PACKETSTORM, id: 153733
db: CNNVD, id: CNNVD-201907-1354
db: NVD, id: CVE-2019-13955

LAST UPDATE DATE

2024-11-23T22:30:00.073000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-145853, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-007388, date: 2019-08-08T00:00:00
db: CNNVD, id: CNNVD-201907-1354, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-13955, date: 2024-11-21T04:25:46.480

SOURCES RELEASE DATE

db: VULHUB, id: VHN-145853, date: 2019-07-26T00:00:00
db: JVNDB, id: JVNDB-2019-007388, date: 2019-08-08T00:00:00
db: PACKETSTORM, id: 153733, date: 2019-07-24T02:32:22
db: CNNVD, id: CNNVD-201907-1354, date: 2019-07-24T00:00:00
db: NVD, id: CVE-2019-13955, date: 2019-07-26T13:15:12.910