Sign-up

ID

VAR-201908-0802


CVE

CVE-2019-15055


TITLE

MikroTik RouterOS Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008823

DESCRIPTION

MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication. MikroTik RouterOS Contains an input validation vulnerability.Information may be tampered with. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. There is a security vulnerability in MikroTik RouterOS 6.44.5 and earlier versions and 6.45.x to 6.45.3 versions. The vulnerability is caused by the program not handling disk names correctly

Trust: 1.71

sources: NVD: CVE-2019-15055 // JVNDB: JVNDB-2019-008823 // VULHUB: VHN-147063

AFFECTED PRODUCTS

vendor:mikrotikmodel:routerosscope:lteversion:6.44.5

Trust: 1.8

vendor:mikrotikmodel:routerosscope:lteversion:6.45.3

Trust: 1.0

vendor:mikrotikmodel:routerosscope:gteversion:6.45

Trust: 1.0

vendor:mikrotikmodel:routerosscope:eqversion:6.45.3 for up to 6.45.x

Trust: 0.8

sources: JVNDB: JVNDB-2019-008823 // NVD: CVE-2019-15055

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15055
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-15055
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201908-1945
value: MEDIUM

Trust: 0.6

VULHUB: VHN-147063
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-15055
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-147063
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-15055
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-147063 // JVNDB: JVNDB-2019-008823 // CNNVD: CNNVD-201908-1945 // NVD: CVE-2019-15055

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.1

problemtype:CWE-20

Trust: 0.9

sources: VULHUB: VHN-147063 // JVNDB: JVNDB-2019-008823 // NVD: CVE-2019-15055

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1945

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201908-1945

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-008823

PATCH
title:Release 6.46beta34url:https://mikrotik.com/download/changelogs/testing-release-tree
Trust: 0.8
title:MikroTik RouterOS Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97429
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-008823 // 
            
            
            
            CNNVD: CNNVD-201908-1945

EXTERNAL IDS
db:NVDid:CVE-2019-15055
Trust: 2.5
db:JVNDBid:JVNDB-2019-008823
Trust: 0.8
db:CNNVDid:CNNVD-201908-1945
Trust: 0.7
db:VULHUBid:VHN-147063
Trust: 0.1
sources:
            
            
            VULHUB: VHN-147063 // 
            
            
            
            JVNDB: JVNDB-2019-008823 // 
            
            
            
            CNNVD: CNNVD-201908-1945 // 
            
            
            
            NVD: CVE-2019-15055

REFERENCES
url:https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90
Trust: 2.5
url:https://forum.mikrotik.com/viewtopic.php?t=151603
Trust: 1.7
url:https://mikrotik.com/download/changelogs/testing-release-tree
Trust: 1.7
url:https://fortiguard.com/zeroday/fg-vd-19-108
Trust: 1.7
url:https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-15055
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15055
Trust: 0.8
sources:
            
            
            VULHUB: VHN-147063 // 
            
            
            
            JVNDB: JVNDB-2019-008823 // 
            
            
            
            CNNVD: CNNVD-201908-1945 // 
            
            
            
            NVD: CVE-2019-15055

SOURCES
db:VULHUBid:VHN-147063
db:JVNDBid:JVNDB-2019-008823
db:CNNVDid:CNNVD-201908-1945
db:NVDid:CVE-2019-15055

LAST UPDATE DATE
2024-11-23T23:01:42.941000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-147063date:2020-10-06T00:00:00
db:JVNDBid:JVNDB-2019-008823date:2019-09-06T00:00:00
db:CNNVDid:CNNVD-201908-1945date:2020-10-09T00:00:00
db:NVDid:CVE-2019-15055date:2024-11-21T04:27:58.123

SOURCES RELEASE DATE
db:VULHUBid:VHN-147063date:2019-08-26T00:00:00
db:JVNDBid:JVNDB-2019-008823date:2019-09-06T00:00:00
db:CNNVDid:CNNVD-201908-1945date:2019-08-26T00:00:00
db:NVDid:CVE-2019-15055date:2019-08-26T21:15:11.210