ID

VAR-201910-0546


CVE

CVE-2019-3977


TITLE

RouterOS Vulnerabilities related to incompleteness verification of downloaded code

Trust: 0.8

sources: JVNDB: JVNDB-2019-011452

DESCRIPTION

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords. RouterOS Contains a vulnerability in the integrity verification of downloaded code.Information may be tampered with. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. There is a security vulnerability in MikroTik RouterOS 6.45.6 Stable and earlier versions and 6.44.5 Long-term and earlier versions. The vulnerability stems from the fact that the program does not fully verify the source of the update package download. An attacker can exploit this vulnerability to obtain all user names and passwords of the system

Trust: 1.71

sources: NVD: CVE-2019-3977 // JVNDB: JVNDB-2019-011452 // VULHUB: VHN-155412

AFFECTED PRODUCTS

vendor:mikrotikmodel:routerosscope:lteversion:6.44.5

Trust: 1.0

vendor:mikrotikmodel:routerosscope:lteversion:6.45.6

Trust: 1.0

vendor:mikrotikmodel:routerosscope:lteversion:6.44.5 long-term

Trust: 0.8

vendor:mikrotikmodel:routerosscope:lteversion:6.45.6 stable

Trust: 0.8

vendor:mikrotikmodel:routerosscope:eqversion:6.44.3

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45.5

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45.1

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.44.5

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45.2

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.44.4

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45.6

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45.3

Trust: 0.6

vendor:mikrotikmodel:routerosscope:eqversion:6.45.4

Trust: 0.6

sources: JVNDB: JVNDB-2019-011452 // CNNVD: CNNVD-201910-1702 // NVD: CVE-2019-3977

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3977
value: HIGH

Trust: 1.0

NVD: CVE-2019-3977
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201910-1702
value: HIGH

Trust: 0.6

VULHUB: VHN-155412
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-3977
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-155412
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3977
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-3977
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-155412 // JVNDB: JVNDB-2019-011452 // CNNVD: CNNVD-201910-1702 // NVD: CVE-2019-3977

PROBLEMTYPE DATA

problemtype:CWE-494

Trust: 1.9

sources: VULHUB: VHN-155412 // JVNDB: JVNDB-2019-011452 // NVD: CVE-2019-3977

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1702

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201910-1702

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011452

PATCH

title:Top Pageurl:https://mikrotik.com/

Trust: 0.8

title:MikroTik RouterOS Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101462

Trust: 0.6

sources: JVNDB: JVNDB-2019-011452 // CNNVD: CNNVD-201910-1702

EXTERNAL IDS

db:TENABLEid:TRA-2019-46

Trust: 2.5

db:NVDid:CVE-2019-3977

Trust: 2.5

db:JVNDBid:JVNDB-2019-011452

Trust: 0.8

db:CNNVDid:CNNVD-201910-1702

Trust: 0.7

db:VULHUBid:VHN-155412

Trust: 0.1

sources: VULHUB: VHN-155412 // JVNDB: JVNDB-2019-011452 // CNNVD: CNNVD-201910-1702 // NVD: CVE-2019-3977

REFERENCES

url:https://www.tenable.com/security/research/tra-2019-46

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-3977

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3977

Trust: 0.8

sources: VULHUB: VHN-155412 // JVNDB: JVNDB-2019-011452 // CNNVD: CNNVD-201910-1702 // NVD: CVE-2019-3977

SOURCES

db:VULHUBid:VHN-155412
db:JVNDBid:JVNDB-2019-011452
db:CNNVDid:CNNVD-201910-1702
db:NVDid:CVE-2019-3977

LAST UPDATE DATE

2024-11-23T21:51:53.248000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-155412date:2019-11-01T00:00:00
db:JVNDBid:JVNDB-2019-011452date:2019-11-07T00:00:00
db:CNNVDid:CNNVD-201910-1702date:2019-11-04T00:00:00
db:NVDid:CVE-2019-3977date:2024-11-21T04:42:59.513

SOURCES RELEASE DATE

db:VULHUBid:VHN-155412date:2019-10-29T00:00:00
db:JVNDBid:JVNDB-2019-011452date:2019-11-07T00:00:00
db:CNNVDid:CNNVD-201910-1702date:2019-10-29T00:00:00
db:NVDid:CVE-2019-3977date:2019-10-29T19:15:20.407