Sign-up

ID

VAR-202105-0090


CVE

CVE-2020-20245


TITLE

Mikrotik RouterOs  Buffer Error Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-006902

DESCRIPTION

Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access. Mikrotik RouterOs Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. MikroTik RouterOS has a security vulnerability. Advisory: four vulnerabilities found in MikroTik's RouterOS Details ======= Product: MikroTik's RouterOS Vendor URL: https://mikrotik.com/ Vendor Status: only CVE-2020-20227 is fixed CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246 Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team Product Description ================== RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point. Description of vulnerabilities ========================== These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities. 1. Against stable 6.46.5, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: --- signal=11 -------------------------------------------- 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202 2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88 esp=0x7f9d3e70 2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274 edx=0x00000001 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: maps: 2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16 /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so 2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944 /lib/libuc++.so 2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0 2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so 2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so 2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70 2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77 2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: code: 0x804b175 2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83 This vulnerability was initially found in long-term 6.44.6, and it seems that the latest stable version 6.48.2 still suffer from this vulnerability. 2. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: /nova/bin/diskd 2020.06.05-15:00:38.33@0: --- signal=11 -------------------------------------------- 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202 2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8 esp=0x7f9dceac 2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: maps: 2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049 /nova/bin/diskd 2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac 2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08 2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f 2020.06.05-15:00:38.34@0: 2020.06.05-15:00:38.34@0: code: 0x7775a1e3 2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 This vulnerability was initially found in stable 6.47, and it was fixed at least in stable 6.48.1. 3. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.22-20:13:36.29@0: 2020.06.22-20:13:36.29@0: 2020.06.22-20:13:36.62@0: /nova/bin/log 2020.06.22-20:13:36.62@0: --- signal=11 -------------------------------------------- 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202 2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858 esp=0x7fec6818 2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8 edx=0x00000006 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: maps: 2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005 /nova/bin/log 2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818 2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77 2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06 08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: code: 0x77709d2e 2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0 ff This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability. 4. By sending a crafted packet, an authenticated remote user can crash the mactel process due to NULL pointer dereference. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: /nova/bin/mactel 2020.06.22-20:25:36.17@0: --- signal=11 -------------------------------------------- 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202 2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8 esp=0x7fe78090 2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: maps: 2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel 2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967 /lib/libutil-0.9.33.2.so 2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090 2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04 08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00 2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b 77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: code: 0x804ddc7 2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4 This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability. Solution ======== As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree version. For others, no upgrade firmware available yet References ========== [1] https://mikrotik.com/download/changelogs/stable-release-tree

Trust: 1.89

sources: NVD: CVE-2020-20245 // JVNDB: JVNDB-2021-006902 // VULHUB: VHN-173704 // VULMON: CVE-2020-20245 // PACKETSTORM: 162533

AFFECTED PRODUCTS

vendor:mikrotikmodel:routerosscope:eqversion:6.46.3

Trust: 1.0

vendor:mikrotikmodel:routerosscope:eqversion: -

Trust: 0.8

vendor:mikrotikmodel:routerosscope:eqversion:stable 6.46.3

Trust: 0.8

vendor:mikrotikmodel:routerosscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-006902 // NVD: CVE-2020-20245

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-20245
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-20245
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202105-652
value: MEDIUM

Trust: 0.6

VULHUB: VHN-173704
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-20245
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-20245
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-173704
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-20245
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-20245
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-173704 // VULMON: CVE-2020-20245 // JVNDB: JVNDB-2021-006902 // CNNVD: CNNVD-202105-652 // NVD: CVE-2020-20245

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.1

problemtype:Buffer error (CWE-119) [NVD Evaluation ]

Trust: 0.8

problemtype:CWE-119

Trust: 0.1

sources: VULHUB: VHN-173704 // JVNDB: JVNDB-2021-006902 // NVD: CVE-2020-20245

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-652

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202105-652

PATCH

title:Top Pageurl:https://mikrotik.com/

Trust: 0.8

sources: JVNDB: JVNDB-2021-006902

EXTERNAL IDS

db:NVDid:CVE-2020-20245

Trust: 3.5

db:PACKETSTORMid:162533

Trust: 2.7

db:JVNDBid:JVNDB-2021-006902

Trust: 0.8

db:CNNVDid:CNNVD-202105-652

Trust: 0.6

db:VULHUBid:VHN-173704

Trust: 0.1

db:VULMONid:CVE-2020-20245

Trust: 0.1

sources: VULHUB: VHN-173704 // VULMON: CVE-2020-20245 // JVNDB: JVNDB-2021-006902 // PACKETSTORM: 162533 // CNNVD: CNNVD-202105-652 // NVD: CVE-2020-20245

REFERENCES

url:http://packetstormsecurity.com/files/162533/mikrotik-routeros-memory-corruption.html

Trust: 3.2

url:http://seclists.org/fulldisclosure/2021/may/23

Trust: 1.9

url:https://mikrotik.com/

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2020-20245

Trust: 1.5

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-20227

Trust: 0.1

url:https://mikrotik.com/download/changelogs/stable-release-tree

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-20220

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-20246

Trust: 0.1

sources: VULHUB: VHN-173704 // VULMON: CVE-2020-20245 // JVNDB: JVNDB-2021-006902 // PACKETSTORM: 162533 // CNNVD: CNNVD-202105-652 // NVD: CVE-2020-20245

CREDITS

Qian Chen

Trust: 0.7

sources: PACKETSTORM: 162533 // CNNVD: CNNVD-202105-652

SOURCES

db:VULHUBid:VHN-173704
db:VULMONid:CVE-2020-20245
db:JVNDBid:JVNDB-2021-006902
db:PACKETSTORMid:162533
db:CNNVDid:CNNVD-202105-652
db:NVDid:CVE-2020-20245

LAST UPDATE DATE

2024-08-14T13:54:04.954000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-173704date:2022-05-03T00:00:00
db:VULMONid:CVE-2020-20245date:2021-05-21T00:00:00
db:JVNDBid:JVNDB-2021-006902date:2022-01-25T05:36:00
db:CNNVDid:CNNVD-202105-652date:2022-05-05T00:00:00
db:NVDid:CVE-2020-20245date:2022-05-03T16:04:40.443

SOURCES RELEASE DATE

db:VULHUBid:VHN-173704date:2021-05-18T00:00:00
db:VULMONid:CVE-2020-20245date:2021-05-18T00:00:00
db:JVNDBid:JVNDB-2021-006902date:2022-01-25T00:00:00
db:PACKETSTORMid:162533date:2021-05-11T21:38:05
db:CNNVDid:CNNVD-202105-652date:2021-05-11T00:00:00
db:NVDid:CVE-2020-20245date:2021-05-18T20:15:07.477