[update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.
CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/graphing process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference) CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an stack exhaustion vulnerability in the /nova/bin/net process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU Q C <[email protected]> 于2020年7月22日周三 下午8:11写道: > Advisory: three vulnerabilities found in MikroTik's RouterOS > > > Details > ======= > > Product: MikroTik's RouterOS > Vendor URL: https://mikrotik.com/ > Vendor Status: fixed version released > CVE: - > Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team > > > Product Description > ================== > > RouterOS is the operating system used on the MikroTik's devices, such as > switch, router and access point. > > > Description of vulnerabilities > ========================== > > 1. Memory corruption vulnerability > The diskd process suffers from a memory corruption vulnerability. By > sending a crafted packet, an authenticated remote user can crash the diskd > process due to invalid memory access. > > Against stable 6.44.3, the poc resulted in the following crash dump. > > # cat /rw/logs/backtrace.log > 2020.06.04-14:18:22.55@0: > 2020.06.04-14:18:22.55@0: > 2020.06.04-14:18:22.55@0: /nova/bin/diskd > 2020.06.04-14:18:22.55@0: --- signal=11 > -------------------------------------------- > 2020.06.04-14:18:22.55@0: > 2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202 > 2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 > ebp=0x7fd40b78 esp=0x7fd40b6c > 2020.06.04-14:18:22.55@0: eax=0x0000001b ebx=0x776d54ec > ecx=0x776d54ec edx=0x20fe0010 > 2020.06.04-14:18:22.55@0: > 2020.06.04-14:18:22.55@0: maps: > 2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp 00000000 00:0c 1131 > /nova/bin/diskd > 2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp 00000000 00:0c 996 > /lib/libuClibc-0.9.33.2.so > 2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp 00000000 00:0c 992 > /lib/libgcc_s.so.1 > 2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp 00000000 00:0c 976 > /lib/libuc++.so > 2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp 00000000 00:0c 982 > /lib/libubox.so > 2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp 00000000 00:0c 978 > /lib/libumsg.so > 2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp 00000000 00:0c 990 > /lib/ld-uClibc-0.9.33.2.so > 2020.06.04-14:18:22.55@0: > 2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c > 2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b > d4 7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20 > 2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c > d4 7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00 > 2020.06.04-14:18:22.55@0: > 2020.06.04-14:18:22.55@0: code: 0x776cd1db > 2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 > ff 75 > > This vulnerability was initially found in long-term 6.44.5, and has been > fixed in stable 6.47. > > 2. NULL pointer dereference vulnerability > The graphing process suffers from a memory corruption vulnerability. By > sending a crafted packet, an authenticated remote user can crash the > graphing process due to NULL > pointer dereference. > > Against stable 6.46.5, the poc resulted in the following crash dump. > > # cat /rw/logs/backtrace.log > 2020.06.04-15:12:41.47@0: > 2020.06.04-15:12:41.47@0: > 2020.06.04-15:12:41.47@0: /nova/bin/graphing > 2020.06.04-15:12:41.47@0: --- signal=11 > -------------------------------------------- > 2020.06.04-15:12:41.47@0: > 2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202 > 2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 > ebp=0x7fa8acd8 esp=0x7fa8acb0 > 2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c > ecx=0x00000000 edx=0x08061ce8 > 2020.06.04-15:12:41.47@0: > 2020.06.04-15:12:41.47@0: maps: > 2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp 00000000 00:0c 1038 > /nova/bin/graphing > 2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp 00000000 00:0c 964 > /lib/libuClibc-0.9.33.2.so > 2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp 00000000 00:0c 960 > /lib/libgcc_s.so.1 > 2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp 00000000 00:0c 944 > /lib/libuc++.so > 2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp 00000000 00:0c 950 > /lib/libubox.so > 2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp 00000000 00:0c 946 > /lib/libumsg.so > 2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp 00000000 00:0c 961 > /lib/libm-0.9.33.2.so > 2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp 00000000 00:0c 958 > /lib/ld-uClibc-0.9.33.2.so > 2020.06.04-15:12:41.47@0: > 2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0 > 2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 00 > 00 00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08 > 2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a bc > 6b 77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08 > 2020.06.04-15:12:41.47@0: > 2020.06.04-15:12:41.47@0: code: 0x80521e2 > 2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff > 8b 56 > > This vulnerability was initially found in long-term 6.44.6, and has been > fixed in stable 6.47. > > 3. Stack exhaustion vulnerability > The net process suffers from a stack exhaustion vulnerability. By sending > a crafted packet to the net process, an authenticated remote user can > trigger a stack exhaustion vulnerability via recursive function calls. > > When testing the proof of concept on an x86 RouterOS VM, this > vulnerability didn't just crash net process but caused the whole system to > reboot. > > Against stable 6.46.5, the poc resulted in the following crash dump. > > # cat /rw/logs/backtrace.log > 2020.06.08-11:19:45.40@0: > 2020.06.08-11:19:45.40@0: > 2020.06.08-11:19:45.40@0: /nova/bin/net > 2020.06.08-11:19:45.40@0: --- signal=11 > -------------------------------------------- > 2020.06.08-11:19:45.40@0: > 2020.06.08-11:19:45.40@0: eip=0x0809ec65 eflags=0x00010206 > 2020.06.08-11:19:45.40@0: edi=0x7fb0fe4c esi=0x7fb0ff48 > ebp=0x7f311018 esp=0x7f310fe0 > 2020.06.08-11:19:45.40@0: eax=0x00fe0008 ebx=0x7772cae4 > ecx=0x7772cae4 edx=0x08122630 > 2020.06.08-11:19:45.40@0: > 2020.06.08-11:19:45.40@0: maps: > 2020.06.08-11:19:45.40@0: 08048000-08121000 r-xp 00000000 00:0c 1004 > /nova/bin/net > 2020.06.08-11:19:45.40@0: 77654000-77689000 r-xp 00000000 00:0c 964 > /lib/libuClibc-0.9.33.2.so > 2020.06.08-11:19:45.40@0: 7768d000-776a7000 r-xp 00000000 00:0c 960 > /lib/libgcc_s.so.1 > 2020.06.08-11:19:45.40@0: 776a8000-776b7000 r-xp 00000000 00:0c 944 > /lib/libuc++.so > 2020.06.08-11:19:45.40@0: 776b8000-776c6000 r-xp 00000000 00:0c 945 > /lib/libz.so > 2020.06.08-11:19:45.40@0: 776c7000-776d1000 r-xp 00000000 00:0c 961 > /lib/libm-0.9.33.2.so > 2020.06.08-11:19:45.40@0: 776d3000-776db000 r-xp 00000000 00:0c 950 > /lib/libubox.so > 2020.06.08-11:19:45.40@0: 776dc000-776df000 r-xp 00000000 00:0c 948 > /lib/libuxml++.so > 2020.06.08-11:19:45.40@0: 776e0000-7772c000 r-xp 00000000 00:0c 946 > /lib/libumsg.so > 2020.06.08-11:19:45.40@0: 7772f000-7774c000 r-xp 00000000 00:0c 947 > /lib/libucrypto.so > 2020.06.08-11:19:45.40@0: 77750000-77757000 r-xp 00000000 00:0c 958 > /lib/ld-uClibc-0.9.33.2.so > 2020.06.08-11:19:45.40@0: > 2020.06.08-11:19:45.40@0: stack: 0x7fb10000 - 0x7f310fe0 > > This vulnerability was initially found in long-term 6.44.5, and has been > fixed in stable 6.47. > > > Solution > ======== > > Upgrade to the corresponding latest RouterOS tree version. > > > References > ========== > > [1] https://mikrotik.com/download/changelogs/stable-release-tree > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
