CVE-2019-3977

Published: Oct 29, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords.

Affected (2)

Products: Mikrotik: Routeros

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mikrotik Routeros	Up to 6.45.6
Mikrotik Routeros	Up to 6.44.5

Related CWEs

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (2)

https://www.tenable.com/security/research/tra-2019-46

Source: vulnreport@tenable.com

Third Party Advisory

https://www.tenable.com/security/research/tra-2019-46

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.