Tenable has published details of multiple vulnerabilities it found in MikroTik RouterOS, with an estimated half a million vulnerable public-facing targets.
CVE-2019-3976: Relative Path Traversal in NPK Parsing
RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package’s name field. If an authenticated user installs a malicious package then a directory could be created and the developer shell could be enabled.
CVE-2019-3977: Insufficient Validation of Upgrade Package’s Origin
RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into “upgrading” to an older version of RouterOS and possibly resetting all the system’s usernames and passwords.
CVE-2019-3978: Insufficient Protections of a Critical Resource (DNS Requests/Cache)
RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker’s choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.
CVE-2019-3979: Improper DNS Response Handling
RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulnerable to a DNS unrelated data attack. The router adds all A records to its DNS cache even when the records are unrelated to the domain that was queried. Therefore, a remote attacker controlled DNS server can poison the router’s DNS cache via malicious responses with additional and untrue records.
By chaining these disclosed vulnerabilities (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, and CVE-2019-3979) together, an unauthenticated remote attacker could gain root access on the system, downgrade the router’s OS, reset the system passwords and potentially gain a root shell.