{"id":15958,"date":"2019-10-31T00:47:49","date_gmt":"2019-10-30T19:17:49","guid":{"rendered":"https:\/\/www.technologyforyou.org\/?p=15958"},"modified":"2019-10-31T00:47:49","modified_gmt":"2019-10-30T19:17:49","slug":"tenable-research-new-router-vulns-expose-half-a-million-public-facing-targets","status":"publish","type":"post","link":"https:\/\/www.technologyforyou.org\/tenable-research-new-router-vulns-expose-half-a-million-public-facing-targets\/","title":{"rendered":"Tenable Research : New router vulns expose half a million+ public-facing targets"},"content":{"rendered":"<p><strong><span style=\"font-family: arial, helvetica, sans-serif;\">Tenable,\u00a0Inc., the Cyber Exposure company, published details of multiple vulnerabilities it found in MikroTik RouterOS, with an estimated half a million vulnerable public-facing targets.<\/span><\/strong><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><b>CVE-2019-3976: Relative Path Traversal in NPK Parsing<\/b><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package&#8217;s name field. If an authenticated user installs a malicious package, then a directory could be created and the developer shell could be enabled.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><b>CVE-2019-3977: Insufficient Validation of Upgrade Package&#8217;s Origin<\/b><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are downloaded from when using the autoupgrade feature. 
Therefore, a remote attacker can trick the router into &#8220;upgrading&#8221; to an older version of RouterOS and possibly resetting all the system&#8217;s usernames and passwords.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><b>CVE-2019-3978: Insufficient Protections of a Critical Resource (DNS Requests\/Cache)<\/b><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker&#8217;s choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><b>CVE-2019-3979: Improper DNS Response Handling<\/b><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulnerable to a DNS unrelated data attack. The router adds all A records to its DNS cache even when the records are unrelated to the domain that was queried. 
Therefore, a remote attacker-controlled DNS server can poison the router&#8217;s DNS cache via malicious responses with additional and untrue records.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">By chaining these disclosed vulnerabilities (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, and CVE-2019-3979) together, an unauthenticated remote attacker could gain root access on the system, downgrade the router&#8217;s OS, reset the system passwords and potentially gain a root shell.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">MikroTik has issued a patch to fix these vulnerabilities and users are urged to upgrade to version 6.45.7 Stable or 6.44.6 Long-term or newer.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tenable,\u00a0Inc., the Cyber Exposure company, published details of multiple vulnerabilities it found in MikroTik RouterOS, with an estimated half a million vulnerable public-facing targets. CVE-2019-3976: Relative Path Traversal in NPK Parsing RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package&#8217;s name field. 
If [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[9207,9208],"class_list":{"0":"post-15958","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-cyber-security","7":"tag-new-router-vulns-expose-half-a-million-public-facing-targets","8":"tag-tenable-research"},"_links":{"self":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/15958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/comments?post=15958"}],"version-history":[{"count":0,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/15958\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media?parent=15958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/categories?post=15958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/tags?post=15958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}