SB2019070105 - Multiple vulnerabilities in Mikrotik RouterOS

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: CVE-2019-11477)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to integer overflow when handling TCP Selective Acknowledgments (SACKs) due to incorrect processing of TCP_SKB_CB(skb)->tcp_gso_segs value in Linux kernel. A remote non-authenticated attacker can send specially crafted network traffic to the affected system, trigger integer overflow and render the system unavailable.

Successful exploitation of the vulnerability allows a remote attacker to perform denial of service (DoS) attack.

2) Resource exhaustion (CVE-ID: CVE-2019-11478)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to an error when processing TCP Selective Acknowledgment (SACK) sequences within the Linux kernel TCP retransmission queue implementation in tcp_fragment. A remote non-authenticated attacker can send specially crafted network traffic to the affected system and perform a denial of service (DoS) attack.

3) Resource exhaustion (CVE-ID: CVE-2019-11479)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to presence of hard-coded MSS value (48 bytes) in the Linux kernel source code. A remote attacker can fragment TCP resend queues significantly more than if a larger MSS were enforced and perform denial of service (DoS) attack.

4) Resource management error (CVE-ID: CVE-2014-8160)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel generates incorrect conntrack entries when handling certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols. A remote attacker can send packets with disallowed port numbers to the affected system and bypass iptables filtering rules. 

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-13074)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error. A remote attacker can bypass certain security restrictions.

6) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2018-10066)

The vulnerability allows a remote attacker to perform man-in-the-middle (MitM) attack.

The vulnerability exists due to missing OpenVPN server certificate verification. A remote attacker can perform MitM attack and trick the affected device to connect to a malicious OpenVPN server.

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to a local network, behind the Mikrotik router.

Remediation

Install update from vendor's website.

References

• https://mikrotik.com/download/changelogs/#6.45.1
• https://mikrotik.com/download/changelogs/
• https://janis-streib.de/2018/04/11/mikrotik-openvpn-security