Main Vulnerability Database Vulnerabilities #VU22425

#VU22425 Insufficient verification of data authenticity in MikroTik RouterOS - CVE-2019-3977

Published: October 30, 2019

Vulnerability identifier: #VU22425

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-3977

CWE-ID: CWE-345

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
MikroTik RouterOS

Software vendor:
MikroTik

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to software does not validate origin of the upgrade packages when using autoupgrade feature. A remote attacker can trick the victim into downloading and installing an old version of RouterOS and reset passwords of all system users.

Remediation

Install updates from vendor's website.

External links

https://mikrotik.com/download/changelogs#6.45.7
https://www.tenable.com/security/research/tra-2019-46

#VU22425 Insufficient verification of data authenticity in MikroTik RouterOS - CVE-2019-3977

Description

Remediation

External links

Please verify you're human