#VU20428 Input validation error in MikroTik RouterOS


Published: 2019-08-28 | Updated: 2020-01-08

Vulnerability identifier: #VU20428

Vulnerability risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15055

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MikroTik RouterOS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: MikroTik

Description

The vulnerability allows a remote authenticated attacker to delete arbitrary files.

The vulnerability exists due to insufficient validation of the disk name. A remote attacker with a low-privileged account can reset the credential storage, which in turn allows access to the management interface as an administrator without authentication and deletion of arbitrary files.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

MikroTik RouterOS: 6.44 - 6.44.5, 6.45 - 6.45.3
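The following is an added example, not part of this advisory and not MikroTik's code, for checking whether a device falls inside the version ranges listed above. It parses the version string as printed by the RouterOS command `/system resource print` and compares it, inclusively, against the two ranges stated here; the sample command output below is constructed for the example, not captured from a real device.

```python
import re

# Vulnerable ranges exactly as stated in this advisory (#VU20428 / CVE-2019-15055),
# inclusive at both ends: 6.44 - 6.44.5 and 6.45 - 6.45.3.
VULNERABLE_RANGES = [
    ((6, 44, 0), (6, 44, 5)),
    ((6, 45, 0), (6, 45, 3)),
]

# First dotted run of digits in the string; a trailing channel tag such as
# " (stable)" or a suffix like "beta12" is ignored.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return (major, minor, patch) from a RouterOS version string.

    Accepts the bare form ("6.45.3"), the `/system resource print` form
    ("6.45.3 (stable)") and a missing patch component ("6.44" becomes
    6.44.0, which is how the advisory's range "6.44 - 6.44.5" starts).
    Raises ValueError if no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version_text):
    """True if the version lies inside one of the ranges this advisory lists."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def check_resource_output(output):
    """Find the 'version:' line of `/system resource print` output and
    classify it. Returns (version_tuple, affected)."""
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "version":
            return parse_version(value), is_affected(value)
    raise ValueError("no 'version:' line in output")


# Constructed sample of `/system resource print` output (hypothetical device,
# not a real capture); only the 'version:' line is consulted.
SAMPLE_OUTPUT = """\
                   uptime: 3d4h12m
                  version: 6.45.3 (stable)
               build-time: Aug/13/2019 11:15:14
              free-memory: 210.1MiB
             total-memory: 256.0MiB
               board-name: hAP ac^2
"""

if __name__ == "__main__":
    version, affected = check_resource_output(SAMPLE_OUTPUT)
    label = "in a listed vulnerable range, update" if affected else "not in a listed range"
    print("RouterOS %s: %s" % (".".join(map(str, version)), label))
```

A negative result only means the version is outside the two ranges this advisory lists; it is not a statement that releases older than 6.44 or newer than 6.45.3 are free of the issue, so confirm against the vendor changelog linked below before closing a finding.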


External links
http://fortiguard.com/zeroday/FG-VD-19-108
http://mikrotik.com/download/changelogs/testing-release-tree


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

