#VU20428 Input validation error in MikroTik RouterOS - CVE-2019-15055

Cybersecurity Help s.r.o.

Published: 2019-08-28 | Updated: 2020-01-08

Vulnerability identifier: #VU20428

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-15055

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MikroTik RouterOS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: MikroTik

Description

The vulnerability allows a remote attacker to delete arbitrary files.

The vulnerability exists due to insufficient validation of the disk name. A remote authenticated attacker can reset credential storage, access to the management interface as an administrator without authentication and delete arbitrary files.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MikroTik RouterOS: 6.44 - 6.44.5, 6.45 - 6.45.3

External links
https://fortiguard.com/zeroday/FG-VD-19-108
https://mikrotik.com/download/changelogs/testing-release-tree

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Privilege escalation in MikroTik RouterOS