Vulnerability identifier: #VU20428

Vulnerability risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15055

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MikroTik RouterOS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: MikroTik

Description

The vulnerability allows a remote attacker to delete arbitrary files.

The vulnerability exists due to insufficient validation of the disk name. A remote authenticated attacker can reset credential storage, access to the management interface as an administrator without authentication and delete arbitrary files.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MikroTik RouterOS: 6.44, 6.44.1, 6.44.2, 6.44.3, 6.44.4, 6.44.5, 6.45, 6.45.1, 6.45.2, 6.45.3

CPE

• cpe:2.3:h:mikrotik:mikrotik_routeros:6.44.5:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.45.3:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.45.2:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.45.1:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.44.4:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.44.3:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.44.2:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.44.1:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.44:*:*:*:*::*:*
• cpe:2.3:h:mikrotik:mikrotik_routeros:6.45:*:*:*:*::*:*

External links
https://fortiguard.com/zeroday/FG-VD-19-108
https://mikrotik.com/download/changelogs/testing-release-tree

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.