#VU7644 Security restrictions bypass in MikroTik RouterOS


Published: 2017-08-01

Vulnerability identifier: #VU7644

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MikroTik RouterOS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: MikroTik

Description

Multiple issues have been fixed in MikroTik RouterOS. Because of the vendor's policy of not reporting security vulnerabilities in its products, we treat every new version of MikroTik RouterOS as a security patch.

Mitigation
Update to version 6.40.

Vulnerable software versions

MikroTik RouterOS: 6.39 - 6.39.2


External links
http://mikrotik.com/download/changelogs/current-release-tree


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

