MikroTik RouterOS Memory Corruption / Failed Assertion

2020.01.08

Credit: Qian Chen

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Advisory: two vulnerabilities found in MikroTik's RouterOS
Details
=======
Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
Product Description
==================
RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.
Description of vulnerabilities
==========================
These two vulnerabilities were tested only against the MikroTik RouterOS
long-term release tree when found. Maybe other release trees also suffer
from these issues.
1. The console process suffers from a memory corruption issue.
An authenticated remote user can crash the console process due to a NULL
pointer reference by sending a crafted packet.
2. The console process suffers from an assertion failure issue. There is a
reachable assertion in the console process. An authenticated remote user
can crash the console process duo to assertion failure by sending a crafted
packet.
Solution
========
Upgrade to the corresponding latest RouterOS tree version.
References
==========
[1] https://mikrotik.com/download/changelogs/long-term-release-tree

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MikroTik RouterOS Memory Corruption / Failed Assertion

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.