Advisory: four vulnerabilities found in MikroTik's RouterOS
Details
=======
Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: only CVE-2020-20227 is fixed
CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
Product Description
==================
RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.
Description of vulnerabilities
==========================
These vulnerabilities were reported to the vendor almost one year ago. And
the vendor confirmed these vulnerabilities.
1. CVE-2020-20220
The bfd process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the bfd process
due to invalid memory access.
Against stable 6.46.5, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11
--------------------------------------------
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88
esp=0x7f9d3e70
2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274
edx=0x00000001
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: maps:
2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16
/ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959
/lib/libdl-0.9.33.2.so
2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964
/lib/libuClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960
/lib/libgcc_s.so.1
2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944
/lib/libuc++.so
2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954
/lib/libcrypto.so.1.0.0
2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950
/lib/libubox.so
2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946
/lib/libumsg.so
2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958
/lib/ld-uClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05
08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05
08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: code: 0x804b175
2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53
83
This vulnerability was initially found in long-term 6.44.6, and it seems
that the latest stable version 6.48.2 still suffer from this vulnerability.
2. CVE-2020-20227
The diskd process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the diskd
process due to invalid memory access.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11
--------------------------------------------
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8
esp=0x7f9dceac
2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600
edx=0x08056e18
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049
/nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951
/lib/libubox.so
2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d
7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76
77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
2020.06.05-15:00:38.34@0:
2020.06.05-15:00:38.34@0: code: 0x7775a1e3
2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff
75
This vulnerability was initially found in stable 6.47, and it was fixed at
least in stable 6.48.1.
3. CVE-2020-20245
The log process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the log process
due to invalid memory access.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.62@0: /nova/bin/log
2020.06.22-20:13:36.62@0: --- signal=11
--------------------------------------------
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202
2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858
esp=0x7fec6818
2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8
edx=0x00000006
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: maps:
2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005
/nova/bin/log
2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818
2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00
00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77
2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06
08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: code: 0x77709d2e
2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0
ff
This vulnerability was initially found in stable 6.46.3, and it seems that
the latest stable version 6.48.2 still suffers from this vulnerability.
4. CVE-2020-20246
The mactel process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the mactel
process due to NULL pointer dereference.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: /nova/bin/mactel
2020.06.22-20:25:36.17@0: --- signal=11
--------------------------------------------
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8
esp=0x7fe78090
2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b
edx=0xffffffff
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: maps:
2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041
/nova/bin/mactel
2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948
/lib/libucrypto.so
2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967
/lib/libutil-0.9.33.2.so
2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951
/lib/libubox.so
2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090
2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04
08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00
2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b
77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: code: 0x804ddc7
2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83
c4
This vulnerability was initially found in stable 6.46.3, and it seems that
the latest stable version 6.48.2 still suffers from this vulnerability.
Solution
========
As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree
version. For others, no upgrade firmware available yet
References
==========
[1] https://mikrotik.com/download/changelogs/stable-release-tree