Vulnerabilities > CVE-2018-1156 - Out-of-bounds Write vulnerability in Mikrotik Routeros

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

mikrotik

CWE-787

critical

nessus

NVD

Published: 2018-08-23

Updated: 2020-08-24

Summary

Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface. This vulnerability could theoretically allow a remote authenticated attacker execute arbitrary code on the system.

Vulnerable Configurations

Part	Description	Count
OS	Mikrotik Mikrotik Routeros 4.10 Mikrotik Routeros 4.17 Mikrotik Routeros 5.7 Mikrotik Routeros 5.8 Mikrotik Routeros 5.9 Mikrotik Routeros 5.11 Mikrotik Routeros 5.12 Mikrotik Routeros 5.13 Mikrotik Routeros 5.14 Mikrotik Routeros 5.16 Mikrotik Routeros 5.17 Mikrotik Routeros 5.18 Mikrotik Routeros 5.19 Mikrotik Routeros 5.20 Mikrotik Routeros 5.21 Mikrotik Routeros 5.22 Mikrotik Routeros 5.23 Mikrotik Routeros 5.24 Mikrotik Routeros 5.25 Mikrotik Routeros 6.0 Mikrotik Routeros 6.1 Mikrotik Routeros 6.2 Mikrotik Routeros 6.3 Mikrotik Routeros 6.4 Mikrotik Routeros 6.5 Mikrotik Routeros 6.6 Mikrotik Routeros 6.7 Mikrotik Routeros 6.9 Mikrotik Routeros 6.10 Mikrotik Routeros 6.11 Mikrotik Routeros 6.12 Mikrotik Routeros 6.13 Mikrotik Routeros 6.14 Mikrotik Routeros 6.15 Mikrotik Routeros 6.16 Mikrotik Routeros 6.17 Mikrotik Routeros 6.18 Mikrotik Routeros 6.19 Mikrotik Routeros 6.20 Mikrotik Routeros 6.21.1 Mikrotik Routeros 6.22 Mikrotik Routeros 6.23 Mikrotik Routeros 6.24 Mikrotik Routeros 6.25 Mikrotik Routeros 6.26 Mikrotik Routeros 6.27 Mikrotik Routeros 6.28 Mikrotik Routeros 6.29 Mikrotik Routeros 6.29.1 Mikrotik Routeros 6.30 Mikrotik Routeros 6.30.1 Mikrotik Routeros 6.30.2 Mikrotik Routeros 6.30.4 Mikrotik Routeros 6.32.1 Mikrotik Routeros 6.32.2 Mikrotik Routeros 6.32.3 Mikrotik Routeros 6.32.4 Mikrotik Routeros 6.33 Mikrotik Routeros 6.33.1 Mikrotik Routeros 6.33.2 Mikrotik Routeros 6.33.3 Mikrotik Routeros 6.33.5 Mikrotik Routeros 6.33.6 Mikrotik Routeros 6.34 Mikrotik Routeros 6.34.1 Mikrotik Routeros 6.34.2 Mikrotik Routeros 6.34.3 Mikrotik Routeros 6.34.4 Mikrotik Routeros 6.34.5 Mikrotik Routeros 6.34.6 Mikrotik Routeros 6.35 Mikrotik Routeros 6.35.1 Mikrotik Routeros 6.35.2 Mikrotik Routeros 6.35.4 Mikrotik Routeros 6.36 Mikrotik Routeros 6.36.1 Mikrotik Routeros 6.36.2 Mikrotik Routeros 6.36.3 Mikrotik Routeros 6.36.4 Mikrotik Routeros 6.37 Mikrotik Routeros 6.37.1 Mikrotik Routeros 6.37.2 Mikrotik Routeros 6.37.3 Mikrotik Routeros 6.37.4 Mikrotik Routeros 6.37.5 Mikrotik Routeros 6.38 Mikrotik Routeros 6.38.1 Mikrotik Routeros 6.38.2 Mikrotik Routeros 6.38.3 Mikrotik Routeros 6.38.4 Mikrotik Routeros 6.38.5 Mikrotik Routeros 6.38.7 Mikrotik Routeros 6.39 Mikrotik Routeros 6.39.1 Mikrotik Routeros 6.39.2 Mikrotik Routeros 6.39.3 Mikrotik Routeros 6.40 Mikrotik Routeros 6.40.1 Mikrotik Routeros 6.40.2 Mikrotik Routeros 6.40.3 Mikrotik Routeros 6.40.4 Mikrotik Routeros 6.40.5 Mikrotik Routeros 6.40.6 Mikrotik Routeros 6.40.7 Mikrotik Routeros 6.40.8 Mikrotik Routeros - Mikrotik Routeros 3.30 Mikrotik Routeros 5.0 Mikrotik Routeros 5.15 Mikrotik Routeros 5.26 Mikrotik Routeros 6.40.9 Mikrotik Routeros 6.41 Mikrotik Routeros 6.41.1 Mikrotik Routeros 6.41.2 Mikrotik Routeros 6.41.3 Mikrotik Routeros 6.41.4 Mikrotik Routeros 6.42 Mikrotik Routeros 6.42.1 Mikrotik Routeros 6.42.2 Mikrotik Routeros 6.42.3 Mikrotik Routeros 6.42.4 Mikrotik Routeros 6.42.5 Mikrotik Routeros 6.42.6	490

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Nessus

NASL family	Misc.
NASL id	MIKROTIK_AUG_2018.NASL
description	According to its self-reported version, the remote networking device is running a version of MikroTik prior to 6.40.9, 6.41.x < 6.42.7, or 6.43. It, therefore, vulnerable to multiple vulnerabilities.
last seen	2020-06-01
modified	2020-06-02
plugin id	112114
published	2018-08-24
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/112114
title	MikroTik RouterOS < 6.40.9 / 6.42.7 / 6.43 multiple vulnerabilities.
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(112114); script_version("1.3"); script_cvs_date("Date: 2019/11/04"); script_cve_id( "CVE-2018-1156", "CVE-2018-1157", "CVE-2018-1158", "CVE-2018-1159" ); script_name(english:"MikroTik RouterOS < 6.40.9 / 6.42.7 / 6.43 multiple vulnerabilities."); script_summary(english:"Checks RouterOS version"); script_set_attribute(attribute:"synopsis", value: "The remote networking device is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the remote networking device is running a version of MikroTik prior to 6.40.9, 6.41.x < 6.42.7, or 6.43. It, therefore, vulnerable to multiple vulnerabilities."); # https://blog.mikrotik.com/security/security-issues-discovered-by-tenable.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?237622b9"); # https://forum.mikrotik.com/viewtopic.php?f=21&t=138331 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f9e2af40"); # https://forum.mikrotik.com/viewtopic.php?f=21&t=138228 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c37b423c"); script_set_attribute(attribute:"solution", value: "Upgrade to MikroTik RouterOS 6.40.9 / 6.42.7 / 6.43 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1156"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/22"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mikrotik:routeros"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mikrotik_detect.nasl"); script_require_keys("MikroTik/RouterOS/Version"); exit(0); } include("vcf.inc"); include("audit.inc"); app = "MikroTik"; kb_ver = "MikroTik/RouterOS/Version"; # The version can be NULL when only SSH service is running. version = get_kb_item_or_exit(kb_ver); if(empty_or_null(version)) audit(AUDIT_UNKNOWN_APP_VER, app); app_info = vcf::get_app_info(app:app, kb_ver:kb_ver, service:FALSE); constraints = [{ "fixed_version" : "6.40.9" }, { "min_version" : "6.41", "fixed_version" : "6.42.7" }]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);

The Hacker News

id	THN:15F5633BC0BA0C82579744CCACA99558
last seen	2018-10-08
modified	2018-10-08
published	2018-10-08
reporter	The Hacker News
source	https://thehackernews.com/2018/10/router-hacking-exploit.html
title	New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

The Hacker News

References