CVE-2020-20227

Vulnerability from cvelistv5

Published

2021-05-18 19:10

Modified

2024-08-04 14:15

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2021/May/23	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	https://mikrotik.com/	Product
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2021/May/23	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://mikrotik.com/	Product

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T14:15:29.018Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mikrotik.com/"
          },
          {
            "name": "20210511 Four vulnerabilities found in MikroTik\u0027s RouterOS",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2021/May/23"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-18T19:10:42",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mikrotik.com/"
        },
        {
          "name": "20210511 Four vulnerabilities found in MikroTik\u0027s RouterOS",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2021/May/23"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-20227",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mikrotik.com/",
              "refsource": "MISC",
              "url": "https://mikrotik.com/"
            },
            {
              "name": "20210511 Four vulnerabilities found in MikroTik\u0027s RouterOS",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2021/May/23"
            },
            {
              "name": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-20227",
    "datePublished": "2021-05-18T19:10:17",
    "dateReserved": "2020-08-13T00:00:00",
    "dateUpdated": "2024-08-04T14:15:29.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-20227\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-05-18T20:15:07.440\",\"lastModified\":\"2024-11-21T05:11:56.423\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.\"},{\"lang\":\"es\",\"value\":\"Mikrotik RouterOs versi\u00f3n stable 6.47, sufre una vulnerabilidad de corrupci\u00f3n de la memoria en el proceso /nova/bin/diskd.\u0026#xa0;Un atacante remoto autenticado puede causar una Denegaci\u00f3n de Servicio debido a un acceso no v\u00e1lido a la memoria\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:N/A:P\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:mikrotik:routeros:6.47:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"70E15876-C2B4-49EF-AC5D-3FE0AE097F18\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2021/May/23\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://mikrotik.com/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2021/May/23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://mikrotik.com/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}"
  }
}

fkie_cve-2020-20227

Vulnerability from fkie_nvd

Published

2021-05-18 20:15

Modified

2024-11-21 05:11

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2021/May/23	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	https://mikrotik.com/	Product
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2021/May/23	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://mikrotik.com/	Product

Impacted products

	Vendor	Product	Version
	mikrotik	routeros	6.47

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:mikrotik:routeros:6.47:*:*:*:-:*:*:*",
              "matchCriteriaId": "70E15876-C2B4-49EF-AC5D-3FE0AE097F18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access."
    },
    {
      "lang": "es",
      "value": "Mikrotik RouterOs versi\u00f3n stable 6.47, sufre una vulnerabilidad de corrupci\u00f3n de la memoria en el proceso /nova/bin/diskd.\u0026#xa0;Un atacante remoto autenticado puede causar una Denegaci\u00f3n de Servicio debido a un acceso no v\u00e1lido a la memoria"
    }
  ],
  "id": "CVE-2020-20227",
  "lastModified": "2024-11-21T05:11:56.423",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-18T20:15:07.440",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2021/May/23"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://mikrotik.com/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2021/May/23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://mikrotik.com/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. Mikrotik RouterOs Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. MikroTik RouterOS has a security vulnerability. Advisory: four vulnerabilities found in MikroTik's RouterOS

Details

Product: MikroTik's RouterOS Vendor URL: https://mikrotik.com/ Vendor Status: only CVE-2020-20227 is fixed CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246 Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description

RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.

Description of vulnerabilities

These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11

2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88

esp=0x7f9d3e70 2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274 edx=0x00000001 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: maps: 2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16 /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so 2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944 /lib/libuc++.so 2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0 2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so 2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so 2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70 2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77 2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: code: 0x804b175 2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83

This vulnerability was initially found in long-term 6.44.6, and it seems that the latest stable version 6.48.2 still suffer from this vulnerability.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11

2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8

esp=0x7f9dceac 2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: maps: 2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049 /nova/bin/diskd 2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac 2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08 2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f 2020.06.05-15:00:38.34@0: 2020.06.05-15:00:38.34@0: code: 0x7775a1e3 2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75

This vulnerability was initially found in stable 6.47, and it was fixed at least in stable 6.48.1.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.62@0: /nova/bin/log
2020.06.22-20:13:36.62@0: --- signal=11

2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202
2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858

esp=0x7fec6818 2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8 edx=0x00000006 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: maps: 2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005 /nova/bin/log 2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818 2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77 2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06 08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: code: 0x77709d2e 2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0 ff

This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.

By sending a crafted packet, an authenticated remote user can crash the mactel process due to NULL pointer dereference.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: /nova/bin/mactel
2020.06.22-20:25:36.17@0: --- signal=11

2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8

esp=0x7fe78090 2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: maps: 2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel 2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967 /lib/libutil-0.9.33.2.so 2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090 2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04 08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00 2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b 77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: code: 0x804ddc7 2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4

This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.

Solution

As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree version. For others, no upgrade firmware available yet

References

[1] https://mikrotik.com/download/changelogs/stable-release-tree

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202105-0087",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "routeros",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "mikrotik",
        "version": "6.47"
      },
      {
        "model": "routeros",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "mikrotik",
        "version": null
      },
      {
        "model": "routeros",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "mikrotik",
        "version": "stable 6.47"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Qian Chen",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "162533"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-20227",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "CVE-2020-20227",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "VHN-173684",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:N/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 2.8,
            "id": "CVE-2020-20227",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2020-20227",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-20227",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2020-20227",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202105-651",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-173684",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-20227",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. Mikrotik RouterOs Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. MikroTik RouterOS has a security vulnerability. Advisory: four vulnerabilities found in MikroTik\u0027s RouterOS\n\n\nDetails\n=======\n\nProduct: MikroTik\u0027s RouterOS\nVendor URL: https://mikrotik.com/\nVendor Status: only CVE-2020-20227 is fixed\nCVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246\nCredit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team\n\n\nProduct Description\n==================\n\nRouterOS is the operating system used on the MikroTik\u0027s devices, such as\nswitch, router and access point. \n\n\nDescription of vulnerabilities\n==========================\nThese vulnerabilities were reported to the vendor almost one year ago. And\nthe vendor confirmed these vulnerabilities. \n\n1. \n\nAgainst stable 6.46.5, the poc resulted in the following crash dump. \n\n    # cat /rw/logs/backtrace.log\n    2020.06.19-18:36:13.88@0:\n    2020.06.19-18:36:13.88@0:\n    2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd\n    2020.06.19-18:36:13.88@0: --- signal=11\n--------------------------------------------\n    2020.06.19-18:36:13.88@0:\n    2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202\n    2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88\nesp=0x7f9d3e70\n    2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274\nedx=0x00000001\n    2020.06.19-18:36:13.88@0:\n    2020.06.19-18:36:13.88@0: maps:\n    2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16\n    /ram/pckg/routing/nova/bin/bfd\n    2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959\n   /lib/libdl-0.9.33.2.so\n    2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964\n   /lib/libuClibc-0.9.33.2.so\n    2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960\n   /lib/libgcc_s.so.1\n    2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944\n   /lib/libuc++.so\n    2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954\n   /lib/libcrypto.so.1.0.0\n    2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950\n   /lib/libubox.so\n    2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946\n   /lib/libumsg.so\n    2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958\n   /lib/ld-uClibc-0.9.33.2.so\n    2020.06.19-18:36:13.88@0:\n    2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70\n    2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05\n08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77\n    2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05\n08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00\n    2020.06.19-18:36:13.88@0:\n    2020.06.19-18:36:13.88@0: code: 0x804b175\n    2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53\n83\n\nThis vulnerability was initially found in long-term 6.44.6, and it seems\nthat the latest stable version 6.48.2 still suffer from this vulnerability. \n\n2. \n\nAgainst stable 6.47, the poc resulted in the following crash dump. \n\n    # cat /rw/logs/backtrace.log\n    2020.06.05-15:00:38.33@0:\n    2020.06.05-15:00:38.33@0:\n    2020.06.05-15:00:38.33@0: /nova/bin/diskd\n    2020.06.05-15:00:38.33@0: --- signal=11\n--------------------------------------------\n    2020.06.05-15:00:38.33@0:\n    2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202\n    2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8\nesp=0x7f9dceac\n    2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600\nedx=0x08056e18\n    2020.06.05-15:00:38.33@0:\n    2020.06.05-15:00:38.33@0: maps:\n    2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049\n    /nova/bin/diskd\n    2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966\n   /lib/libuClibc-0.9.33.2.so\n    2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962\n   /lib/libgcc_s.so.1\n    2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945\n   /lib/libuc++.so\n    2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951\n   /lib/libubox.so\n    2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947\n   /lib/libumsg.so\n    2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960\n   /lib/ld-uClibc-0.9.33.2.so\n    2020.06.05-15:00:38.33@0:\n    2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac\n    2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d\n7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08\n    2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76\n77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f\n    2020.06.05-15:00:38.34@0:\n    2020.06.05-15:00:38.34@0: code: 0x7775a1e3\n    2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff\n75\n\nThis vulnerability was initially found in stable 6.47, and it was fixed at\nleast in stable 6.48.1. \n\n3. \n\nAgainst stable 6.47, the poc resulted in the following crash dump. \n\n    # cat /rw/logs/backtrace.log\n    2020.06.22-20:13:36.29@0:\n    2020.06.22-20:13:36.29@0:\n    2020.06.22-20:13:36.62@0: /nova/bin/log\n    2020.06.22-20:13:36.62@0: --- signal=11\n--------------------------------------------\n    2020.06.22-20:13:36.62@0:\n    2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202\n    2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858\nesp=0x7fec6818\n    2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8\nedx=0x00000006\n    2020.06.22-20:13:36.62@0:\n    2020.06.22-20:13:36.62@0: maps:\n    2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005\n    /nova/bin/log\n    2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966\n   /lib/libuClibc-0.9.33.2.so\n    2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962\n   /lib/libgcc_s.so.1\n    2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945\n   /lib/libuc++.so\n    2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947\n   /lib/libumsg.so\n    2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960\n   /lib/ld-uClibc-0.9.33.2.so\n    2020.06.22-20:13:36.62@0:\n    2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818\n    2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00\n00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77\n    2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06\n08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f\n    2020.06.22-20:13:36.62@0:\n    2020.06.22-20:13:36.62@0: code: 0x77709d2e\n    2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0\nff\n\nThis vulnerability was initially found in stable 6.46.3, and it seems that\nthe latest stable version 6.48.2 still suffers from this vulnerability. \n\n4. By\nsending a crafted packet, an authenticated remote user can crash the mactel\nprocess due to NULL pointer dereference. \n\nAgainst stable 6.47, the poc resulted in the following crash dump. \n\n    # cat /rw/logs/backtrace.log\n    2020.06.22-20:25:36.17@0:\n    2020.06.22-20:25:36.17@0:\n    2020.06.22-20:25:36.17@0: /nova/bin/mactel\n    2020.06.22-20:25:36.17@0: --- signal=11\n--------------------------------------------\n    2020.06.22-20:25:36.17@0:\n    2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202\n    2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8\nesp=0x7fe78090\n    2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b\nedx=0xffffffff\n    2020.06.22-20:25:36.17@0:\n    2020.06.22-20:25:36.17@0: maps:\n    2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041\n    /nova/bin/mactel\n    2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966\n   /lib/libuClibc-0.9.33.2.so\n    2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962\n   /lib/libgcc_s.so.1\n    2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945\n   /lib/libuc++.so\n    2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948\n   /lib/libucrypto.so\n    2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967\n   /lib/libutil-0.9.33.2.so\n    2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951\n   /lib/libubox.so\n    2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947\n   /lib/libumsg.so\n    2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960\n   /lib/ld-uClibc-0.9.33.2.so\n    2020.06.22-20:25:36.17@0:\n    2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090\n    2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04\n08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00\n    2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b\n77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77\n    2020.06.22-20:25:36.17@0:\n    2020.06.22-20:25:36.17@0: code: 0x804ddc7\n    2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83\nc4\n\nThis vulnerability was initially found in stable 6.46.3, and it seems that\nthe latest stable version 6.48.2 still suffers from this vulnerability. \n\n\nSolution\n========\n\nAs to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree\nversion. For others, no upgrade firmware available yet\n\n\nReferences\n==========\n\n[1] https://mikrotik.com/download/changelogs/stable-release-tree\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "db": "PACKETSTORM",
        "id": "162533"
      }
    ],
    "trust": 1.89
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-20227",
        "trust": 3.5
      },
      {
        "db": "PACKETSTORM",
        "id": "162533",
        "trust": 2.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-173684",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-20227",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "PACKETSTORM",
        "id": "162533"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "id": "VAR-202105-0087",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-08-14T13:54:04.987000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "https://mikrotik.com/"
      },
      {
        "title": "MikroTik RouterOS Buffer error vulnerability fix",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151566"
      },
      {
        "title": "CVE-2020-20227",
        "trust": 0.1,
        "url": "https://github.com/JamesGeee/CVE-2020-20227 "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-787",
        "trust": 1.1
      },
      {
        "problemtype": "Buffer error (CWE-119) [NVD Evaluation ]",
        "trust": 0.8
      },
      {
        "problemtype": "CWE-119",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.2,
        "url": "http://packetstormsecurity.com/files/162533/mikrotik-routeros-memory-corruption.html"
      },
      {
        "trust": 1.9,
        "url": "https://mikrotik.com/"
      },
      {
        "trust": 1.8,
        "url": "http://seclists.org/fulldisclosure/2021/may/23"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-20227"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/119.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/jamesgeee/cve-2020-20227"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://mikrotik.com/download/changelogs/stable-release-tree"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-20220"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-20245"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-20246"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "PACKETSTORM",
        "id": "162533"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "db": "PACKETSTORM",
        "id": "162533"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-05-18T00:00:00",
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "date": "2021-05-18T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "date": "2022-01-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "date": "2021-05-11T21:38:05",
        "db": "PACKETSTORM",
        "id": "162533"
      },
      {
        "date": "2021-05-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      },
      {
        "date": "2021-05-18T20:15:07.440000",
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-05-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-173684"
      },
      {
        "date": "2021-05-21T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-20227"
      },
      {
        "date": "2022-01-25T05:36:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      },
      {
        "date": "2022-05-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      },
      {
        "date": "2022-05-03T16:04:40.443000",
        "db": "NVD",
        "id": "CVE-2020-20227"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mikrotik\u00a0RouterOs\u00a0 Buffer Error Vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006901"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-651"
      }
    ],
    "trust": 0.6
  }
}

ghsa-f3xh-wj4j-qrg9

Vulnerability from github

Published

2022-05-24 19:02

Modified

2022-05-24 19:02

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-20227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-18T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.",
  "id": "GHSA-f3xh-wj4j-qrg9",
  "modified": "2022-05-24T19:02:41Z",
  "published": "2022-05-24T19:02:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20227"
    },
    {
      "type": "WEB",
      "url": "https://mikrotik.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/May/23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2020-20227

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2020-20227

Aliases

CVE-2020-20227

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-20227",
    "description": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.",
    "id": "GSD-2020-20227"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-20227"
      ],
      "details": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.",
      "id": "GSD-2020-20227",
      "modified": "2023-12-13T01:21:48.368417Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2020-20227",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://mikrotik.com/",
            "refsource": "MISC",
            "url": "https://mikrotik.com/"
          },
          {
            "name": "20210511 Four vulnerabilities found in MikroTik\u0027s RouterOS",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2021/May/23"
          },
          {
            "name": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:mikrotik:routeros:6.47:*:*:*:-:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-20227"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mikrotik.com/",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://mikrotik.com/"
            },
            {
              "name": "20210511 Four vulnerabilities found in MikroTik\u0027s RouterOS",
              "refsource": "FULLDISC",
              "tags": [
                "Exploit",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/May/23"
            },
            {
              "name": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/162533/MikroTik-RouterOS-Memory-Corruption.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-05-21T20:49Z",
      "publishedDate": "2021-05-18T20:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-20227

Vulnerability from cvelistv5

fkie_cve-2020-20227

Vulnerability from fkie_nvd

var-202105-0087

Vulnerability from variot

Details

Product Description

Description of vulnerabilities

Solution

References

ghsa-f3xh-wj4j-qrg9

Vulnerability from github

gsd-2020-20227

Vulnerability from gsd

Tags

Sightings

Nomenclature