var-201910-0546
Vulnerability from variot
RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords. RouterOS Contains a vulnerability in the integrity verification of downloaded code.Information may be tampered with. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. There is a security vulnerability in MikroTik RouterOS 6.45.6 Stable and earlier versions and 6.44.5 Long-term and earlier versions. The vulnerability stems from the fact that the program does not fully verify the source of the update package download. An attacker can exploit this vulnerability to obtain all user names and passwords of the system
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201910-0546",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "routeros",
"scope": "lte",
"trust": 1.0,
"vendor": "mikrotik",
"version": "6.44.5"
},
{
"model": "routeros",
"scope": "lte",
"trust": 1.0,
"vendor": "mikrotik",
"version": "6.45.6"
},
{
"model": "routeros",
"scope": "lte",
"trust": 0.8,
"vendor": "mikrotik",
"version": "6.44.5 long-term"
},
{
"model": "routeros",
"scope": "lte",
"trust": 0.8,
"vendor": "mikrotik",
"version": "6.45.6 stable"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.44.3"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45.5"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45.1"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.44.5"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45.2"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.44.4"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45.6"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45.3"
},
{
"model": "routeros",
"scope": "eq",
"trust": 0.6,
"vendor": "mikrotik",
"version": "6.45.4"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:mikrotik:router_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
}
]
},
"cve": "CVE-2019-3977",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 8.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2019-3977",
"impactScore": 7.8,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 8.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-155412",
"impactScore": 7.8,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:C/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2019-3977",
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-3977",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-3977",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2019-3977",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201910-1702",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-155412",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-155412"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into \"upgrading\" to an older version of RouterOS and possibly reseting all the system\u0027s usernames and passwords. RouterOS Contains a vulnerability in the integrity verification of downloaded code.Information may be tampered with. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. There is a security vulnerability in MikroTik RouterOS 6.45.6 Stable and earlier versions and 6.44.5 Long-term and earlier versions. The vulnerability stems from the fact that the program does not fully verify the source of the update package download. An attacker can exploit this vulnerability to obtain all user names and passwords of the system",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-3977"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "VULHUB",
"id": "VHN-155412"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "TENABLE",
"id": "TRA-2019-46",
"trust": 2.5
},
{
"db": "NVD",
"id": "CVE-2019-3977",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-155412",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-155412"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"id": "VAR-201910-0546",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-155412"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:51:53.248000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://mikrotik.com/"
},
{
"title": "MikroTik RouterOS Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101462"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-494",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-155412"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.tenable.com/security/research/tra-2019-46"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3977"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3977"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-155412"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-155412"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-10-29T00:00:00",
"db": "VULHUB",
"id": "VHN-155412"
},
{
"date": "2019-11-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"date": "2019-10-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"date": "2019-10-29T19:15:20.407000",
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-01T00:00:00",
"db": "VULHUB",
"id": "VHN-155412"
},
{
"date": "2019-11-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-011452"
},
{
"date": "2019-11-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201910-1702"
},
{
"date": "2024-11-21T04:42:59.513000",
"db": "NVD",
"id": "CVE-2019-3977"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "RouterOS Vulnerabilities related to incompleteness verification of downloaded code",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-011452"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201910-1702"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.