var-202105-0087
Vulnerability from variot
MikroTik RouterOS stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a denial of service through an invalid memory access. MikroTik RouterOS is vulnerable to a buffer error and may be put into a denial-of-service (DoS) state. MikroTik RouterOS is a Linux-based router operating system developed by the Latvian company MikroTik. The system can be deployed on a PC so that it provides router functionality. MikroTik RouterOS has a security vulnerability.
Advisory: four vulnerabilities found in MikroTik's RouterOS
Details
Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: only CVE-2020-20227 is fixed
CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
Product Description
RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.
Description of vulnerabilities
These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities.
Against stable 6.46.5, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88 esp=0x7f9d3e70
2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274 edx=0x00000001
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: maps:
2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16 /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so
2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0
2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: code: 0x804b175
2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83
This vulnerability was initially found in long-term 6.44.6, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8 esp=0x7f9dceac
2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049 /nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951 /lib/libubox.so
2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
2020.06.05-15:00:38.34@0:
2020.06.05-15:00:38.34@0: code: 0x7775a1e3
2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
This vulnerability was initially found in stable 6.47, and it was fixed at least in stable 6.48.1.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.62@0: /nova/bin/log
2020.06.22-20:13:36.62@0: --- signal=11
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202
2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858 esp=0x7fec6818
2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8 edx=0x00000006
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: maps:
2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005 /nova/bin/log
2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818
2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77
2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06 08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: code: 0x77709d2e
2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0 ff
This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.
- By sending a crafted packet, an authenticated remote user can crash the mactel process due to NULL pointer dereference.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: /nova/bin/mactel
2020.06.22-20:25:36.17@0: --- signal=11
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8 esp=0x7fe78090
2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: maps:
2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel
2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948 /lib/libucrypto.so
2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967 /lib/libutil-0.9.33.2.so
2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951 /lib/libubox.so
2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090
2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04 08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00
2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b 77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: code: 0x804ddc7
2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4
This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.
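For triage of dumps like the four above, the faulting eip can be resolved against the maps lines to see whether the crash lies in the service binary or in a shared library. The following is an added example, not part of the advisory or of RouterOS: the function names and the 0x1000 "low register" threshold are assumptions, the field layout is inferred only from the dumps on this page, and it handles a single crash record.

```python
import re

# Constructed sample: abridged from the mactel dump quoted above
# (two of the nine maps lines kept, stack bytes omitted).
SAMPLE = """\
2020.06.22-20:25:36.17@0: /nova/bin/mactel
2020.06.22-20:25:36.17@0: --- signal=11
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8 esp=0x7fe78090
2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff
2020.06.22-20:25:36.17@0: maps:
2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel
2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.22-20:25:36.17@0: code: 0x804ddc7
2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4
"""

# Per-line "YYYY.MM.DD-hh:mm:ss.cc@N:" prefix seen in the dumps.
PREFIX_RE = re.compile(
    r"^[ \t]*\d{4}\.\d\d\.\d\d-\d\d:\d\d:\d\d\.\d\d@\d+:[ \t]?", re.M)
REG_RE = re.compile(r"\b(eip|eflags|e[a-d]x|e[sd]i|e[bs]p)=0x([0-9a-fA-F]+)")
# start-end perms file_offset dev inode path; \s+ also tolerates the
# line wrapping that e-mail copies of these dumps introduce.
MAP_RE = re.compile(
    r"\b([0-9a-f]{8})-([0-9a-f]{8})\s+([r-][w-][x-][ps])\s+([0-9a-f]{8})"
    r"\s+\S+\s+\d+\s+(/\S+)")
SIG_RE = re.compile(r"--- signal=(\d+)")
PROC_RE = re.compile(r"^(/\S+)[ \t]*$", re.M)
# Assumption: a general-purpose register below one page is only a hint
# at a NULL-based access, not proof of one.
LOW_ADDR = 0x1000


def parse_backtrace(text):
    """Parse one crash record into process, signal, registers and maps."""
    body = PREFIX_RE.sub("", text)
    proc = PROC_RE.search(body)
    sig = SIG_RE.search(body)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(body)}
    maps = [(int(lo, 16), int(hi, 16), perms, int(off, 16), path)
            for lo, hi, perms, off, path in MAP_RE.findall(body)]
    return {
        "process": proc.group(1) if proc else None,
        "signal": int(sig.group(1)) if sig else None,
        "regs": regs,
        "maps": maps,
    }


def resolve(addr, maps):
    """Return (module path, offset within the mapped file) for addr."""
    if addr is None:
        return None, None
    for lo, hi, _perms, file_off, path in maps:
        if lo <= addr < hi:
            return path, addr - lo + file_off
    return None, None


def triage(text):
    """Summarise where the fault happened and which registers look NULL-ish."""
    rec = parse_backtrace(text)
    module, offset = resolve(rec["regs"].get("eip"), rec["maps"])
    low = sorted(name for name, val in rec["regs"].items()
                 if name not in ("eip", "eflags") and val < LOW_ADDR)
    return {
        "process": rec["process"],
        "signal": rec["signal"],
        "fault_module": module,
        "fault_offset": offset,
        "in_main_binary": module is not None and module == rec["process"],
        "low_registers": low,
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    off = result["fault_offset"]
    print(result["process"], "signal", result["signal"])
    print("fault in", result["fault_module"],
          "+0x%x" % off if off is not None else "(unmapped)")
    print("low registers:", ", ".join(result["low_registers"]) or "none")
```

The module-relative offset is what stays comparable across reboots and devices, so it is the value to record when correlating repeated crashes of the same service.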
Solution
As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree version. For the others, no upgraded firmware is available yet.
References
[1] https://mikrotik.com/download/changelogs/stable-release-tree