CVE-2018-115X issues discovered by Tenable

MikroTik was contacted by Tenable Inc. who had discovered several issues in RouterOS web server. The issues only affect authenticated users, meaning, to exploit them, there must be a known username and password on the device. Your data, access to the system and configuration are not under risk. All the below issues only allow the authenticated user (even a read-only user) to cause the www service to crash. Tenable has assigned CVE numbers to these issues.

  • CVE-2018-1156: An authenticated user can trigger a stack buffer overflow.
  • CVE-2018-1157: File upload memory exhaustion. An authenticated user can cause the www binary to consume all memory.
  • CVE-2018-1158: Recursive JSON parsing stack exhaustion, which could allow an authenticated user to cause crash of the www service.
  • CVE-2018-1159: www memory corruption, if connections are initiated and not properly cleaned up then a heap corruption occurs in www.

All of the above issues are fixed in the following RouterOS releases: 6.42.7, 6.40.9, 6.43