Package validation and upgrade vulnerability

Tenable has identified two issues with the RouterOS packaging and upgrade systems. The upgrade system used by RouterOS 6.45.5 and below is vulnerable to man-in-the-middle attacks and performs insufficient package validation. An attacker can abuse these vulnerabilities to downgrade a router's installed RouterOS version, and possibly to lock the user out of the system or disable it.

  • Issue #1: Appending unsigned data to a package and directory traversal (CVE-2019-3976). An attacker could create custom packages and supply them to the victim in order to modify the RouterOS directory structure.
  • Issue #2: The upgrade process is vulnerable to man-in-the-middle attacks (CVE-2019-3977). An attacker could trick the victim into fetching packages from a different upgrade server.

Both issues are fixed in released RouterOS versions in all release chains:

  • 6.45.7 [stable]
  • 6.44.6 [long-term]
  • 6.46beta59 [testing]

With the following changelog entries:

  • !) package - accept only packages with original filenames (CVE-2019-3976);
  • !) package - improved package signature verification (CVE-2019-3977);
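As an added illustration of the two changelog entries above (this is constructed example code, not RouterOS's own package format or verifier), the following models a signed package and contrasts a lax verifier, which checks the signature only over the declared region and then processes the whole file, with a strict one that rejects any unsigned tail, requires the signed filename to match the name the file arrived under, and refuses entry paths that escape the install root. The length-prefixed layout and the HMAC stand-in for the vendor signature are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import posixpath
import struct

# Constructed package layout (not the real RouterOS .npk format):
# 4-byte length | signed region (filename, then one entry path per line) | 32-byte tag.
# HMAC-SHA256 with a demo key stands in for the vendor's signature.
KEY = b"constructed-demo-signing-key"
TAG_LEN = 32

def build_package(filename, entries):
    body = "\n".join([filename] + entries).encode()
    signed = struct.pack(">I", len(body)) + body
    return signed + hmac.new(KEY, signed, hashlib.sha256).digest()

def _signed_lines(pkg):
    # Verify the tag over the declared region only; return its lines or None.
    if len(pkg) < 4 + TAG_LEN:
        return None
    (n,) = struct.unpack(">I", pkg[:4])
    signed, tag = pkg[:4 + n], pkg[4 + n:4 + n + TAG_LEN]
    if not hmac.compare_digest(tag, hmac.new(KEY, signed, hashlib.sha256).digest()):
        return None
    return signed[4:].decode().split("\n")

def verify_lax(pkg):
    # Weak verifier (models the flaw): the signature covers only the declared
    # region, but every line in the file, including an unsigned tail, is installed.
    lines = _signed_lines(pkg)
    if lines is None:
        return None
    (n,) = struct.unpack(">I", pkg[:4])
    tail = pkg[4 + n + TAG_LEN:].decode(errors="replace")
    return lines[1:] + [t for t in tail.split("\n") if t]

def entry_inside_root(name):
    # Reject absolute paths, backslashes, NULs and anything that normalises to above the root.
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return False
    norm = posixpath.normpath(name)
    return norm != ".." and not norm.startswith("../")

def verify_strict(pkg, on_disk_name):
    # Hardened verifier: tag must end exactly at EOF, signed filename must match
    # the original filename, and every entry must stay inside the install root.
    if len(pkg) < 4 + TAG_LEN:
        return None
    (n,) = struct.unpack(">I", pkg[:4])
    if len(pkg) != 4 + n + TAG_LEN:
        return None
    lines = _signed_lines(pkg)
    if lines is None or lines[0] != on_disk_name:
        return None
    entries = lines[1:]
    return entries if all(entry_inside_root(e) for e in entries) else None
```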