MikroTik RouterOS < 6.46.7, <= 6.47.3, 7.x DoS Vulnerability

Good day

CVE [CVE-2020-11881]

Wrong version detection in this test. My RouterOS version is 7.9.2, but it shows me that it is lower than 6.46.7

Hello and welcome to this community forum,

actually the VT itself is currently working as expected / is correct as the title:

MikroTik RouterOS < 6.46.7, <= 6.47.3, 7.x DoS Vulnerability

and the affected tag says:

MikroTik RouterOS version 6.47.3 and prior and 7.x.

The 7.x means that all versions of that branch (including 7.9.2) are assumed as affected as no official statement on a fix in the 7.x branch has been found back then.

Unfortunately the MikroTik RouterOS vulnerability handling is always a little bit hard to follow as there are (to the best of our knowledge) no dedicated advisory page available or no mention of specific CVEs in the changelogs on their page (you e.g. need to try to match some CVE descriptions to some changelog entries to actually be able to determine which CVE got fixed in which release).

TL;DR

  • The VT is currently working as expected / as designed / as implemented
  • If you know some official statement in which 7.x version this flaw got fixed it could be provided here and the version check could be updated accordingly to match this newly available info
2 Likes

It seems there was also some discussion around this ongoing in the forum linked below but no clear / official statement on fixes for version 7.x could be found there:

https://forum.mikrotik.com/viewtopic.php?t=166137

1 Like

Thx a lot for answer

1 Like

As a follow-up I have tried to find some additional information / clear vendor statement in which 7.x versions/branch this flaw got fixed but haven’t found any information so far.

For this I had checked e.g.:

and the only clear information which was found about a fix for this CVE was the following on the 6.46.7 changelog:

smb - fixed possible memory leak (CVE-2020-11881);

If someone is in contact with the vendor please ask for an update of the later changelogs for e.g. 6.4.7 or 7.x releases (to reference this CVE) to know which later version received a fix as well.

Afterwards the VT in question could be updated accordingly.

Okay, just to be clear.
I installed the latest stable 7.10 and tested it with GitHub - botlabsDev/CVE-2020-11881: CVE-2020-11881: unauthenticated remote DoS for MikroTik SMB service.

The result was

[smb]: online
[dos]: ok
[smb]: online

And smbclient result after this

Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

So I think it's fixed, just not reported

Cfi, if you wish to test it personally, write me, I will give you access to the MikroTik

1 Like

Thanks a lot for the follow-up.

While this might be fixed there is also a chance that it isn’t if e.g.:

  • the tool in question isn’t able to detect the flaw in newer RouterOS versions
    • Remember: The tool seems to have been updated in 09/2020 the last time
  • some additional configuration on the target is preventing a detection

Greenbone currently doesn’t have capabilities / resources to research the status of all flaws of all possible vendors for which a VT exists and needs to either rely on reliable information provided by the vendor or needs to assume that a flaw might not be fixed (better safe than sorry, users can still work with overrides if they like).

For being able to update the VT in question the vendor would need to provide reliable info on the fixed status of this flaw like mentioned previously.

As an alternative you could also set an override for the VT in question to hide the result if you would like to accept the chance of a risk that this flaw might not be fixed currently.

Thx a lot for answer and for your time. I will do like you said, to hide the result

1 Like

If still being in contact with the vendor it could be also asked for a clear info / communication on the fixed status like outlined previously:

For being able to update the VT in question the vendor would need to provide reliable info on the fixed status of this flaw like mentioned previously.

Other vendors e.g. have a dedicated advisory page like e.g. the following which are including the CVEs, a short description and the versions of the software fixing these:

I can confirm that MikroTik routers are a nightmare to manage vulnerabilities for. Whatever upgrade or downgrade I do to close vulnerabilities, new ones appear. Seems like the staff over at their forums doesn’t like handling vulnerability reports or questions regarding vulnerabilities as well.

1 Like

Sorry to revive this topic.

I have contacted MikroTik on this issue and after some “haggling” with their support, I have finally received a clear info on the fix status:

So there we have it ladies and gents,

The fix was introduced in V7.1beta3 and didn’t affect any stable builds. The first stable build was 7.1 and it had the fix in it. So the answer to your question is - no! No V7 stable branches were affected.

If any Greenbone staff want to verify this support exchange, feel free to DM me, as I am not comfortable sharing my full name here.

EDIT: MikroTik staff have also replied publicly on this issue, albeit a lot less detailed.

2 Likes

Thanks a lot for digging deeper into this topic and asking the vendor again about a status.

While I don’t know why the info about the fix status is not included in the Changelog entry of 7.1beta3 at MikroTik Routers and Wireless - Software the current statement should be enough for now to update the VT in question to reflect the new info accordingly.

This change should arrive in the feed in the next few days.

2 Likes
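
The version ranges discussed in this thread can be written as a check that handles RouterOS pre-release suffixes (beta/rc). This is an added example, not Greenbone's VT code; the names `parse`, `affected` and `v7_fix` are hypothetical, and the 7.x boundary is the 7.1beta3 value from the vendor statement quoted above.

```python
import re

# RouterOS version strings look like "6.46.7", "7.9.2", "7.1beta3", "7.1rc4".
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")
# Pre-release builds sort below the final release with the same number.
_STAGE = {"beta": 0, "rc": 1, None: 2}


def parse(version):
    """Return a sortable tuple (major, minor, patch, stage, stage_no)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage], int(stage_no or 0))


def affected(version, v7_fix="7.1beta3"):
    """CVE-2020-11881 range check using the values quoted in this thread.

    v7_fix=None reproduces the behaviour described for the original VT,
    where every 7.x version is assumed affected.
    """
    v = parse(version)
    if v < parse("6.46.7"):        # title: "< 6.46.7"
        return True
    if v[:2] == (6, 46):           # 6.46.7 and later in the 6.46 branch
        return False
    if v <= parse("6.47.3"):       # title: "<= 6.47.3"
        return True
    if v[0] == 7:                  # title: "7.x", narrowed by v7_fix
        return v7_fix is None or v < parse(v7_fix)
    return False


if __name__ == "__main__":
    # Constructed sample versions, including the ones named in the thread.
    for sample in ("6.46.6", "6.46.7", "6.47.3", "7.1beta2", "7.1beta3", "7.9.2"):
        print(sample, affected(sample), affected(sample, v7_fix=None))
```

With `v7_fix=None` the check flags 7.9.2, which is the result the original poster saw; with the vendor-stated boundary it does not.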