CVE-2019-3977

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords.
References
Link Resource
https://www.tenable.com/security/research/tra-2019-46 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:o:mikrotik:routeros:*:*:*:*:ltr:*:*:*
cpe:2.3:o:mikrotik:routeros:*:*:*:*:-:*:*:*

Information

Published : 2019-10-29 07:15

Updated : 2019-11-01 06:37


NVD link : CVE-2019-3977

Mitre link : CVE-2019-3977

Products Affected
No products.
CWE
CWE-494

Download of Code Without Integrity Check