Zero-Day Advisory
Fortinet Discovers MikroTik RouterOS Authenticated Arbitrary File Deletion Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered an authenticated arbitrary file deletion vulnerability in MikroTik's RouterOS.
RouterOS is an operating system based on the Linux kernel that implements the functionality typically needed by Internet Service Providers (ISPs). RouterOS, supported by MikroTik and its user community, is documented with a wide variety of configuration examples. RouterOS is embedded in MikroTik's RouterBOARD product line, which is aimed at small and medium-sized internet access providers that typically provide broadband access in remote areas.
An authenticated arbitrary file deletion vulnerability exists in MikroTik's RouterOS through 6.44.5 and in 6.45.x through 6.45.3. Successful exploitation would allow a remote authenticated attacker to delete arbitrary files on the system, which could lead to privilege escalation.
Solutions
Users should apply the patch provided by MikroTik.
Timeline
Fortinet reported the vulnerability to MikroTik on 14 August, 2019.
MikroTik confirmed and fixed the vulnerability on 14 August, 2019.
MikroTik released a patch for the vulnerability on 22 August, 2019 in the 6.46beta34 release.
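As an added example (not part of Fortinet's advisory or MikroTik's code), the affected version ranges stated above can be turned into an inventory check. It assumes the plain RouterOS version strings shown on this page (e.g. 6.45.3, 6.46beta34), treats pre-release builds as sorting before the matching release, and reads "through 6.44.5" as covering every earlier release as well; the inventory below is constructed sample data.

```python
import re

# Affected ranges as stated in the advisory: RouterOS through 6.44.5,
# and 6.45.x through 6.45.3. The fix shipped in 6.46beta34.
# Assumption: "through 6.44.5" is read as "every release up to 6.44.5".
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 44, 5)),
    ((6, 45, 0), (6, 45, 3)),
]

# Matches "6.44.5", "6.45", and pre-release builds such as "6.46beta34".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")


def parse_version(text):
    """Parse a RouterOS version string into a comparable tuple
    (major, minor, patch, is_release, prerelease_number).
    A beta/rc build sorts before the final release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    if tag is None:
        return release + (1, 0)        # final release
    return release + (0, int(num))     # pre-release build


def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        # Lower bound includes pre-releases of 'low'; upper bound includes
        # the final release of 'high'.
        if low + (0, 0) <= v <= high + (1, 0):
            return True
    return False


def triage(inventory):
    """Return the hosts from an (hostname, version) inventory that still
    need the MikroTik patch, in inventory order."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("edge-router-01", "6.44.5"),
    ("edge-router-02", "6.45.3"),
    ("edge-router-03", "6.45.4"),
    ("lab-router-01", "6.46beta34"),
]

if __name__ == "__main__":
    print("needs patch:", triage(SAMPLE_INVENTORY))
```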