Hi
Is there any news about this vuln? CVE-2019-3981
https://www.tenable.com/cve/CVE-2019-3981
thanks
What are the current versions of ROS?
This CPE is about version 6.42, which has been obsolete since 2018 …
Now, from what I can see, this is a man-in-the-middle attack that is not solved. The article mentions Winbox 3.20, which is the latest, and ROS 6.43, which is old, but you can read the following from Tenable:
Disclosure Timeline
10/15/2019 - Tenable discloses. 90 day is Jan. 14, 2020.
10/17/2019 - MikroTik acknowledges and indicates there is no plan to patch in 90 day time frame.
10/17/2019 - Tenable reiterates disclosure will occur on Jan 14.
10/17/2019 - MikroTik acknowledges.
01/14/2020 - Tenable sends a final reminder.
So Mikrotik did acknowledge this bug on 2019-10-17, and I cannot read anything in the changelog indicating that this has been fixed after this date, and nothing has been posted on the Security blog about this.
So I think this is a real issue.
10/17/2019 - MikroTik acknowledges and indicates there is no plan to patch in 90 day time frame.
As you can see, Mikrotik didn't plan to fix it in the time frame given. Would be interesting to hear why…
@Bartoz - Why would you infer that the issue only refers to 6.43 unless you can prove that the issue raised in the CVE was covered in the firmware upgrade notes of subsequent Versions.
In other words, you know it has been and thus a link or quote or post referring to that would be helpful.
Or, you are making a wild-assed guess that it has been rectified (rectal pluck), which just wastes my time.
The Tenable Blogpost gives some more insight:
Affected Products:
RouterOS 6.43 and above
WinBox 3.20 and below
…
Version 6.43 of RouterOS included a changelog indicating:
!) winbox - improved authentication process excluding man-in-the-middle possibility;
The change involved the RouterOS WinBox interface (port 8291) switching the key agreement algorithm from a Diffie-Hellman implementation to an ECSRP-5 implementation. While the ECSRP-5 implementation is immune to man-in-the-middle attacks, a man in the middle can still downgrade the WinBox client to the Diffie-Hellman implementation. After the DH key exchange the client will send the attacker their username and their MD5 hashed password (the hash is salted with an attacker defined salt).
[…]
As of publication time, no solution currently exists.
Sounds more like a compatibility issue, where winbox currently silently downgrades the connection to DH so it can still work with older ROS versions. The solution is simple: release a new winbox that warns you before doing so.
@Anav
Just trying to read, with understanding, what is written:
This file implements the Winbox server's key exchange and encryption mechanism
for Winbox before 6.43. …
This server won’t respond to the initial ECSRP-5 message from the client. When
that happens, the client will then switch to the DH implementation.
And this https://www.cybersecurity-help.cz/vdb/SB2018091103?affChecked=1
Severity: Low
CVSSv3: 3.7 [CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)
Description
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to insecure authentication processes in the Winbox service. A remote attacker can perform a man-in-the-middle (MitM) attack and gain unauthorized access to the affected device.
Mitigation
Update to version 6.43.
Vulnerable software versions
MikroTik RouterOS: 6.42, 6.42.1, 6.42.2, 6.42.3, 6.42.4, 6.42.5, 6.42.6, 6.42.7
So … if you use a ROS more than 2 years old, it's your choice … I know, I know … we can dispute whether newer versions are better or not than old …
Yes … Winbox could warn that you are connecting to a too-old ROS, but I immediately see the new thread "Disable warning, as I use so many ROS versions that it makes me crazy to read this warning". Or at least a checkbox "Disable this warning".
There is no way to satisfy all of us, but there are so many "security threads" started just to ask about something that is already solved.
What do you suggest about Winbox? What should it do? Disable access to old ROSes, or silently switch to the older authentication method?
I think it is important to get all the info and not just waft it away and say "No, this is an old thing, so do not worry." It all boils down to risk management and how this could affect someone.
By being silent on the issue, Mikrotik only manages to look bad, if you ask me.
Much better to release information that this problem exists. Is it a bad one? Probably not; it is most likely a feature needed right now, but you have to look at how you manage a device and take that into consideration.
If you only have access over the internet, then you are more exposed to this issue, and so on.
The last thing we want is panic, as that never creates anything healthy for a community. Look at the QNAP issues from the end of last year.
I would much prefer detailed information from Mikrotik that states the issue, whether it can be mitigated, and what they consider the risk factor to be.
Regarding Winbox, just release a version that disables the feature that allows access to older devices and call it 3.21. Then allow download of 3.20 for legacy connections (below 6.43) and 3.21 for access from 6.43 onward. If you have a mix, then you can still use 3.20 with the risk of the CVE.
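As an added illustration of the fallback behaviour this thread debates (the silent DH downgrade in the Tenable excerpt, and the warn and split-version proposals in the posts above), here is a small Python model of a client negotiation policy; it is constructed for this post and is not WinBox or Tenable code. The message names, Policy values and Server fields are assumptions, and the model shows that because the peer's claimed version is unauthenticated, only a policy that refuses DH fallback keeps the credentials off the downgraded exchange.

```python
# Added example (not MikroTik's or Tenable's code): a model of the client-side
# fallback decision discussed in this thread. Message names, policies and the
# Server fields are constructed for illustration; no real WinBox framing or
# ECSRP-5 maths is used.
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    LEGACY = "legacy"   # behaviour described in the thread: silently fall back to DH
    WARN = "warn"       # fall back only after an explicit user confirmation
    STRICT = "strict"   # never fall back; suited to a fleet entirely on >= 6.43


@dataclass
class Server:
    version: str            # what the peer claims; unauthenticated, so never trusted
    supports_ecsrp5: bool   # a downgrading middleman simply drops the ECSRP-5 hello


@dataclass
class Outcome:
    method: str                       # "ecsrp5", "dh" or "aborted"
    credentials_sent_over_dh: bool
    log: list = field(default_factory=list)


def handshake(server: Server, policy: Policy, user_confirms=lambda s: False) -> Outcome:
    """Run the (modelled) negotiation and record what the client ended up doing."""
    out = Outcome("aborted", False)
    out.log.append("client -> ECSRP5_HELLO")
    if server.supports_ecsrp5:
        out.log.append("server -> ECSRP5_CHALLENGE")
        out.method = "ecsrp5"
        return out
    # No reply to the ECSRP-5 hello: an old server and an active downgrade look identical,
    # and the claimed version string cannot distinguish them.
    out.log.append("server -> (no ECSRP-5 reply)")
    if policy is Policy.STRICT:
        out.log.append("client: refusing DH fallback")
        return out
    if policy is Policy.WARN and not user_confirms(server):
        out.log.append("client: DH fallback declined by user")
        return out
    out.log.append("client -> DH_HELLO; server -> DH_REPLY (salt chosen by peer)")
    out.log.append("client -> username + salted MD5(password)")  # as described by Tenable
    out.method = "dh"
    out.credentials_sent_over_dh = True
    return out
```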