Details
=======
Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
Product Description
==================
RouterOS is the operating system used on the MikroTik's devices,
such as
switch, router and access point.
Description of vulnerabilities
==========================
These two vulnerabilities were tested only against the MikroTik
RouterOS
long-term release tree when found. Maybe other release trees also
suffer
from these issues.
1. The console process suffers from a memory corruption
issue.
An authenticated remote user can crash the console process due to a
NULL
pointer reference by sending a crafted packet.
2. The console process suffers from an assertion failure issue.
There is a
reachable assertion in the console process. An authenticated remote
user
can crash the console process duo to assertion failure by sending a
crafted
packet.
Solution
========
Upgrade to the corresponding latest RouterOS tree version.
References
==========
[1] https://mikrotik.com/download/changelogs/long-term-release-tree
Read more https://packetstormsecurity.com/files/155869/mikrotik-corrupt.txt
