PT-2019-4066 · Mikrotik · Routeros+1

Published 2019-09-11 · Updated 2021-11-03 · CVE-2019-3976

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

RouterOS versions 6.45.6 and earlier
RouterOS versions 6.44.5 and earlier

Description

The issue is an arbitrary directory creation vulnerability reachable through the name field of an upgrade package. If an authenticated user installs a malicious package, a directory could be created and the developer shell could be enabled. The vulnerability is in the way RouterOS processes .NPK files, which is subject to relative path traversal. Exploitation may allow a remote attacker to create arbitrary directories and execute arbitrary shell code using a malicious update package.

Recommendations

For RouterOS versions 6.45.6 and earlier, consider disabling the package installation feature until a patch is available. For RouterOS versions 6.44.5 and earlier, restrict access to the upgrade package's name field to minimize the risk of exploitation. As a temporary workaround, consider disabling the developer shell until a patch is available.

Fix

Relative Path Traversal

RCE

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2019-04627
CVE-2019-3976

Affected Products

Mikrotik Routeros
Routeros