MikroTik RouterOS Path Traversal (CVE-2019-15055)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(502079);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/28");

  script_cve_id("CVE-2019-15055");

  script_name(english:"MikroTik RouterOS Path Traversal (CVE-2019-15055)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly
handles the disk name, which allows authenticated users to delete
arbitrary files. Attackers can exploit this vulnerability to reset
credential storage, which allows them access to the management
interface as an administrator without authentication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://fortiguard.com/zeroday/FG-VD-19-108");
  script_set_attribute(attribute:"see_also", value:"https://forum.mikrotik.com/viewtopic.php?t=151603");
  script_set_attribute(attribute:"see_also", value:"https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055");
  # https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b748946");
  script_set_attribute(attribute:"see_also", value:"https://mikrotik.com/download/changelogs/testing-release-tree");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15055");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mikrotik:routeros:6.44.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mikrotik:routeros:6.45.3");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/MikroTik");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/MikroTik');

var asset = tenable_ot::assets::get(vendor:'MikroTik');

var vuln_cpes = {
    "cpe:/o:mikrotik:routeros:6.44.5" :
        {"versionEndIncluding" : "6.44.5", "family" : "RouterOS"},
    "cpe:/o:mikrotik:routeros:6.45.3" :
        {"versionEndIncluding" : "6.45.3", "versionStartIncluding" : "6.45", "family" : "RouterOS"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);