CVE-2017-20149
Published: 2022-10-15
Priority: P186 · Critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.55% (83.1th percentile)
The Mikrotik RouterOS web server allows memory corruption in releases before Stable 6.38.5 and Long-term 6.37.5, aka Chimay-Red. A remote and unauthenticated user can trigger the vulnerability by sending a crafted HTTP request. An attacker can use this vulnerability to execute arbitrary code on the affected system, as exploited in the wild in mid-2017 and later.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikrotik | routeros | < 6.37.5 | 6.37.5 |
| mikrotik | routeros | >= 6.38 < 6.38.5 | 6.38.5 |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered by a crafted HTTP request sent to the MikroTik RouterOS web server from a remote, unauthenticated attacker; monitor for anomalous or malformed HTTP requests targeting MikroTik web interfaces.
- Vulnerability affects MikroTik RouterOS releases before Stable 6.38.5 and Long-term 6.37.5; patched versions are not vulnerable.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-qjvr-7h9f-927v (ghsa_unreviewed, 2022-10-15): CVE-2017-20149, CRITICAL, CWE-787 (out-of-bounds write). Restates the description above.
VulnCheck
MikroTik RouterOS Out-of-bounds Write (vulncheck, 2017, CVSS 9.8, CRITICAL). Restates the description above.
Affected: MikroTik RouterOS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/quick-summary-port-8291-scan-en/; https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-3_Herwig_paper.pdf; https://www.cve.org/CVERecord?i
No detection rules found.
No public exploits indexed.
arXiv
The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants (arxiv_fulltext, 2023-09-03)
Acronyms: DDoS (Distributed Denial of Service); BMS (Botnet Monitoring System)
Authors: Leon Böck (Telecooperation Lab, Technical University of Darmstadt); Valentin Sundermann (Telecooperation Lab, Technical University of Darmstadt); Isabella Fusari (George Mason University); Shankar Karuppayah (National Advanced IPv6 Centre, Universiti Sains Malaysia); Max Mühlhäuser (Telecooperation Lab, Technical University of Darmstadt); Dave Levin (University of Maryland)
## Abstract
Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts.
Over ti
GreyNoise
NoiseLetter August 2024 (blogs_greynoiseio)
References
- https://github.com/BigNerd95/Chimay-Red
- https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/