MikroTik Winbox up to 3.22 Configuration File settings.cfg.viw Credentials information disclosure


A vulnerability classified as problematic has been found in MikroTik Winbox up to 3.22. The issue affects an unknown function of the file settings.cfg.viw of the component Configuration File. No information about possible countermeasures is known. It may be advisable to replace the affected object with an alternative product.

| Field | 04/16/2020 02:35 PM | 04/16/2020 02:40 PM |
|---|---|---|
| vendor | MikroTik | MikroTik |
| name | Winbox | Winbox |
| version | <=3.22 | <=3.22 |
| component | Configuration File | Configuration File |
| file | settings.cfg.viw | settings.cfg.viw |
| risk | 1 | 1 |
| cvss2_vuldb_basescore | 1.5 | 1.5 |
| cvss2_vuldb_tempscore | 1.5 | 1.5 |
| cvss2_vuldb_av | L | L |
| cvss2_vuldb_ac | M | M |
| cvss2_vuldb_au | S | S |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | N | N |
| cvss2_vuldb_ai | N | N |
| cvss3_meta_basescore | 4.4 | 4.4 |
| cvss3_meta_tempscore | 4.4 | 4.4 |
| cvss3_vuldb_basescore | 3.3 | 3.3 |
| cvss3_vuldb_tempscore | 3.3 | 3.3 |
| cvss3_vuldb_av | L | L |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | L | L |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | N | N |
| cvss3_vuldb_a | N | N |
| titleword | Credentials | Credentials |
| date | 1586908800 (04/15/2020) | 1586908800 (04/15/2020) |
| price_0day | $0-$5k | $0-$5k |
| cve | CVE-2020-5721 | CVE-2020-5721 |
| cvss2_vuldb_e | ND | ND |
| cvss2_vuldb_rl | ND | ND |
| cvss2_vuldb_rc | ND | ND |
| cvss3_vuldb_e | X | X |
| cvss3_vuldb_rl | X | X |
| cvss3_vuldb_rc | X | X |
| cvss3_nvd_basescore | 5.5 | 5.5 |
| cwe | 0 | 260 |
| cvss2_nvd_av | | L |
| cvss2_nvd_ac | | L |
| cvss2_nvd_au | | N |
| cvss2_nvd_ci | | P |
| cvss2_nvd_ii | | N |
| cvss2_nvd_ai | | N |
| cvss3_nvd_av | | L |
| cvss3_nvd_ac | | L |
| cvss3_nvd_pr | | L |
| cvss3_nvd_ui | | N |
| cvss3_nvd_s | | U |
| cvss3_nvd_c | | H |
| cvss3_nvd_i | | N |
| cvss3_nvd_a | | N |
| cve_assigned | | 1578268800 |
| cve_nvd_summary | | MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router. |
