groove/Sara
1
0
Fork 0
mirror of https://github.com/casterbyte/Sara.git synced 2025-12-16 11:29:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: groove:v1.1.1
Branches Tags
groove:main
groove:v1.3.0
groove:v1.2
groove:v1.1.1
groove:v1.1
...
compare: groove:main
Branches Tags
groove:main
groove:v1.3.0
groove:v1.2
groove:v1.1.1
groove:v1.1

16 commits
v1.1.1 ... main

Author SHA1 Message Date
Mahama Bazarov
a07b6bc401
Update README.md 2025-12-09 16:34:37 +04:00
caster0x00
fc94270c0e v1.3 2025-12-09 16:30:21 +04:00
caster0x00
93f970d6eb metadata 2025-10-14 14:04:14 +04:00
caster0x00
42b829db83 alias change 2025-08-13 10:25:50 +04:00
casterbyte
6cf9b1a555 v1.2 2025-05-29 22:01:57 +05:00
Caster
557586f836
Merge pull request #5 from MatthieuCoder/add-confirm-flag 
feat: add `--skip-confirmation` flag
 2025-05-27 23:19:10 -07:00
Matthieu Pignolet
346b3ae25e
Merge branch 'casterbyte:main' into add-confirm-flag 2025-05-28 09:08:36 +04:00
Caster
54dd6d1d4b
Merge pull request #4 from MatthieuCoder/main 
feat: add support for ssh-key authentication
 2025-05-25 19:33:58 +06:00
Matthieu Pignolet
aa22c20655
Merge branch 'add-confirm-flag' into merged-ssh-and-confirm 2025-05-25 12:10:56 +04:00
Matthieu Pignolet
de02596d13
fix: add wrong header in the README.md file 2025-05-25 12:04:48 +04:00
Matthieu Pignolet
6451958bd3
feat(docs): add documentation of --ssh-key and --passphrase 2025-05-25 12:03:26 +04:00
Matthieu Pignolet
a5e3cfda46
feat: add documentation for the --skip-confrmation flag 2025-05-25 11:58:08 +04:00
Matthieu Pignolet
5d0fa56bf3
fix: remove the type argument when using add_argument 2025-05-25 11:52:09 +04:00
Matthieu Pignolet
e499becd2b
feat: add --skip-confirmation flag 
This enables the use of Sara in scripts where you don't generally want to have a confirmation prompt
 2025-05-25 11:45:29 +04:00
Matthieu Pignolet
ee46c0736f
feat: add support for ssh keys passphrases 
This commit adds the support for using keyphrases to unlock the ssh key content introducted in 4ae35cff38
 2025-05-25 11:23:49 +04:00
Matthieu Pignolet
4ae35cff38
feat: add ssh key login 
This commit introduces a new option that is mutually exclusive with --password.
The goal of this change is to enable the use of non-password-protected ssh keys in order to access the RouterOS's cli.
 2025-05-25 11:17:34 +04:00
7 changed files with 1353 additions and 1009 deletions
Download patch file Download diff file Expand all files Collapse all files

399
README.md
View file

@ -1,17 +1,21 @@
# Sara: RouterOS Security Inspector
# Sara: MikroTik RouterOS Security Inspector
RouterOS configuration analyzer to find security misconfigurations and vulnerabilities.
RouterOS security analyzer for detecting misconfigurations, weak settings, and known vulnerabilities (CVE).
![](/banner/banner.png)
![](cover/saracover.png)
```
RouterOS Security Inspector. For security engineers
Operates remotely using SSH, designed to evaluate RouterOS security
```bash
_____
/ ___/____ __________ _
\__ \/ __ `/ ___/ __ `/
___/ / /_/ / / / /_/ /
/____/\__,_/_/ \__,_/
Author: Magama Bazarov, <magamabazarov@mailbox.org>
Alias: Caster
Version: 1.1.1
Codename: Judge
Sara: MikroTik RouterOS Security Inspector
Developer: Mahama Bazarov (Caster)
Contact: mahamabazarov@mailbox.org
Version: 1.3.0
Documentation & Usage: https://github.com/caster0x00/Sara
```
# Disclaimer
@ -28,7 +32,7 @@ The author does not take any responsibility for the misuse of this tool, includi
# Sara is not an attack tool
**Sara does not bypass authentication, exploit vulnerabilities, or alter RouterOS configurations.** It works in **read-only mode**, requiring no administrative privileges.
**Sara does not bypass authentication, exploit vulnerabilities, or alter RouterOS configurations.** It works in read-only mode and does not modify device configuration. A read-only RouterOS account is sufficient.
If you are unsure about the interpretation of the analysis results, consult an experienced network engineer before making any decisions!
@ -40,117 +44,95 @@ Before use, ensure that your device auditing complies with your organization's l
- Use it only on your devices or with the owner's permission;
- Do not use Sara on other people's networks without the owner's explicit consent - this may violate computer security laws!
# Mechanism
# Features
**Sara** uses [netmiko](https://github.com/ktbyers/netmiko) to remotely connect via SSH to RouterOS devices. It executes RouterOS system commands to extract configuration data and analyze it for potential vulnerabilities and signs of compromise. The user connects to the hardware himself using Sara by entering his username and password. Sara executes exactly `print` based commands, thus not changing the configuration of your hardware in any way. So, by the way, you can even use an RO-only account if you want to.
**Sara** uses [netmiko](https://github.com/ktbyers/netmiko) to remotely connect via SSH to RouterOS devices. It executes RouterOS system commands to extract configuration data and analyze it for potential vulnerabilities and signs of compromise. The user connects to the hardware himself using Sara by entering his username and password. Sara executes only `print` commands and does not change RouterOS configuration in any way. You can even use a read-only (RO) account if you want to.
Sara does not use any exploits, payloads or bruteforce attacks. All RouterOS security analysis here is based on pure configuration analysis.
## What exactly is Sara checking for?
## Profiles
1. **SMB protocol activity** determines whether SMB is enabled, which may be vulnerable to CVE-2018-7445;
Sara uses audit profiles. Each profile covers its own audit scope.
2. **Check the status of RMI interfaces** identifies active management services (Telnet, FTP, Winbox, API, HTTP/HTTPS);
- `system`: This profile covers RouterOS system checks. It checks the system version, account status, remote management services and their availability, IP restrictions, PoE and RouterBOOT status, SSH settings, and password policies. It also analyzes MAC Winbox/Telnet services, NAT rules, connection tracking mode, RoMON, and the scheduler, including for suspicious automatic tasks and possible persistence mechanisms.
- `protocols`: The profile focuses on network protocols and services that are commonly used as entry points for attacks. It checks SMB, UPnP, SOCKS proxies, DNS settings and static DNS records, DDNS cloud services, Neighbor Discovery settings, and SNMP. The profile's task is to identify enabled or improperly restricted network services that could increase the attack surface.
- `wifi`: This profile evaluates the security of the wireless part of RouterOS. It analyzes Wi-Fi interfaces, PMKID parameters, and WPS modes that could open up opportunities for offline attacks or unauthorized connections. The profile helps you quickly understand whether the current Wi-Fi network security configuration is weak.
3. **Wi-Fi Security Check** determines whether WPS and PMKID support are enabled, which can be used in WPA2-PSK attacks;
> At the moment, this check has minor stability issues, as different versions of RouterOS have different variations of Wi-Fi configurations. Keep that in mind, but feel free to make an issue, we'll look into it;
4. **Check UPnP** determines whether UPnP is enabled, which can automatically forward ports and threaten network security;
5. **Check DNS settings** detects whether `allow-remote-requests`, which makes the router a DNS server, is enabled;
6. **Check DDNS** determines whether dynamic DNS is enabled, which can reveal the real IP address of the device;
7. **PoE Test** checks if PoE is enabled, which may cause damage to connected devices;
8. **Check RouterBOOT security** determines if RouterBOOT bootloader protection is enabled;
9. **Check SOCKS Proxy** identifies an active SOCKS Proxy that could be used by an attacker for pivoting, as well as indicating a potential compromise of the device.
10. **Bandwidth Server Test (BTest)** determines whether a bandwidth server is enabled that can be used for a Flood attack by the attacker;
11. **Check discovery protocols** determines whether CDP, LLDP, MNDP that can disclose network information are active;
12. **Check minimum password length** determines whether the `minimum-password-length` parameter is set to prevent the use of weak passwords;
13. **SSH Check** analyzes SSH settings, including the use of strong-crypto and Port Forwarding permission;
14. **Check Connection Tracking** determines whether Connection Tracking is enabled, which can increase the load and open additional attack vectors;
15. **RoMON check** detects RoMON activity, which allows you to manage devices at Layer 2;
16. **Check Winbox MAC Server** analyzes access by MAC address via Winbox and Telnet, which can be a vulnerability on a local network;
17. **Check SNMP** detects the use of weak SNMP community strings (`public`, `private`);
18. **Check NAT rules** analyzes port forwarding (`dst-nat`, `netmap`) that may allow access to internal services from the outside;
19. **Check network access to RMI** determines whether access to critical services (API, Winbox, SSH) is restricted to trusted IPs only;
20. **Check RouterOS version** analyzes the current version of RouterOS and compares it to known vulnerable versions;
21. **RouterOS Vulnerability Check** checks the RouterOS version against the CVE database and displays a list of known vulnerabilities;
22. **“Keep Password” in Winbox** warns of potential use of the “Keep Password” feature
23. **Check default usernames** defines the use of standard logins (`admin`, `engineer`, `test`, `mikrotik`);
24. **Checking the schedulers** detects malicious tasks that can load remote scripts, perform hidden reboots, or run too often;
25. **Check static DNS records** Analyzes static DNS records that can be used for phishing and MITM attacks.
## A breakdown of one technique
Sara analyzes MikroTik RouterOS configuration by sending commands via SSH and interpreting the results. Let's consider a basic example of checking an SMB service that may be vulnerable to CVE-2018-7445.
```python
# SMB Check
def check_smb(connection):
separator("Checking SMB Service")
command = "/ip smb print"
output = connection.send_command(command)
if "enabled: yes" in output:
print(Fore.RED + Style.BRIGHT + "[*] CAUTION: SMB service is enabled! Are you sure you want it? Also, avoid CVE-2018-7445")
else:
print(Fore.GREEN + "[+] SMB is disabled. No risk detected.")
print(Fore.GREEN + "[+] No issues found.")
```
1. Sending a command to the router: command = `/ip smb print` - queries the status of the SMB service;
2. `output = connection.send_command(command)` - executes the command via SSH and receives its output, writing it to the variable memory;
3. If the output contains the string `“enabled: yes”`, then SMB is enabled and the script displays a warning.
The same principle works for the other checks. Only read the configuration and then analyze it in detail.
# Vulnerability Search (CVE)
# CVE Search
Sara performs a security analysis of RouterOS by checking the current firmware version and checking it against a database of known vulnerabilities (CVEs). This process identifies critical vulnerabilities that can be exploited by attackers to compromise the device.
## But how does it work?
## How does it work?
1. Sara extracts the current RouterOS version from the device using the system command (`/system resource print`)
Sara uses a separate module called `cve_analyzer.py`.
It downloads information from the NVD (National Vulnerability Database), filters it by RouterOS, and generates a local file called `routeros_cves.json`
Next, the RouterOS version is compared with the version ranges specified in CVE records, as well as with additional patterns extracted from vulnerability descriptions.
2. The check is performed using the built-in `cve_lookup.py` module, which stores a dictionary of known RouterOS vulnerabilities. This module is based on data obtained [from the MITRE CVE database](https://cve.mitre.org/data/downloads) and contains:
There are two ways to perform the CVE check:
- CVE ID;
- Vulnerability Description;
- Range of vulnerable RouterOS versions
1. Live Device (SSH)
Sara analyzes the version of the device and determines if it falls into the list of vulnerable versions.
Sara will determine the RouterOS version on the device and compare it with the CVE database.
```bash
~$ sara cve 192.168.88.1 admin
```
3. If the RouterOS version contains known vulnerabilities, Sara displays a warning indicating:
If necessary, you can specify the SSH key and port:
```bash
~$ sara cve 192.168.88.1 admin ~/.ssh/id_rsa 2222
```
- CVE ID;
- Description of the vulnerability and potential risks.
> The password or key passphrase is requested interactively ([getpass](https://docs.python.org/3/library/getpass.html))
## Specifics of checking
```bash
[+] CVE Audit (Live)
[*] Target Device: 192.168.88.1
[*] Transport: SSH (port 22)
[?] SSH password for admin@192.168.88.1:
[✓] SSH connection established: admin@192.168.88.1
[+] Search for CVEs for a specific version
[!] routeros_cves.json not found.
[*] Fetching CVEs from NVD...
[+] Saved 80 CVEs to routeros_cves.json
- Sara does not verify real-world exploitation of vulnerabilities. It only cross-references the RouterOS version against publicly available CVE databases;
- If the device is running an older version of RouterOS, but vulnerable services have been manually disabled, some warnings may be false positives;
- The CVE database is updated over time, so it is recommended to keep an eye out for current patches from MikroTik yourself.
Target RouterOS Version: 7.20.5 Matched CVEs: 0
CRIT: 0 | HIGH: 0 | MED: 0 | LOW: 0 | UNK: 0
# How to use
[*] No known CVEs found for this RouterOS version
[*] Disconnected from RouterOS (192.168.88.1)
```
2. Manual
If the device is unavailable, you can simply specify the desired version:
```bash
~$ sara cve version 7.13.1
```
Sara will perform a vulnerability scan for a specific version without connecting to the device.
```bash
[+] CVE Audit (Manual Version)
[*] RouterOS Version: 7.13.1
[+] Search for CVEs for a specific version
[!] routeros_cves.json not found.
[*] Fetching CVEs from NVD...
[+] Saved 80 CVEs to routeros_cves.json
Target RouterOS Version: 7.13.1 Matched CVEs: 2
CRIT: 0 | HIGH: 1 | MED: 1 | LOW: 0 | UNK: 0
CVE ID SEV CVSS PUBLISHED
CVE-2025-6443 HIGH 7.2 2025-06-25
CVE-2024-54772 MED 5.4 2025-02-11
```
## Features of CVE verification
Sara does not determine the possibility of actual exploitation of vulnerabilities, but only analyzes the compliance of the RouterOS version with known CVEs;
A vulnerability is considered "relevant" if the device version falls within the range specified in the CVE, or if the vulnerability description contains a recognized version range;
The NVD database often contains incomplete data (`versionStartExcluding=null`, `versionEndExcluding=null`). That's why it's also a good idea to manually check the results against MikroTik's official changelog.
# How to Use
You have two ways to install Sara:
@ -164,201 +146,68 @@ caster@kali:~$ sara -h
2. Manually using Git and Python:
```bash
~$ sudo apt install git python3-colorama python3-netmiko python3-packaging
~$ git clone https://github.com/casterbyte/Sara
~$ sudo apt install git python3-colorama python3-netmiko python3-packaging python3-requests
~$ git clone https://github.com/caster0x00/Sara
~$ cd Sara
~/Sara$ sudo python3 setup.py install
~$ sara -h
```
## Trigger Arguments (CLI Options)
## Startup
Sara supports the following command line options:
The tool uses subcommands divided by purpose:
- `audit` - analyze the RouterOS configuration by profiles (system / protocols / wifi);
- `cve` - check RouterOS vulnerabilities based on CVE (live check or manually specified version)
```bash
usage: sara.py [-h] --ip IP --username USERNAME --password PASSWORD [--port PORT]
options:
-h, --help show this help message and exit
--ip IP The address of your MikroTik router
--username USERNAME SSH username (RO account can be used)
--password PASSWORD SSH password
--port PORT SSH port (default: 22)
~$ sara <command> [...]
```
1. `--ip` - this argument specifies the IP address of the MikroTik device to which Sara is connecting;
## Authentication
2. `--username` - the SSH username that will be used to connect. Sara supports only authorized access;
Sara does not support passwords in command line arguments. Passwords/passphrases are requested securely via `getpass()`
> You can use read-only (RO) accounts. Sara does not make configuration changes, so you do not need `write` or `full` level access.
3. `--password` - password for SSH authentication;
4. `--port` - allows you to specify a non-standard SSH port for connection. The default is **22**, but if you have changed the SSH port number, it must be specified manually.
# Sara's Launch
## Audit
The RouterOS configuration audit is performed via SSH with selected profiles.
```bash
caster@kali:~$ python3 sara.py --ip 192.168.88.1 --username admin --password mypass
~$ sara audit <ip> <username> <profiles> [key] [port]
~$ sara audit 192.168.88.1 admin system
```
_____
/ ____|
| (___ __ _ _ __ __ _
\___ \ / _` | '__/ _` |
____) | (_| | | | (_| |
|_____/ \__,_|_| \__,_|
With key (SSH):
```bash
~$ sara audit 192.168.88.1 admin system,protocols ~/.ssh/id_rsa
```
RouterOS Security Inspector. For security engineers
Operates remotely using SSH, designed to evaluate RouterOS security
With a non-standard port:
```bash
~$ sara audit 192.168.88.1 admin system,protocols ~/.ssh/id_rsa 2222
```
Author: Magama Bazarov, <caster@exploit.org>
Alias: Caster
Version: 1.1
Codename: Judge
Documentation & Usage: https://github.com/casterbyte/Sara
## Profiles
[!] DISCLAIMER: Use this tool only for auditing your own devices.
[!] Unauthorized use on third-party systems is ILLEGAL.
[!] The author is not responsible for misuse.
Profiles are a comma-separated list:
WARNING: This tool is for security auditing of YOUR OWN RouterOS devices.
Unauthorized use may be illegal. Proceed responsibly.
- `system` refers to system settings, management, users, RMI, SSH security, NAT, scheduler, etc.;
- `protocols` refers to services and network protocols (SMB, UPnP, DNS, SNMP, DDNS, Neighbor Discovery);
- `wifi` refers to security of Wi-Fi interfaces (PMKID, WPS).
Do you wish to proceed? [yes/no]: yes
[*] Connecting to RouterOS at 192.168.88.1:22
[*] Connection successful!
========================================
[*] Checking RouterOS Version
[+] Detected RouterOS Version: 7.15.3
[+] No known CVEs found for this version.
========================================
[*] Checking SMB Service
[+] SMB is disabled. No risk detected.
[+] No issues found.
========================================
[*] Checking RMI Services
[!] ALERT: TELNET is ENABLED! This is a high security risk.
- Account passwords can be intercepted
[!] ALERT: FTP is ENABLED! This is a high security risk.
- Are you sure you need FTP?
[!] ALERT: HTTP is ENABLED! This is a high security risk.
- Account passwords can be intercepted
[+] OK: SSH is enabled. Good!
- Are you using strong passwords and SSH keys for authentication?
[!] CAUTION: HTTP-SSL is enabled.
- HTTPS detected. Ensure it uses a valid certificate and strong encryption.
[!] CAUTION: API is enabled.
- RouterOS API is vulnerable to a bruteforce attack. If you need it, make sure you have access to it.
[!] CAUTION: WINBOX is enabled.
[!] CAUTION: If you're using 'Keep Password' in Winbox, your credentials may be stored in plaintext!
- If your PC is compromised, attackers can extract saved credentials.
- Consider disabling 'Keep Password' to improve security.
[!] CAUTION: API-SSL is enabled.
- RouterOS API is vulnerable to a bruteforce attack. If you need it, make sure you have access to it.
========================================
[*] Checking Default Usernames
[!] CAUTION: Default username 'admin' detected! Change it to a unique one.
[!] CAUTION: Default username 'engineer' detected! Change it to a unique one.
========================================
[*] Checking network access to RMI
[!] CAUTION: TELNET has no IP restriction set! Please restrict access.
[!] CAUTION: FTP has no IP restriction set! Please restrict access.
[!] CAUTION: WWW has no IP restriction set! Please restrict access.
[+] OK! SSH is restricted to: 192.168.88.0/24
[!] CAUTION: WWW-SSL has no IP restriction set! Please restrict access.
[!] CAUTION: API has no IP restriction set! Please restrict access.
[+] OK! WINBOX is restricted to: 192.168.88.0/24
[!] CAUTION: API-SSL has no IP restriction set! Please restrict access.
========================================
[*] Checking Wi-Fi Security
[+] All Wi-Fi interfaces and security profiles have secure settings.
[*] If you use WPA-PSK or WPA2-PSK, take care of password strength. So that the handshake cannot be easily brute-forced.
[+] No issues found.
========================================
[*] Checking UPnP Status
[+] UPnP is disabled. No risk detected.
[+] No issues found.
========================================
[*] Checking DNS Settings
[!] CAUTION: Router is acting as a DNS server! This is just a warning. The DNS port on your RouterOS should not be on the external interface.
========================================
[*] Checking DDNS Settings
[+] DDNS is disabled. No risk detected.
[+] No issues found.
========================================
[*] Checking PoE Status
[!] CAUTION: PoE is enabled on ether1. Ensure that connected devices support PoE to prevent damage.
========================================
[*] Checking RouterBOOT Protection
[!] CAUTION: RouterBOOT protection is disabled! This can allow unauthorized firmware changes and password resets via Netinstall.
========================================
[*] Checking SOCKS Proxy Status
[+] SOCKS proxy is disabled. No risk detected.
[+] No issues found.
========================================
[*] Checking Bandwidth Server Status
[+] Bandwidth server is disabled. No risk detected.
[+] No issues found.
========================================
[*] Checking Neighbor Discovery Protocols
[+] No security risks found in Neighbor Discovery Protocol settings.
[+] No issues found.
========================================
[*] Checking Password Policy
[!] CAUTION: No minimum password length is enforced! The length of the created passwords must be taken into account.
========================================
[*] Checking SSH Security
[!] CAUTION: SSH Dynamic Port Forwarding is enabled! This could indicate a RouterOS compromise, and SSH DPF could also be used by an attacker as a pivoting technique.
[!] CAUTION: strong-crypto is disabled! It is recommended to enable it to enhance security. This will:
- Use stronger encryption, HMAC algorithms, and larger DH primes;
- Prefer 256-bit encryption, disable null encryption, prefer SHA-256;
- Disable MD5, use 2048-bit prime for Diffie-Hellman exchange;
========================================
[*] Checking Connection Tracking
[+] Connection Tracking is properly configured.
[+] No issues found.
========================================
[*] Checking RoMON Status
[+] RoMON is disabled. No risk detected.
[+] No issues found.
========================================
[*] Checking Winbox MAC Server Settings
[+] MAC Winbox are properly restricted.
[+] MAC Telnet are properly restricted.
[+] MAC Ping are properly restricted.
========================================
[*] Checking SNMP Community Strings
[+] SNMP community strings checked. No weak values detected.
[+] No issues found.
========================================
[*] Checking Firewall NAT Rules
[+] No Destination NAT (dst-nat/netmap) rules detected. No risks found.
[+] No issues found.
========================================
[*] Checking for Malicious Schedulers
[*] Checking: 'Unknown' →
[+] No malicious schedulers detected.
========================================
[*] Checking Static DNS Entries
[!] WARNING: The following static DNS entries exist:
- dc01.myownsummer.org → 192.168.88.71
- fake.example.com → 192.168.88.100
[*] Were you the one who created those static DNS records? Make sure.
[*] Attackers during RouterOS post-exploitation like to tamper with DNS record settings, for example, for phishing purposes.
========================================
[*] Checking Router Uptime
[*] Router Uptime: 64 days, 2 hours, 23 minutes
[*] Disconnected from RouterOS (192.168.88.1:22)
[*] All checks have been completed. Security inspection completed in 3.03 seconds
You can use multiple profiles at once:
```bash
system,protocols,wifi
```
# Copyright
Copyright (c) 2025 Magama Bazarov. This project is licensed under the Apache 2.0 License
Copyright (c) 2026 Mahama Bazarov.
This project is licensed under the Apache 2.0 License.
This project is not affiliated with or endorsed by SIA Mikrotīkls
All MikroTik trademarks and product names are the property of their respective owners.
# Outro
MikroTik devices are widely used around the world. Sara is designed to help engineers improve security - use it wisely.
E-mail for contact: magamabazarov@mailbox.org
If you have any suggestions or find any bugs, feel free to create issues in the repository or contact me: [mahamabazarov@mailbox.org](mailto:mahamabazarov@mailbox.org)

BIN
banner/banner.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 18 KiB

BIN
cover/saracover.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 7.8 MiB

486
cve_analyzer.py Normal file
View file

@ -0,0 +1,486 @@
# Auxiliary module cve_analyzer.py for searching CVE using the NIST NVD database
#
# Copyright (c) 2026 Mahama Bazarov
# Licensed under the Apache 2.0 License
# This project is not affiliated with or endorsed by SIA Mikrotīkls
import json, re, os, requests, time
from packaging.version import Version, InvalidVersion
from colorama import Fore, Style
# NVD v2.0 URL and settings
NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
KEYWORD = "routeros"
RESULTS_PER_PAGE = 2000
OUTPUT_FILE = "routeros_cves.json"
GUTTER = 2 # spaces between columns
# Simple role-based color mapping
def paint(role: str, text: str) -> str:
role_value = (role or "").lower()
if role_value in ("crit", "fail"):
return Fore.RED + text + Style.RESET_ALL
if role_value == "warn":
return Fore.YELLOW + text + Style.RESET_ALL
if role_value == "ok":
return Fore.GREEN + text + Style.RESET_ALL
if role_value == "info":
return Fore.CYAN + text + Style.RESET_ALL
if role_value == "label":
return Fore.CYAN + text + Style.RESET_ALL
if role_value == "value":
return Style.BRIGHT + text + Style.RESET_ALL
return text
# ANSI and OSC-8 stripping for width calculation
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
OSC8_BEL = re.compile(r"\x1b]8;;.*?\x07")
OSC8_ST = re.compile(r"\x1b]8;;.*?\x1b\\")
def strip_osc8(s: str) -> str:
tmp = OSC8_BEL.sub("", s)
tmp = OSC8_ST.sub("", tmp)
return tmp
def visible_len(s: str) -> int:
raw = strip_osc8(s)
no_ansi = ANSI_RE.sub("", raw)
return len(no_ansi)
def pad_r(s: str, width: int) -> str:
length = visible_len(s)
pad_len = width - length
if pad_len < 0:
pad_len = 0
return s + " " * pad_len
def pad_l(s: str, width: int) -> str:
length = visible_len(s)
pad_len = width - length
if pad_len < 0:
pad_len = 0
return " " * pad_len + s
# Clickable hyperlink (OSC-8)
def term_link(text: str, url: str) -> str:
return f"\x1b]8;;{url}\x1b\\{text}\x1b]8;;\x1b\\"
# Convert RouterOS version string to Version object
def normalize_version(v):
if not v:
return None
try:
return Version(v)
except InvalidVersion:
cleaned = re.sub(r"(rc|beta|testing|stable)[\d\-]*", "", v, flags=re.IGNORECASE)
try:
return Version(cleaned)
except InvalidVersion:
return None
# Extract version ranges from CVE description text
def extract_ranges_from_description(description):
description = (description or "").lower()
ranges = []
matches = re.findall(r"(?:from\s+)?v?(\d+\.\d+(?:\.\d+)?)\s+to\s+v?(\d+\.\d+(?:\.\d+)?)", description)
for start, end in matches:
ranges.append({"versionStartIncluding": start, "versionEndIncluding": end})
matches = re.findall(r"before\s+v?(\d+\.\d+(?:\.\d+)?)", description)
for end in matches:
ranges.append({"versionEndExcluding": end})
matches = re.findall(r"after\s+v?(\d+\.\d+(?:\.\d+)?)", description)
for start in matches:
ranges.append({"versionStartExcluding": start})
matches = re.findall(r"through\s+v?(\d+\.\d+(?:\.\d+)?)", description)
for end in matches:
ranges.append({"versionEndIncluding": end})
matches = re.findall(r"v?(\d+\.\d+)\.x", description)
for base in matches:
ranges.append({"versionStartIncluding": f"{base}.0", "versionEndIncluding": f"{base}.999"})
matches = re.findall(r"(?:up to|and below)\s+v?(\d+\.\d+(?:\.\d+)?)", description)
for end in matches:
ranges.append({"versionEndIncluding": end})
return ranges
# Check if current version falls into a vulnerable range
def is_version_affected(current_v, version_info):
def get(v_key):
return normalize_version(version_info.get(v_key))
criteria_raw = version_info.get("criteria", "") or ""
criteria = criteria_raw.lower()
end_excl_raw = version_info.get("versionEndExcluding", "")
if criteria and ("mikrotik" not in criteria or "routeros" not in criteria):
return False
if isinstance(end_excl_raw, str) and end_excl_raw.startswith("7") and str(current_v).startswith("6."):
return False
if isinstance(end_excl_raw, str) and end_excl_raw.startswith("6") and str(current_v).startswith("7."):
return False
start_incl = get("versionStartIncluding")
start_excl = get("versionStartExcluding")
end_incl = get("versionEndIncluding")
end_excl = get("versionEndExcluding")
if not any([start_incl, start_excl, end_incl, end_excl]):
version_match = re.search(r"routeros:([\w.\-]+)", criteria_raw)
if version_match:
version_exact = normalize_version(version_match.group(1))
return version_exact is not None and current_v == version_exact
return False
for raw_key, normed in zip(
["versionStartIncluding", "versionStartExcluding", "versionEndIncluding", "versionEndExcluding"],
[start_incl, start_excl, end_incl, end_excl],
):
if version_info.get(raw_key) and normed is None:
return False
if start_incl and current_v < start_incl:
return False
if start_excl and current_v <= start_excl:
return False
if end_incl and current_v > end_incl:
return False
if end_excl and current_v >= end_excl:
return False
return True
# Download all RouterOS CVEs from NVD and save locally
def fetch_all_cves():
all_cves = []
start_index = 0
print(Fore.CYAN + "[*] Fetching CVEs from NVD...")
while True:
params = {
"keywordSearch": KEYWORD,
"startIndex": start_index,
"resultsPerPage": RESULTS_PER_PAGE,
}
try:
response = requests.get(NVD_URL, params=params, timeout=30)
response.raise_for_status()
data = response.json()
except requests.exceptions.RequestException as e:
print(Fore.RED + f"[-] HTTP Error: {e}")
break
except json.JSONDecodeError:
print(Fore.RED + "[-] Failed to parse JSON from NVD.")
break
cve_items = data.get("vulnerabilities", [])
total_results = data.get("totalResults", 0)
for item in cve_items:
cve = item.get("cve", {})
cve_id = cve.get("id")
description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
severity = "UNKNOWN"
score = "N/A"
published = cve.get("published", "")
metrics = cve.get("metrics", {})
if "cvssMetricV31" in metrics:
cvss = metrics["cvssMetricV31"][0]["cvssData"]
severity = cvss.get("baseSeverity", "UNKNOWN")
score = cvss.get("baseScore", "N/A")
elif "cvssMetricV30" in metrics:
cvss = metrics["cvssMetricV30"][0]["cvssData"]
severity = cvss.get("baseSeverity", "UNKNOWN")
score = cvss.get("baseScore", "N/A")
affected_versions = []
for config in cve.get("configurations", []):
for node in config.get("nodes", []):
for match in node.get("cpeMatch", []):
if not match.get("vulnerable", False):
continue
criteria = match.get("criteria", "") or ""
crit_l = criteria.lower()
if "mikrotik" not in crit_l or "routeros" not in crit_l:
continue
affected_versions.append(
{
"criteria": criteria,
"versionStartIncluding": match.get("versionStartIncluding"),
"versionStartExcluding": match.get("versionStartExcluding"),
"versionEndIncluding": match.get("versionEndIncluding"),
"versionEndExcluding": match.get("versionEndExcluding"),
}
)
all_cves.append(
{
"cve_id": cve_id,
"description": description,
"severity": severity,
"cvss_score": score,
"published": published,
"affected_versions": affected_versions,
}
)
start_index += RESULTS_PER_PAGE
if start_index >= total_results:
break
time.sleep(1.5)
with open(OUTPUT_FILE, "w", encoding="utf-8") as f:
json.dump(all_cves, f, indent=2, ensure_ascii=False)
print(Fore.GREEN + f"[+] Saved {len(all_cves)} CVEs to {OUTPUT_FILE}")
# Load local CVE cache and optionally refresh it
def load_cve_data():
if not os.path.isfile(OUTPUT_FILE):
print(Fore.YELLOW + f"[!] {OUTPUT_FILE} not found.")
fetch_all_cves()
else:
print(Fore.YELLOW + f"[?] {OUTPUT_FILE} already exists.")
answer = input(Fore.YELLOW + " Overwrite it with fresh CVE data? [yes/no]: ").strip().lower()
if answer == "yes":
fetch_all_cves()
try:
with open(OUTPUT_FILE, "r", encoding="utf-8") as f:
return json.load(f)
except Exception as e:
print(Fore.RED + f"[-] Failed to load {OUTPUT_FILE}: {e}")
return None
# Format CVSS score as 0.1 or N/A
def fmt_cvss(x):
try:
value = float(x)
return f"{value:0.1f}"
except Exception:
return "N/A"
# Severity rank for sorting
sev_rank = {
"CRITICAL": 0,
"HIGH": 1,
"MEDIUM": 2,
"LOW": 3,
"UNKNOWN": 4,
}
def key_tuple(m):
sev = m.get("severity", "UNKNOWN") or "UNKNOWN"
sev_u = sev.upper()
rank = sev_rank.get(sev_u, 4)
pub = m.get("published") or ""
return (rank, pub)
# Severity tag (CRIT/HIGH/MED/LOW/UNK)
def sev_tag(sev: str):
sev_u = (sev or "UNKNOWN").upper()
if sev_u == "CRITICAL":
return paint("crit", "CRIT")
if sev_u == "HIGH":
return paint("fail", "HIGH")
if sev_u == "MEDIUM":
return paint("warn", "MED")
if sev_u == "LOW":
return paint("info", "LOW")
return paint("value", "UNK")
def count_seg(label: str, n: int):
role_map = {
"CRIT": "crit",
"HIGH": "fail",
"MED": "warn",
"LOW": "info",
"UNK": "value",
}
role = role_map[label]
return paint(role, label) + ": " + paint("value", str(n))
# Summary header
def render_summary(version: str, matches, counters):
c_crit = counters.get("CRITICAL", 0)
c_high = counters.get("HIGH", 0)
c_med = counters.get("MEDIUM", 0)
c_low = counters.get("LOW", 0)
c_unk = counters.get("UNKNOWN", 0)
line1 = (
paint("label", "Target RouterOS Version:") + " " + paint("value", version)
+ " "
+ paint("label", "Matched CVEs:") + " " + paint("value", str(len(matches)))
)
parts = [
count_seg("CRIT", c_crit),
count_seg("HIGH", c_high),
count_seg("MED", c_med),
count_seg("LOW", c_low),
count_seg("UNK", c_unk),
]
line2 = " | ".join(parts)
print(line1)
print(line2)
print()
# Table rendering
def render_cve(rows):
max_id_len = 14
for m in rows:
cve_id = m.get("cve_id", "") or ""
length = len(cve_id)
if length > max_id_len:
max_id_len = length
id_w = max_id_len + 2
if id_w < 16:
id_w = 16
if id_w > 22:
id_w = 22
sev_w = 5
cvss_w = 4
pub_w = 10
sep = " " * GUTTER
head = (
pad_r(paint("label", "CVE ID"), id_w)
+ sep
+ pad_r(paint("label", "SEV"), sev_w)
+ sep
+ pad_r(paint("label", "CVSS"), cvss_w)
+ sep
+ pad_r(paint("label", "PUBLISHED"), pub_w)
)
print(head)
for m in rows:
cve_id = m.get("cve_id", "") or ""
link = term_link(cve_id, "https://nvd.nist.gov/vuln/detail/" + cve_id)
sev_t = sev_tag(m.get("severity", "UNKNOWN"))
cvss = fmt_cvss(m.get("cvss_score", "N/A"))
published = m.get("published") or "-"
published = str(published)[:10]
line = (
pad_r(paint("info", link), id_w)
+ sep
+ pad_r(sev_t, sev_w)
+ sep
+ pad_l(paint("value", cvss), cvss_w)
+ sep
+ pad_r(paint("value", published), pub_w)
)
print(line)
# Core CVE matching logic for a given RouterOS version
def run_cve_match_for_version(current_v, current_version: str):
cve_data = load_cve_data()
if not cve_data:
return
counters = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0, "UNKNOWN": 0}
matches = []
for cve in cve_data:
matched = False
affected_versions = cve.get("affected_versions", [])
if not affected_versions:
affected_versions = extract_ranges_from_description(cve.get("description", ""))
for version_info in affected_versions:
if is_version_affected(current_v, version_info):
matched = True
break
if not matched:
continue
sev = (cve.get("severity", "UNKNOWN") or "UNKNOWN").upper()
counters[sev] = counters.get(sev, 0) + 1
matches.append(
{
"cve_id": cve.get("cve_id", ""),
"severity": sev,
"cvss_score": cve.get("cvss_score", "N/A"),
"published": cve.get("published", ""),
}
)
print()
render_summary(current_version, matches, counters)
if not matches:
print(paint("ok", "[*] No known CVEs found for this RouterOS version"))
print()
return
rows = sorted(matches, key=key_tuple)
render_cve(rows)
# Live CVE audit based on device version (kept for potential reuse)
def run_cve_audit(connection):
print(paint("label", "[+] Search for CVEs for a specific version"))
output = connection.send_command("/system resource print")
match = re.search(r"version:\s*([\w.\-]+)", output)
if not match:
print(Fore.RED + "[-] ERROR: Could not determine RouterOS version.")
return
current_version = match.group(1)
current_v = normalize_version(current_version)
if not current_v:
print(Fore.RED + f"[-] ERROR: RouterOS version '{current_version}' is invalid.")
return
run_cve_match_for_version(current_v, current_version)
# CVE audit for manually provided RouterOS version string (used by Sara)
def run_cve_audit_for_version(version_str: str):
print(paint("label", "[+] Search for CVEs for a specific version"))
current_version = version_str.strip()
current_v = normalize_version(current_version)
if not current_v:
print(Fore.RED + f"[-] ERROR: RouterOS version '{current_version}' is invalid.")
return
run_cve_match_for_version(current_v, current_version)

72
cve_lookup.py
View file

@ -1,72 +0,0 @@
# Sara's helper module for CVE search based on RouterOS version analysis
# Downloaded and adapted from: https://cve.mitre.org/data/downloads
# The CVE search thanks to this module is passive and does not involve sending various payloads, launching exploits and so on
# UPD: It's not the best realization at this point. I need to use the NIST NVD database without having to hardcode CVEs. This was not the best solution.
cve_routeros_database = {
"CVE-2008-0680": "SNMPd in MikroTik RouterOS 3.2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP SET request.",
"CVE-2008-6976": "MikroTik RouterOS 3.x through 3.13 and 2.x through 2.9.51 allows remote attackers to modify Network Management System (NMS) settings via a crafted SNMP set request.",
"CVE-2012-6050": "The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll",
"CVE-2015-2350": "Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS 5.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request in the status page to /cfg.",
"CVE-2017-17537": "MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated remote attacker to cause a denial of service by connecting to TCP port 53 and sending data that begins with many '\0' characters",
"CVE-2017-17538": "MikroTik v6.40.5 devices allow remote attackers to cause a denial of service via a flood of ICMP packets.",
"CVE-2017-6297": "The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain access to networks on the L2TP server by monitoring the packets for the transmitted data and obtaining the L2TP secret",
"CVE-2017-6444": "The MikroTik Router hAP Lite 6.25 has no protection mechanism for unsolicited TCP ACK packets in the case of a fast network connection",
"CVE-2017-7285": "A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets",
"CVE-2017-8338": "A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec)",
"CVE-2018-10066": "An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client's internal network",
"CVE-2018-10070": "A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many '\0' characters",
"CVE-2018-1157": "Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.",
"CVE-2018-1158": "Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.",
"CVE-2018-14847": "MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.",
"CVE-2018-7445": "A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place",
"CVE-2019-13074": "A vulnerability in the FTP daemon on MikroTik routers through 6.44.3 could allow remote attackers to exhaust all available memory, causing the device to reboot because of uncontrolled resource management.",
"CVE-2019-15055": "MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication",
"CVE-2019-16160": "An integer underflow in the SMB server of MikroTik RouterOS before 6.45.5 allows remote unauthenticated attackers to crash the service.",
"CVE-2019-3924": "MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) is vulnerable to an intermediary vulnerability. The software will execute user defined network requests to both WAN and LAN clients. A remote unauthenticated attacker can use this vulnerability to bypass the router's firewall or for general network scanning activities.",
"CVE-2019-3943": "MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are vulnerable to an authenticated, remote directory traversal via the HTTP or Winbox interfaces. An authenticated, remote attack can use this vulnerability to read and write files outside of the sandbox directory (/rw/disk)",
"CVE-2019-3978": "RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker's choice. The DNS responses are cached by the router, potentially resulting in cache poisoning",
"CVE-2019-3981": "MikroTik Winbox 3.20 and below is vulnerable to man in the middle attacks. A man in the middle can downgrade the client's authentication protocol and recover the user's username and MD5 hashed password.",
"CVE-2020-10364": "The SSH daemon on MikroTik routers through 6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management",
"CVE-2020-11881": "An array index error in MikroTik RouterOS 6.41.3 through 6.46.5, and 7.x through 7.0 Beta5, allows an unauthenticated remote attacker to crash the SMB server via modified setup-request packets,",
"CVE-2020-20021": "An issue discovered in MikroTik Router 6.46.3 and earlier allows attacker to cause denial of service via misconfiguration in the SSH daemon.",
"CVE-2020-20214": "MikroTik RouterOS 6.44.6 (long-term tree) suffers from an assertion failure vulnerability in the btest process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.",
"CVE-2020-20217": "MikroTik RouterOS before 6.47 (stable tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/route process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.",
"CVE-2020-20220": "MikroTik RouterOS prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
"CVE-2020-20222": "MikroTik RouterOS 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
"CVE-2020-20225": "MikroTik RouterOS before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /nova/bin/user process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.",
"CVE-2020-20227": "MikroTik RouterOS stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.",
"CVE-2020-20230": "MikroTik RouterOS before stable 6.47 suffers from an uncontrolled resource consumption in the sshd process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.",
"CVE-2020-20231": "MikroTik RouterOS through stable version 6.48.3 suffers from a memory corruption vulnerability in the /nova/bin/detnet process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
"CVE-2020-20236": "MikroTik RouterOS 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.",
"CVE-2020-20237": "Mikrotik RouterOS 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.",
"CVE-2020-20245": "Mikrotik RouterOS stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.",
"CVE-2020-20246": "Mikrotik RouterOS stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.",
"CVE-2020-20248": "Mikrotik RouterOS before stable 6.47 suffers from an uncontrolled resource consumption in the memtest process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.",
"CVE-2020-20249": "Mikrotik RouterOS before stable 6.47 suffers from a memory corruption vulnerability in the resolver process. By sending a crafted packet",
"CVE-2020-20250": "Mikrotik RouterOS before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference) NOTE: this is different from CVE-2020-20253 and CVE-2020-20254. All four vulnerabilities in the /nova/bin/lcdstat process are discussed in the CVE-2020-20250",
"CVE-2020-20252": "Mikrotik RouterOS before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference)",
"CVE-2020-20253": "Mikrotik RouterOS before 6.47 (stable tree) suffers from a divison by zero vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service due to a divide by zero error.",
"CVE-2020-20254": "Mikrotik RouterOS before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
"CVE-2020-20262": "Mikrotik RouterOS before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.",
"CVE-2020-20264": "Mikrotik RouterOS before 6.47 (stable tree) in the /ram/pckg/advanced-tools/nova/bin/netwatch process. An authenticated remote attacker can cause a Denial of Service due to a divide by zero error.",
"CVE-2020-20265": "Mikrotik RouterOS before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /ram/pckg/wireless/nova/bin/wireless process. An authenticated remote attacker can cause a Denial of Service due via a crafted packet.",
"CVE-2020-20266": "Mikrotik RouterOS before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/dot1x process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
"CVE-2020-5720": "MikroTik WinBox before 3.21 is vulnerable to a path traversal vulnerability that allows creation of arbitrary files wherevere WinBox has write permissions. WinBox is vulnerable to this attack if it connects to a malicious endpoint or if an attacker mounts a man in the middle attack.",
"CVE-2020-5721": "MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and",
"CVE-2021-27221": "MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.",
"CVE-2021-3014": "MikroTik RouterOS through 6.48 is vulnerable to XSS in the hotspot login page via the target parameter",
"CVE-2021-36613": "MikroTik RouterOS before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference)",
"CVE-2021-36614": "MikroTik RouterOS before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference)",
"CVE-2022-34960": "The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links",
"CVE-2022-36522": "Mikrotik RouterOS through stable 6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.",
"CVE-2022-45313": "Mikrotik RouterOS before stable 7.5 was discovered to contain an out-of-bounds read in the hotspot process. This vulnerability allows attackers to execute arbitrary code via a crafted nova message.",
"CVE-2022-45315": "Mikrotik RouterOS before stable 7.6 was discovered to contain an out-of-bounds read in the snmp process. This vulnerability allows attackers to execute arbitrary code via a crafted packet.",
"CVE-2023-24094": "An issue in the bridge2 component of MikroTik RouterOS v6.40.5 allows attackers to cause a Denial of Service (DoS) via crafted packets.",
"CVE-2023-30799": "MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.",
"CVE-2023-30800": "The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result",
"CVE-2023-41570": "MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.",
"CVE-2024-38861": "Improper Certificate Validation in Checkmk Exchange plugin MikroTik allows attackers in MitM position to intercept traffic. This issue affects MikroTik: from 2.0.0 through 2.5.5, from 0.4a_mk through 2.0a.",
"CVE-2024-54772": "An issue was discovered in the Winbox service of MikroTik RouterOS long-term release v6.43.13 through v6.49.13 and stable v6.43 through v7.17.2. A patch is available in the stable release v6.49.18. A discrepancy in response size between connection attempts made with a valid username and those with an invalid username allows attackers to enumerate for valid accounts.",
}

1302
sara.py
View file

File diff suppressed because it is too large Load diff

13
setup.py
View file

@ -2,23 +2,24 @@ from setuptools import setup, find_packages
setup(
name="sara",
version="1.1.1",
url="https://github.com/casterbyte/Sara",
author="Magama Bazarov",
author_email="magamabazarov@mailbox.org",
version="1.3",
url="https://github.com/caster0x00/Sara",
author="Mahama Bazarov",
author_email="mahamabazarov@mailbox.org",
scripts=['sara.py'],
description="RouterOS Security Inspector",
long_description=open('README.md', encoding="utf8").read(),
long_description_content_type='text/markdown',
license="Apache-2.0",
keywords=['mikrotik', 'routeros', 'config analyzer', 'network security',],
keywords=['mikrotik', 'routeros', 'config analyzer', 'network security', 'cve',],
packages=find_packages(),
install_requires=[
'colorama',
'netmiko',
'packaging',
'requests',
],
py_modules=['cve_lookup'],
py_modules=['cve_analyzer'],
entry_points={
"console_scripts": ["sara = sara:main"],
},