Announcement regarding CVE-2023-32154

Post might be updated over time: https://blog.mikrotik.com/security/cve-2023-32154.html

Thanks for the heads-up. Updated to 7.9.1. Awaiting other versions. I can wait, as I don’t use IPv6. Where I have IPv6 enabled, I have not configured such specific settings.

The vendor may have met with someone who is a Mikrotik distributor or a trainer. Or simply a Mikrotik user who used Mikrotik at large scale. We trust you, MikroTik!

ROS6 will be patched also?

Regards.

That’s what the announcement indicates, yes.

Recommended course of action: You can disable IPv6 advertisements, or upgrade to RouterOS 7.10beta7, 7.9.1, 6.49.8, 6.48.7 or newer versions. Some versions are not yet released, please monitor our download page for changes.

Yes, it says so, but it appears it hasn’t been released yet. That said, it appears it’s a rarely used setting combination.

None of my routers have it set that way

http://forum.mikrotik.com/t/any-info-about-this-zdi-23-710-cve-2023-32154/166785/1

It’s still a good idea to check; a couple of my routers that I upgraded from v6 to v7 did end up with Accept Router Advertisements set to Yes, which is not the default (a few other non-default settings were also in place post-upgrade).
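As an added example, not part of this thread and not MikroTik's own tooling: a small Python audit script that takes the text of `/system resource print` and `/ipv6 settings print` copied from a router and reports whether the device is on one of the fixed releases named in the announcement quoted above (7.9.1, 7.10beta7, 6.49.8, 6.48.7 or newer) and whether accept-router-advertisements is set to yes, the non-default value the previous post recommends checking for. The two sample outputs are constructed, not captured from a real device. The version-comparison rule (a release train is fixed at or above the version listed for it, a newer train on the same major counts as fixed, an older train with no listed fix counts as unfixed) is my reading of the announcement, and the script only flags the literal value yes, following the thread rather than the full condition in the vendor advisory.

```python
import re
from typing import Dict, List, NamedTuple


class Version(NamedTuple):
    """RouterOS version as a sortable tuple; pre_rank orders beta < rc < final."""
    major: int
    minor: int
    patch: int
    pre_rank: int
    pre_num: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?")
_PRE_RANK = {"beta": 0, "rc": 1}


def parse_version(text: str) -> Version:
    """Parse strings such as '7.9.1 (stable)', '6.49.7 (long-term)' or '7.10beta7'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return Version(int(major), int(minor), int(patch or 0),
                   _PRE_RANK.get(pre, 2), int(pre_num or 0))


# Fixed releases named in the MikroTik announcement quoted in this thread.
FIXED_VERSIONS: List[Version] = [
    parse_version(v) for v in ("6.48.7", "6.49.8", "7.9.1", "7.10beta7")
]


def is_fixed(v: Version) -> bool:
    """Assumed rule: a train (major.minor) is fixed at or above its listed release;
    a newer train on the same major counts as fixed; an older train with no listed
    fix, or an unknown major, is treated as unfixed (conservative)."""
    same_train = [f for f in FIXED_VERSIONS if (f.major, f.minor) == (v.major, v.minor)]
    if same_train:
        return v >= max(same_train)
    return any(f.major == v.major and (v.major, v.minor) > (f.major, f.minor)
               for f in FIXED_VERSIONS)


def parse_print_output(output: str) -> Dict[str, str]:
    """Turn the 'name: value' lines of a RouterOS 'print' into a dict."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([\w-]+):\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess(resource_print: str, ipv6_settings_print: str) -> Dict[str, object]:
    """Combine the two outputs into a verdict plus the remediation the thread gives."""
    version = parse_version(parse_print_output(resource_print)["version"])
    accept_ra = parse_print_output(ipv6_settings_print).get("accept-router-advertisements", "")
    fixed = is_fixed(version)
    ra_enabled = accept_ra == "yes"  # the non-default value the thread warns about
    exposed = (not fixed) and ra_enabled
    if exposed:
        advice = ("upgrade to a fixed release, or run "
                  "'/ipv6 settings set accept-router-advertisements=no' until you can")
    elif not fixed:
        advice = "not exposed via RA as configured, but still upgrade to a fixed release"
    else:
        advice = "running a fixed release; no action needed for this CVE"
    return {"version": version, "fixed": fixed, "accept_ra": accept_ra,
            "exposed": exposed, "advice": advice}


# Constructed sample outputs (not captured from a real device).
SAMPLE_RESOURCE_PRINT = """\
                   uptime: 2w3d4h5m
                  version: 7.8 (stable)
                 cpu-load: 3%
"""
SAMPLE_IPV6_SETTINGS_PRINT = """\
                        forward: no
               accept-redirects: yes-if-forwarding-disabled
   accept-router-advertisements: yes
           max-neighbor-entries: 8192
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RESOURCE_PRINT, SAMPLE_IPV6_SETTINGS_PRINT).items():
        print(f"{key}: {value}")
```

Paste the real output of the two print commands in place of the constructed samples; the script needs no network access, so it can be run against a pile of saved outputs when auditing many routers at once. Note that a major version with no listed fix is reported as unfixed on purpose, so a reader has to check the download page rather than trust a silent pass.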

Look, I guarantee you that if you don’t put it there on purpose, or it wasn’t already there before,
there is no update or installation that triggers the problem.
It must be done on purpose…

Update, fixes released in ALL channels. Please upgrade.

I know I have complained in the past about how security updates have been announced. In this case it has been flawless. Many thanks for this!

Can we use that RCE to obtain root access to the router? For research purposes :slight_smile:

You crack me up… A positive thinker. Look at everything as an opportunity!
Lets us know what you find :wink:

It is extremely shameful not to fix a critical vuln for almost half a year. So it means that somebody could root your device for a relatively small amount of money.

And it’s even more shameful that you write bullshit without knowing what you’re writing.


> On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which is assigned the ID CVE-2023-32154.
> The report stated that the vendor (MikroTik) was contacted in December, but we did not find record of such communication.
> The original report also says that the vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.

Tell me more, or I can say the same about you. OK, this is just Mikrotik’s word against somebody else’s word. Basically it means that somebody who was entitled as a Mikrotik representative (maybe falsely entitled) was aware of the issue for half a year.

Added quoted text.
Nobody reported the bug to MikroTik before May 10th.
(and by the way it’s a useless bug)

Since both were not present and we cannot know the truth,
given the uselessness and low danger of the bug,
given the extreme ease with which it was resolved,
I believe much more in MikroTik than in any other person,
(who maybe intentionally didn’t communicate the bug immediately, so as to resell it on the dark web).

As I told before, most probably somebody under a false flag (if we are to believe Mikrotik) entitled themselves as a Mikrotik person, took part at Pwn2Own and got details about the attack.
Well done. It means that the issue was on the black market for half a year. And yes, it is still a shame that somebody can take part in such events representing themselves as the official vendor. Let’s stop with this; we will never find the truth.

Source: https://www.zerodayinitiative.com/advisories/ZDI-23-710/

ADDITIONAL DETAILS
12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.
05/09/23 – ZDI asked for an update.
05/10/23 – The ZDI re-disclosed the report at the vendor’s request.
05/10/23 – The ZDI informed the vendor that the case will be published as a zero-day advisory on 05/17/23.

– Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

DISCLOSURE TIMELINE
2022-12-29 - Vulnerability reported to vendor
2023-05-17 - Coordinated public release of advisory

This is the page they could have used: https://mikrotik.com/supportsec Then, if they used the support e-mail, they would have had a ticket number returned. So most likely they used the proper e-mail address here but failed to follow up after two days when there was no acknowledgement of the issue.

I strongly suggest that Mikrotik send a receipt e-mail confirming that the e-mail was received, and then also always respond back with their findings. This way you can’t get a “black hole” like now seems to have happened.

I also suggest to add the link to the “supportsec” page on the “about” page:

Company Name SIA Mikrotīkls
Sales e-mail sales@mikrotik.com
Technical Support e-mail support@mikrotik.com
Responsible disclosure https://mikrotik.com/supportsec
Phone (International) +371-6-7317700

+1