Any info about this? ZDI-23-710 CVE-2023-32154

RADVD Out-Of-Bounds Write Remote Code Execution Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-23-710/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32154

12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.

I guess Mikrotik has its own implementation and is not affected.

It’s a specific RouterOS vulnerability

This one seems a particularly bad vulnerability, especially if it’s in the router advertisement/neighbor discovery as described, as these are active by default and left enabled by most users:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Router Advertisement Daemon. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Is this a joke?

There is no technical analysis, no info if it concerns RoS v6 or v7, and lastly CVE-2023-32154 does not even appear to be registered with NIST…

I think details are not revealed until a fix is released/confirmed, to prevent mass exploitation.

https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure

Oh, my fault… :flushed_face: I just read “radvd” and did not follow the links. :upside_down_face:

Well, we will see… Let’s hope we will have results in the coming days.

Well, then it’s either a leak at NIST (cve) or a fake.

Blog entry following soon, together with RouterOS upgrade in all channels. Upgrade needed if using IPv6 advertisement settings.

So, to be clear, if it is

/ipv6 settings
set accept-router-advertisements=no

no worry…?

ONLY affected if:

ipv6/settings/ set accept-router-advertisements=yes

or

ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

Well, I have already configured all devices with this setting (set accept-router-advertisements=no) from the beginning :wink:

Yes, it is certainly not normal to have it on. Somebody could have it on by mistake, or in very specific scenarios.

If I remember correctly, the default on both v6 and v7 is accept-router-advertisements=yes-if-forwarding-disabled and forward=yes


Sorry, are 6.48.6 (long-term) and 6.49.7 (stable) also included, in addition to 7.9 (stable) / 7.10beta5 (development)?
Thanks.

RouterOS 7.10beta7, 7.9.1, 6.49.8 coming soon

No hope on 6.48.7?

Blog? I did not know it still existed…

blog = new help docs?

Is it correct that this has already been known for over 6 months?

No, blog = https://blog.mikrotik.com/
But nothing has been posted there for nearly two years…