Hi,
What about this CVE?
Thanks
This issue was first fixed in 6.48.6, 6.49.1, and 7.1; as such, subsequent versions and current releases are not affected by it.
Hi Guntis
The question is how the attacker acts: do you have to have the web port? Winbox? Or how does this CVE affect us?
With firewalled ports we are safe?
Thanks
Hi
Do I need to have a certificate installed for this attack to occur?
Thanks
SCEP has to be configured, and the attacker needs to know the path name. Furthermore, it's a somewhat complex attack with a low probability of success: https://teamt5.org/en/posts/vulnerability-mikrotik-cve-2021-41987/
Ok, thanks!
Guntis - do you know when the vulnerable code was first introduced? Is the list of versions supplied complete, or are there other versions? I note the CVE says 6.46.*, does that mean all 6.46 versions? What about 6.45, etc?
“CVE says”?
https://nvd.nist.gov/vuln/detail/CVE-2021-41987
Current Description
In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution.
The attacker must know the scep_server_name value. This affects RouterOS 6.46.8, 6.47.9, and 6.47.10.
But you do not have any reason not to upgrade/update to the latest long-term 6.48.6.
CVE actually says:
cpe:2.3:o:mikrotik:routeros:6.47.9:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:6.46:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:6.46.8:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:6.47.10:*:*:*:*:*:*:*
https://www.opencve.io/cve/CVE-2021-41987
I completely agree with your statement about upgrading. That said, a complete list of affected versions is a reasonable and normal request.
Did you read the whole page?
Like the Values Removed?
But the point is: upgrade/update it instead of searching for an excuse not to upgrade it.
There are also UNpublished bugs, you know?..
This has nothing to do with updating or not.
I am obligated to report on what devices (all of which were immediately upgraded) were impacted by the CVE. In order to do that I must know which versions are affected. It’s as simple as that. The exploit code that was published specifically targets the listed versions, but that does NOT mean the vulnerable code was introduced in those versions.
This may only happen if you both expose http and enable SCEP (“/certificate scep-server add…”) to the internet, thus the attack vector is probably very low in general. And even if you do, the probability of a regular crash is significantly higher than that of a successful remote code execution (RCE) because it all depends on an exact configuration and dynamic memory allocation.
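For the reporting need raised in this thread, here is an added example (not from any poster or from MikroTik) that triages a device inventory using only the values quoted above: the first fixed releases, the versions the CVE entry lists, and the SCEP/HTTP preconditions. The inventory fields, the treatment of beta/rc builds, and the "unfixed-not-listed" label for versions the thread leaves unresolved are assumptions.

```python
import re

# Values from the thread: first fixed releases, and versions named in the CVE entry/CPE list.
FIX_LONG_TERM, FIX_STABLE, FIX_V7 = (6, 48, 6), (6, 49, 1), (7, 1, 0)
LISTED = {(6, 46, 0), (6, 46, 8), (6, 47, 9), (6, 47, 10)}

def parse(version):
    """'6.48.6' or '7.1rc4' -> ((major, minor, patch), is_prerelease)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?((?:beta|rc)\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None

def has_fix(version):
    v, prerelease = parse(version)
    if prerelease:
        return False  # assumption: beta/rc builds are not counted as fixed releases
    if v[:2] == FIX_LONG_TERM[:2]:  # 6.48.x branch
        return v >= FIX_LONG_TERM
    return FIX_STABLE <= v < (7, 0, 0) or v >= FIX_V7

def triage(device):
    v, _ = parse(device["version"])
    if has_fix(device["version"]):
        status = "fixed"
    elif v in LISTED:
        status = "listed-affected"
    else:
        status = "unfixed-not-listed"  # hypothetical label: the thread leaves these unresolved
    # Preconditions named in the thread: SCEP server configured and HTTP reachable.
    exposed = status != "fixed" and device["scep_server"] and device["http_exposed"]
    return {"name": device["name"], "status": status, "exposed": exposed}

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "edge-1", "version": "6.47.9", "scep_server": True, "http_exposed": True},
    {"name": "core-1", "version": "6.48.6", "scep_server": True, "http_exposed": True},
    {"name": "lab-1", "version": "6.45.9", "scep_server": False, "http_exposed": True},
    {"name": "lab-2", "version": "7.1rc4", "scep_server": True, "http_exposed": False},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(triage(d))
```

Devices reported as "unfixed-not-listed" predate the stated fix but are not named in the CVE entry, so they still need a vendor answer before being reported as affected or unaffected.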