Remote code execution in MikroTik RouterOS v6 (all before 6.41.3)

Hello.

Couldn't find any information about the last MikroTik ROS vulnerability, which was published 2018-03-16 20:16:27

Remote code execution in MikroTik RouterOS



Severity: Medium

Patch available : YES

Number of vulnerabilities: 1

CVE ID: CVE-2018-7445

CVSSv3: 7.8 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CWE ID: CWE-121

Exploitation vector: Local network

Public exploit: Not available

Vulnerable software : MikroTik RouterOS

Vulnerable software versions:

MikroTik RouterOS 6.41.2

MikroTik RouterOS 6.41.1

MikroTik RouterOS 6.41


MikroTik RouterOS 6.40.6

MikroTik RouterOS 6.40.3

MikroTik RouterOS 6.40.2

MikroTik RouterOS 6.40.5

MikroTik RouterOS 6.40.4

MikroTik RouterOS 6.40.1

MikroTik RouterOS 6.40



Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a stack-based buffer overflow when processing NetBIOS session request messages. A remote unauthenticated attacker can send a specially crafted NetBIOS session request message with malformed NetBIOS names, trigger stack-based buffer overflow and cause denial of service conditions or execute arbitrary code on the target system.



Successful exploitation of the vulnerability may allow an attacker to gain full access to the affected router but requires that SMB service is running.



Decision:

Update to version 6.41.3



Source link:

https://www.cybersecurity-help.cz/vdb/SB2018031609



From MikroTik support:
normis wrote:
"Please note, that SMB service had to be enabled on the LAN side, and only the LAN users could exploit this."

Please note, that SMB service had to be enabled on the LAN side, and only the LAN users could exploit this.

Sorry, forgot about the description.

Can you explain?

  1. It's dangerous only from LAN, with the SMB service enabled on the LAN interface of the router
  2. It's not dangerous from WAN

No. MikroTik devices have firewall on WAN by default. Also, since you have to explicitly enable SMB support, normally a person wouldn’t configure it for access from WAN …

Hi,
Today all our customers who have a public IP with a MikroTik device stopped working. When we checked to understand what happened, we saw that the ethernet interfaces of these devices are not working, and some SXT were reset. Is that related to this vulnerability?

Thanks.

Do you have SMB enabled? Is your WAN interface accepting SMB requests?

Hi Muqatil,

Normally we do not enable SMB on devices. We leave them as default:

         enabled: no
          domain: MSHOME
         comment: MikrotikSMB
    allow-guests: yes
      interfaces: all

I wonder if this vulnerability may have affected them, because all of these devices are down today.
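A triage check for the question raised in this thread, as an added example that is not part of any post or of MikroTik's tooling: it combines the fixed version from the advisory (6.41.3) with SMB settings in the `key: value` layout pasted above. The function names and status strings are hypothetical, only stable version strings such as `6.40.6` are handled, and the `enabled: yes` sample is constructed.

```python
import re

FIXED = (6, 41, 3)  # first fixed release according to the advisory quoted in this thread

# SMB settings as pasted in the post above (defaults, service disabled).
POST_CONFIG = """
     enabled: no
      domain: MSHOME
     comment: MikrotikSMB
allow-guests: yes
  interfaces: all
"""
# Constructed variant: same router with the SMB service switched on.
ENABLED_CONFIG = POST_CONFIG.replace("enabled: no", "enabled: yes")

def parse_version(text):
    """Turn a stable RouterOS version string such as '6.40.6' into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_smb_print(text):
    """Parse 'key: value' lines in the layout shown above into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings

def assess(version, smb_print):
    """Classify one router against CVE-2018-7445 from version and SMB state."""
    ver = parse_version(version)
    if ver[0] != 6:
        return "out-of-scope"            # the advisory only covers RouterOS v6
    if ver >= FIXED:
        return "patched"
    smb = parse_smb_print(smb_print)
    enabled = smb.get("enabled")
    if enabled is None:
        return "vulnerable-smb-unknown"  # missing data is not treated as safe
    if enabled == "yes":
        return "exposed on interfaces=" + smb.get("interfaces", "?")
    return "vulnerable-smb-off"          # still needs the update to 6.41.3

if __name__ == "__main__":
    for ver, cfg in [("6.40.6", POST_CONFIG), ("6.41.2", ENABLED_CONFIG), ("6.41.3", ENABLED_CONFIG)]:
        print(ver, "->", assess(ver, cfg))
```

A result of `exposed on interfaces=all` means the firewall rules decide whether the service is reachable only from LAN, as the replies above discuss.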

it’s actually there partially:

“Exploitation vector: Local network”

Thanks doneware,

Do you have any idea why this happened? All MikroTik devices which are using a public IP on their interface went down today…

Thanks

Please stop posting in all topics that are not related to your question. There is a high likelihood you suffered ESD damage due to static discharge in the atmosphere. Not all problems are caused by “evil hackers”

Yes, you are right, I'm sorry for that. So I opened a new topic and also sent mail to support. I don't think that it is ESD damage due to static discharge. I have many MikroTik devices at customers, but only devices with a public IP address failed, and all of them went down yesterday, nearly 50 devices with the same problem. The ethernet interface comes up for 5-10 seconds, then goes. Netinstall also does not work.

Everything points to hardware issue. Please continue discussion in support ticket, not here.

While waiting for an answer from support, I wanted to share it, thinking that I could get help from here.

Thanks normis.