Since RouterOS is based on older Linux kernel, if you have any open TCP ports then you are likely vulnerable. Note that RouterOS default config firewall will protect you from this, only if you have open ports are you at risk from internet-based attacks.
Workaround is to add this to the top of your input rules. Adjust MSS as needed if you have some weird clients:
Code: Select all
/ip firewall filter add action=drop chain=input comment="CVE-2019-11477, CVE-2019-11478, CVE-2019-11479" protocol=tcp tcp-flags=syn tcp-mss=0-500