 
markos222
just joined
Topic Author
Posts: 24
Joined: Tue Dec 15, 2015 9:15 pm

CVE-2021-41987

Thu Apr 21, 2022 12:08 pm

Hi,

What is this CVE about?

Thanks
 
Guntis
MikroTik Support
Posts: 158
Joined: Fri Jul 20, 2018 1:40 pm

Re: CVE-2021-41987

Thu Apr 21, 2022 12:18 pm

This issue was first fixed in 6.48.6, 6.49.1, and 7.1; as such, subsequent versions and current releases are not affected by it.
 
markos222
just joined
Topic Author
Posts: 24
Joined: Tue Dec 15, 2015 9:15 pm

Re: CVE-2021-41987

Thu Apr 21, 2022 12:28 pm

Hi Guntis

The question is how the attacker acts: do you have to have the web port? Winbox? Or how does this CVE affect us?

With firewalled ports, are we safe?

Thanks
 
markos222
just joined
Topic Author
Posts: 24
Joined: Tue Dec 15, 2015 9:15 pm

Re: CVE-2021-41987

Thu Apr 21, 2022 12:58 pm

Hi

Do I need to have a certificate installed for this attack to occur?

Thanks
 
Guntis
MikroTik Support
Posts: 158
Joined: Fri Jul 20, 2018 1:40 pm

Re: CVE-2021-41987

Thu Apr 21, 2022 1:10 pm

SCEP has to be configured, and the attacker needs to know the path name; furthermore, it's a somewhat complex attack with a low probability of success: https://teamt5.org/en/posts/vulnerabili ... 021-41987/
 
markos222
just joined
Topic Author
Posts: 24
Joined: Tue Dec 15, 2015 9:15 pm

Re: CVE-2021-41987

Thu Apr 21, 2022 1:39 pm

Ok, thanks!
 
suran
just joined
Posts: 18
Joined: Fri Dec 16, 2011 9:43 pm

Re: CVE-2021-41987

Wed May 18, 2022 2:39 am

Guntis - do you know when the vulnerable code was first introduced? Is the list of versions supplied complete, or are there other versions? I note the CVE says 6.46.*, does that mean all 6.46 versions? What about 6.45, etc?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CVE-2021-41987

Wed May 18, 2022 11:19 am

"CVE says"?
https://nvd.nist.gov/vuln/detail/CVE-2021-41987
Current Description

In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution.
The attacker must know the scep_server_name value. This affects RouterOS 6.46.8, 6.47.9, and 6.47.10.

But you do not have any reason not to upgrade/update to the latest long-term 6.48.6.
 
suran
just joined
Posts: 18
Joined: Fri Dec 16, 2011 9:43 pm

Re: CVE-2021-41987

Wed May 18, 2022 8:11 pm

CVE actually says:

cpe:2.3:o:mikrotik:routeros:6.47.9:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:6.46:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:6.46.8:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:6.47.10:*:*:*:*:*:*:*
https://www.opencve.io/cve/CVE-2021-41987

I completely agree with your statement about upgrading. That said, a complete list of affected versions is a reasonable and normal request.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CVE-2021-41987

Thu May 19, 2022 1:54 am

Did you read the whole page?
Like the Values Removed?

But the point is: upgrade/update it instead of searching for an excuse not to upgrade it.

There are also UNpublished bugs, you know?...
 
suran
just joined
Posts: 18
Joined: Fri Dec 16, 2011 9:43 pm

Re: CVE-2021-41987

Thu May 19, 2022 2:24 am

This has nothing to do with updating or not.

I am obligated to report on what devices (all of which were immediately upgraded) were impacted by the CVE. In order to do that I must know which versions are affected. It's as simple as that. The exploit code that was published specifically targets the listed versions, but that does NOT mean the vulnerable code was introduced in those versions.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: CVE-2021-41987

Thu May 19, 2022 9:04 am

What is this CVE about?

This may only happen if you both expose HTTP and enable SCEP ("/certificate scep-server add...") to the internet; thus the attack vector is probably very low in general. And even if you do, the probability of a regular crash is significantly higher than that of a successful remote code execution (RCE), because it all depends on an exact configuration and dynamic memory allocation.
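
Added example, not part of any post in this thread and not MikroTik code: a small inventory triage that combines the first-fixed releases given above (6.48.6, 6.49.1, 7.1) with the two preconditions mentioned in the replies (SCEP server configured, HTTP reachable). The record field names, the bucket labels and the sample inventory are hypothetical and constructed; treating beta/rc builds as unfixed is an assumption.

```python
import re

# First fixed releases as stated in the thread: 6.48.6, 6.49.1 and 7.1.
FIXED_PATCH_6X = {48: 6, 49: 1}  # 6.x minor -> first fixed patch level
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?((?:beta|rc)\d+)?$")

def has_fix(version):
    """True at/after a first-fixed release, False before it, None if unparsable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):  # assumption: beta/rc builds are never counted as fixed
        return False
    if major >= 7:
        return (major, minor) >= (7, 1)
    if major == 6:
        if minor in FIXED_PATCH_6X:  # 6.48.x and 6.49.x each have their own fix
            return patch >= FIXED_PATCH_6X[minor]
        return minor > max(FIXED_PATCH_6X)
    return False

def triage(device):
    """Reporting bucket for one inventory record (field names are hypothetical)."""
    fixed = has_fix(device["version"])
    if fixed is None:
        return "check-manually"
    if fixed:
        return "fixed-release"
    # Below a fixed release: the thread does not say when the vulnerable code
    # was introduced, so this is reported rather than assumed unaffected.
    if device["scep_server"] and device["http_reachable"]:
        return "unfixed-preconditions-met"
    return "unfixed-preconditions-not-met"

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "edge-1", "version": "6.47.9", "scep_server": True, "http_reachable": True},
    {"name": "edge-2", "version": "6.49", "scep_server": False, "http_reachable": True},
    {"name": "core-1", "version": "6.48.6", "scep_server": True, "http_reachable": True},
    {"name": "lab-1", "version": "7.1rc4", "scep_server": False, "http_reachable": False},
]

def report(inventory):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, bucket in report(INVENTORY).items():
        print(f"{name}: {bucket}")
```

Note that 6.49 sorts after 6.48.6 numerically but is still below its own branch's fix (6.49.1), which is why the comparison is done per branch.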
