Any info about this ? ZDI-23-710 CVE-2023-32154

Thu May 18, 2023 7:34 pm

RADVD Out-Of-Bounds Write Remote Code Execution Vulnerability

https://www.zerodayinitiative.com/advis ... DI-23-710/
https://cve.mitre.org/cgi-bin/cvename.c ... 2023-32154

12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.

eworm · Thu May 18, 2023 7:40 pm

I guess Mikrotik has its own implementation and is not effected.

jcortega · Thu May 18, 2023 7:46 pm

I guess Mikrotik has its own implementation and is not effected.

It’s an specific RouterOS vulnerability

r00t · Thu May 18, 2023 8:04 pm

This one seems particularly bad vulnerability, especially if it's in the router advertisement/neighbor discovery as described, as these are active by default and left enabled by most users:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Router Advertisement Daemon. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Larsa · Thu May 18, 2023 8:52 pm

RADVD Out-Of-Bounds Write Remote Code Execution Vulnerability

Is this a joke?

There is is no technical analysis, no info if it concerns RoS v6 or V7, and lastly CVE-2023-32154 does not even appear to be registered with NIST...

Thu May 18, 2023 9:03 pm

i think details are not revealed until a fix is released/confirmed, to prevent mass exploitation

https://en.wikipedia.org/wiki/Coordinat ... disclosure

eworm · Thu May 18, 2023 9:04 pm

I guess Mikrotik has its own implementation and is not effected.

Oh, my fault...

I just read "radvd" and did not follow the links.

Well, we will see... Let's hope we will have results in the coming days.

Larsa · Thu May 18, 2023 10:01 pm

Well, then it’s either a leak at NIST (cve) or a fake.

Fri May 19, 2023 2:15 pm

Blog entry following soon, together with RouterOS upgrade in all channels. Upgrade needed if using IPv6 advertisement settings.

rextended · Fri May 19, 2023 2:19 pm

So, for be clear, if is

/ipv6 settings
set accept-router-advertisements=no

no worry...?

Fri May 19, 2023 2:20 pm

ONLY affected if:

ipv6/settings/ set accept-router-advertisemnets=yes

or

ipv6/settings/set forward=no accept-router-advertisemnets=yes-if-forwarding-disabled

rextended · Fri May 19, 2023 2:22 pm

Well, I have already configured all devices with this setting (set accept-router-advertisements=no) from the beginning

Fri May 19, 2023 2:24 pm

Yes, it is certainly not normal to have it on. Somebody coud have it on by mistake, or in very specific scenarios.

rextended · Fri May 19, 2023 2:25 pm

If I do not remember bad the default on both v6 and v7 is accept-router-advertisements=yes-if-forwarding-disabled and forward=yes

Blog entry following soon, together with RouterOS upgrade in all channels. Upgrade needed if using IPv6 advertisement settings.

Sorry, is also included 6.48.6 (long-term) and 6.49.7 (stable), over the 7.9 (stable) / 7.10beta5 (development)?
Thanks.

Fri May 19, 2023 2:28 pm

RouterOS 7.10beta7, 7.9.1, 6.49.8 coming soon

rextended · Fri May 19, 2023 2:30 pm

No hope on 6.48.7?

pe1chl · Fri May 19, 2023 5:58 pm

Blog entry following soon

Blog? I did not know it still existed...

spippan · Sat May 20, 2023 6:29 pm

Blog entry following soon
Blog? I did not know it still existed...

blog = new help docs?

Sat May 20, 2023 6:38 pm

Is it correct this is already known for over 6 months ?

pe1chl · Sat May 20, 2023 9:01 pm

blog = new help docs?

No, blog = https://blog.mikrotik.com/
But nothing has been posted there for nearly two years...

Sun May 21, 2023 4:48 am

AFAIK this is not being exploited in the wild, so we have to be patient

Buckeye · Sun May 21, 2023 6:29 am

If I do not remember bad the default on both v6 and v7 is accept-router-advertisements=yes-if-forwarding-disabled and forward=yes

It seems that rextended has good memory, and so by default (at least on 7.8 ) you should not be vulnerable (based on @normis post) because forward=yes

Here is RB760iGS with 7.8

[demo@RB760iGS-1] > ipv6/settings/export
# may/20/2023 23:22:09 by RouterOS 7.8
# software id = ****-****
#
# model = RB760iGS
# serial number = ************
[demo@RB760iGS-1] > ipv6/settings/export verbose
# may/20/2023 23:22:14 by RouterOS 7.8
# software id = ****-****
#
# model = RB760iGS
# serial number = ************
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=4096
[demo@RB760iGS-1] >

But this isn't a good sign, it apparently fell through the cracks at MikroTik for 6 months? (from https://www.zerodayinitiative.com/advis ... DI-23-710/)
ADDITIONAL DETAILS
12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.
05/09/23 – ZDI asked for an update.

gabacho4 · Sun May 21, 2023 9:17 am

Don't forget how the vendor then asked for the vulnerability info to be resent. So the intial notification was either not truly received or someone at Mikrotik missed it, saw it and forgot, or they just hit delete. I really like Mikrotik but this chain of events concerns me. And while a fix has been promised, how long before they'll release it? This is a 0-day exploit and we're already 6 months behind.

Buckeye · Sun May 21, 2023 9:55 am

Hopefully, this is a wakeup call that MikroTik needs to have a relationship with the vulnerability testings organizations, so things like this don't end up in junk mail.

I am sure when they received the "final" notice, it was something like this xkcd students cartoon, but it didn't have as happy an ending.

spippan · Sun May 21, 2023 12:52 pm

blog = new help docs?
No, blog = https://blog.mikrotik.com/
But nothing has been posted there for nearly two years...

thanks. totally forgot about that one

anyway, hoping there will be a fix out soon
for those not using ipv6 the temp. fix/workaround should mitigate the problem a bit at least.

r00t · Mon May 22, 2023 1:40 am

So only way to get some action response out of Mikrotik is to threaten to release it as zero day after 6 months?
Does Mikrotik really wants to be in "that" group of companies?

Mon May 22, 2023 9:23 am

MikroTik received first communication about this a few days ago, despite what the "researchers" say. Blog and fix will follow today.
Our mailserver logs have nothing pertaining to this mater up to May 10, 2023. At this date our support team member asked for more info, received a PoC ZIP file and we started to work on this issue.

Mon May 22, 2023 9:26 am

Then it might be beneficial you communicate as such.
As it is presented now, it looks like you have been sitting on it for 6 months.

Ofcourse I understand the fix needs to be out first. No need to ruffle the feathers earlier.

Buckeye · Mon May 22, 2023 10:06 am

I just searched for MikroTik security disclosure and did find this page.

Responsible disclosure of discovered vulnerabilities

And it has been there at least since 3-Dec-2022. You can verify this on the wayback machine

https://web.archive.org/web/20221203224140/https://mikrotik.com/supportsec

So it should have been easily found by ZDI (Trend Micro) who claimed to be the one that notified "the vendor". The "researchers" evidently reported to ZDI, and ZDI then uses the info (and claims to notify the vendor, but that is being called into question by normis).

So if no mail was ever received that is unfortunate for MikroTik.

After the problems have been addressed, someone should do a postmortem to determine why the "notification" didn't work.

It's possible that Trend Micro (aka ZDI) didn't really "make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw" as they claim they do here:https://www.zerodayinitiative.com/about/

Mon May 22, 2023 10:09 am

They sent a screenshot of an email, but it is not clear wheather it was actually sent out, or if they did not get "mail delivery failure" in return. Things happen, internet outages happen. It would have been nice, if they would ask "hey, did you get this", when nobody responded. Anyway. Fix is out today in a few hours. As far as we know, issue has not been exploited and default config is not vulnerable.

rextended · Mon May 22, 2023 10:13 am

[…] default config is not vulnerable […]

It is a very particular configuration, which rarely finds application in any user-side RouterBOARD,
and since the vulnerability to be exploited requires that the peripheral is directly connected, it is quite difficult, if not very rare,
that devices configured in such a particular way are attacked.

In a nutshell: The bug is there, it's serious, but it's useless.

I discovered that with the car you can run over pedestrians, but they haven't fixed this bug yet...

Buckeye · Mon May 22, 2023 10:18 am

This is interesting: https://nakedsecurity.sophos.com/2022/12/12/pwn2own-toronto-54-hacks-63-new-bugs-1-million-in-bounties/

Excerpt:

The devices put forward by their vendors, and the prize money offered for successful hacks, looked like this:

---snip---
HACK A SOHO ROUTER.. AND WIN:
TPLink AX1800 $20,000 ($5000 if via LAN)
NETGEAR RAX30 $20,000 ($5000 if via LAN)
Synology RT6600ax $20,000 ($5000 if via LAN)
Cisco C921-4P $30,000 ($15,000 if via LAN)
Microtik RB2011 $30,000 ($15,000 if via LAN)
Ubiquiti EdgeRouter $30,000 ($15,000 if via LAN)
---snip---

This is a good sign, that MikroTik is willing to put up a bug bounty to have people try to break it. And it shows that MikroTik is more confident in their security than TPLink, NETGEAR and Synology are (based on rewards offered, especially look at the "LAN" side bounties, compared to the "consumer" brands).

So, the question is, what does "12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto." mean? Was a MikroTik representaive there? The point being, there may not have been any email to MikroTik.

Buckeye · Mon May 22, 2023 10:38 am

They sent a screenshot of an email, but it is not clear whether it was actually sent out, or if they did not get "mail delivery failure" in return.

I agree, a screen shot isn't too hard to create "after the fact" either.

I also agree that a single mail doesn't qualify as "every effort".

And I agree with rextended's assessment.

Mon May 22, 2023 10:39 am

Sorry but this is also false, MikroTik was not directly involved in this event or prize.
Edit: that is about the PwnToronto event.

Mon May 22, 2023 10:42 am

It is possible the event organizer confused MikroTik with some other company or maybe a local reseller, this is why the info never reached us. MikroTik is based in Latvia (EU), we do not attend such events so far away.

Buckeye · Mon May 22, 2023 10:44 am

Sorry but this is also false, MikroTik was not directly involved in this event or prize.
Edit: that is about the PwnToronto event.

Yes, making any assumptions of validity of what you read/see on the internet is a dangerous activity. But it is one reason I like to include the source I am quoting.

gabacho4 · Mon May 22, 2023 10:45 am

Appreciate Normis's candor on this matter and definitely look forward to the update addressing it. As I said before, I'm a huge fan of Mikrotik devices and want to be able to keep singing their praise to friends and coworkers. Seems there is more to the story than reported initially. I'm more than willing to give Mikrotik the benefit of the doubt. Thanks for the seemingly very serious approach being taken!

rextended · Mon May 22, 2023 10:46 am

This is a good sign, that MikroTik is willing to put up a bug bounty to have people try to break it.

No, for me it is a sign that since it is more widespread than tplink & co., and has objectively become harder to hack, the reward could only be higher...
These events are then financed by selling the vulnerabilities on the darknet?,
so it is obvious that they mysteriously do not communicate the vulnerabilities efficiently... If they fix them immediately, they earn less or nothing...

Mon May 22, 2023 10:53 am

We will be releasing fix in all version trees, including long-term. First to be released is most likely 7.9.1 today. Rest will follow tomorrow (as full tests need to be done with each version)

Buckeye · Mon May 22, 2023 11:05 am

These events are then financed by selling the vulnerabilities on the darknet?,
so it is obvious that they mysteriously do not communicate the vulnerabilities efficiently... If they fix them immediately, they earn less or nothing...

There have been cases of "insider trading", like this Rogue HackerOne employee steals bug reports to sell on the side

Happens with Credit card loss reporting as well. About 12 years ago, my wife couldn't find a credit card, called the official number (from my card) and reported it stollen. Then there were fraudulent charges on the card later that day. Then two days latter, she found the card at home on the desk where she had ordered something. She called back to let them know she had found the card, and that's when she found out there were fraudulent charges. They were happy she called back, because they were then able to trace other fraud to the employee that had taken the call, they would delay reporting the card stollen, and would give the card number to accomplices that knew the card would be reported as lost the next day.

rextended · Mon May 22, 2023 12:20 pm

precisely...

rextended · Mon May 22, 2023 12:23 pm

including long-term

6.48.7 (long-term)???

please, please, please, not from 6.49.7 (stable) to 6.49.8 (long-term)....

Mon May 22, 2023 12:35 pm

7.9.1 released
blog: https://blog.mikrotik.com/security/cve-2023-32154.html

pe1chl · Mon May 22, 2023 12:51 pm

The blog says "with enabled IPv6 advertisement functionality" but I think that should be read as "with enabled IPv6 advertisement receiver functionality", right?
I.e. merely having IPv6 router advertisement enabled is not a problem?

Mon May 22, 2023 12:56 pm

yes, will clarify on the post

markuspri · Mon May 22, 2023 1:55 pm

Thanks Normis. This is being handled well by Mikrotik. Appreciate the good communication.

pothi · Mon May 22, 2023 7:14 pm

I saw this thread only today. Thanks for all the efforts by the team behind MikroTik!

Znevna · Mon May 22, 2023 7:44 pm

It is possible the event organizer confused MikroTik with some other company or maybe a local reseller, this is why the info never reached us. MikroTik is based in Latvia (EU), we do not attend such events so far away.

Your over the seas rockstar - MikroTik celebrity - knows nothing about this?
That's a huge amount of money in the name of MikroTik, money that MikroTik didn't provide (?).

vecernik87 · Mon May 22, 2023 9:27 pm

@Znevna: why not? If I wanted to hack mikrotik, I am not going to do that heavy lifting all by myself. Putting up a bounty (which I may not even pay in the end) and then pretending to be from the vendor sounds like an efficient strategy.

@normis

They sent a screenshot of an email

12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.

Publicly, they did not mention they contacted you with email, but privately they sent you a screenshot of email which wouldn't be needed if they contacted your representative during the event... Interesting

I am surely looking forward to see where this ends. Your past reactions to potential CVEs were not exactly stellar but I see lots of improvement since then and in this case, ZDI's claims really does not make much sense.

If you truly made the fix in 10 days after learning about this CVE, you deserve a big applause and apology from ZDI.