normis
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Announcement regarding CVE-2023-32154

Mon May 22, 2023 12:34 pm

 
pothi
newbie
Posts: 46
Joined: Fri Sep 14, 2018 7:48 pm
Location: Srivilliputhur, Tamil Nadu, India

Re: Announcement regarding CVE-2023-32154

Mon May 22, 2023 1:27 pm

Thanks for the heads-up. Updated to 7.9.1. Awaiting other versions. I can wait, as I don't use IPv6. Where I have IPv6 enabled, I have not configured such specific settings.

The vendor may have met with someone who is a Mikrotik distributor or a trainer. Or simply a Mikrotik user who used Mikrotik on a large scale. We trust you, MikroTik!
 
krafg
Forum Guru
Posts: 1020
Joined: Sun Jun 28, 2015 7:36 pm

Re: Announcement regarding CVE-2023-32154

Mon May 22, 2023 3:06 pm

ROS6 will be patched also?

Regards.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Announcement regarding CVE-2023-32154

Mon May 22, 2023 3:10 pm

That's what the announcement indicates, yes.
Recommended course of action: You can disable IPv6 advertisements, or upgrade to RouterOS 7.10beta7, 7.9.1, 6.49.8, 6.48.7 or newer versions. Some versions are not yet released, please monitor our download page for changes.
 
JJT211
Frequent Visitor
Posts: 55
Joined: Sun Apr 28, 2019 9:01 pm

Re: Announcement regarding CVE-2023-32154

Mon May 22, 2023 4:41 pm

> ROS6 will be patched also?
>
> Regards.

Yes, it says so, but it appears it hasn't been released yet. That said, it appears it's a rarely used setting combination.

None of my routers have it set that way
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Mon May 22, 2023 4:57 pm

>> ROS6 will be patched also?
>>
>> Regards.
>
> Yes, it says so, but it appears it hasn't been released yet. That said, it appears it's a rarely used setting combination.
>
> None of my routers have it set that way

viewtopic.php?t=196303#p1003392
 
Swordforthelord
Frequent Visitor
Posts: 71
Joined: Thu Jul 08, 2010 10:18 pm

Re: Announcement regarding CVE-2023-32154

Mon May 22, 2023 6:47 pm

>> ROS6 will be patched also?
>>
>> Regards.
>
> Yes, it says so, but it appears it hasn't been released yet. That said, it appears it's a rarely used setting combination.
>
> None of my routers have it set that way

It's still a good idea to check; a couple of my routers that I upgraded from v6 to v7 did end up with Accept Router Advertisements set to Yes, which is not the default (a few other non-default settings were also in place post-upgrade).
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Tue May 23, 2023 2:31 am

Look, I guarantee you that if you don't put it there on purpose, or it wasn't already there before,
there is no update or installation that triggers the problem.
It must be done on purpose...
 
normis
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Announcement regarding CVE-2023-32154

Tue May 23, 2023 1:57 pm

Update, fixes released in ALL channels. Please upgrade.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: Announcement regarding CVE-2023-32154

Tue May 23, 2023 2:21 pm

I know I have complained in the past about how security updates have been announced. In this case it has been flawless. Many thanks for this!
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Announcement regarding CVE-2023-32154

Tue May 23, 2023 3:04 pm

Can we use that RCE to obtain root access to the router? For research purposes :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Announcement regarding CVE-2023-32154

Tue May 23, 2023 4:58 pm

You crack me up........... A positive thinker. Look at everything as an opportunity!
Let us know what you find ;-)
 
uCZBpmK6pwoZg7LR
Frequent Visitor
Posts: 54
Joined: Mon Jun 15, 2015 12:23 pm

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:18 pm

It is an extreme shame not to fix a critical vuln for almost half a year. So it means that somebody could root your device for a relatively small amount of money.
Last edited by uCZBpmK6pwoZg7LR on Wed May 24, 2023 1:19 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:19 pm

> It is an extreme shame not to fix a critical vuln for almost half a year.

And it's even more shameful that you write bullshit without knowing what you're writing.

On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which is assigned the ID CVE-2023-32154.
The report stated, that vendor (MikroTik) was contacted in December, but we did not find record of such communication.
The original report also says, that vendor was informed in person in an event in Toronto, where MikroTik was not present in any capacity.
Last edited by rextended on Wed May 24, 2023 1:20 pm, edited 2 times in total.
 
uCZBpmK6pwoZg7LR
Frequent Visitor
Posts: 54
Joined: Mon Jun 15, 2015 12:23 pm

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:20 pm


> And it's even more shameful that you write bullshit without knowing what you're writing.

Tell me more or I can say the same about you. OK, this is just Mikrotik's words against somebody else's words. Basically it means that somebody who was entitled as a Mikrotik representative, maybe falsely entitled, was aware of the issue for half a year.
Last edited by uCZBpmK6pwoZg7LR on Wed May 24, 2023 1:24 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:21 pm

> Tell me more.

Added quoted text.
Nobody reported the bug to MikroTik before May 10th.
(and by the way it's a useless bug)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:31 pm

Since both were not present and we cannot know the truth,
given the uselessness and low danger of the bug,
given the extreme ease with which it was resolved,
I believe much more in MikroTik than in any other person,
(who maybe didn't intentionally communicate the bug immediately to resell it on the dark web).
 
uCZBpmK6pwoZg7LR
Frequent Visitor
Posts: 54
Joined: Mon Jun 15, 2015 12:23 pm

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:38 pm

> Added quoted text.
> Nobody reported the bug to MikroTik before May 10th.
> (and by the way it's a useless bug)

As I said before, most probably somebody under a false flag (if we are to believe Mktik) entitled themselves as a Mikrotik person, took part in pwn2own and got details about the attack.
Well done. It means that the issue was on the black market for half a year. And yes, it is still a shame that somebody can take part in such events representing themselves as the official vendor. Let's stop with this; we will never find the truth.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 1:55 pm

Source: https://www.zerodayinitiative.com/advis ... DI-23-710/
ADDITIONAL DETAILS
12/09/22 – ZDI reported the vulnerability to the vendor during Pwn2Own Toronto.
05/09/23 – ZDI asked for an update.
05/10/23 – The ZDI re-disclosed the report at the vendor’s request.
05/10/23 – The ZDI informed the vendor that the case will be published as a zero-day advisory on 05/17/23.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

DISCLOSURE TIMELINE
2022-12-29 - Vulnerability reported to vendor
2023-05-17 - Coordinated public release of advisory
This is the page they could have used: https://mikrotik.com/supportsec Then, if they used the support e-mail, there would have been a ticket number returned. So most likely they used the proper e-mail address here but failed to inform after two days if there is an acknowledgement of the issue.

I strongly suggest that Mikrotik send a receipt e-mail saying that the e-mail was received and then also always respond back with their findings. This way you can't get a "black hole" like now seems to have happened.

I also suggest to add the link to the "supportsec" page on the "about" page:

Company Name SIA Mikrotīkls
Sales e-mail sales@mikrotik.com
Technical Support e-mail support@mikrotik.com
Responsible disclosure https://mikrotik.com/supportsec
Phone (International) +371-6-7317700
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 3:46 pm

> Let's stop with this; we will never find the truth.

+1
 
buset1974
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 6:42 pm

is there any way to block the issue using firewall?
maybe it's useful for someone that still cannot upgrade their router for some reason.

thx
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 7:10 pm

1) The attacker must be directly connected to the router (no remote exploit)
2) To use the hack you must needlessly change the config in the IPv6 settings to an unexpected config...

Paste this on the router; these are the defaults on all versions, if you have not changed them for no reason:

DEFAULT SECURE SETTINGS code

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled forward=yes
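
An added example, not part of the original posts or MikroTik's tooling: a Python check that reads a RouterOS `/export` and reports whether the router both accepts router advertisements and runs a release older than the fixed versions named in this thread. It assumes that `yes-if-forwarding-disabled` only takes effect when `forward=no`, that the export header carries `by RouterOS <version>`, and that settings absent from the export are at the defaults posted above; the function names and the sample export are constructed for illustration.

```python
import re

# Fixed releases named in the thread, one per release branch.
FIXED = ["6.48.7", "6.49.8", "7.9.1", "7.10beta7"]
# /ipv6 settings defaults as posted in the thread.
DEFAULTS = {"accept-router-advertisements": "yes-if-forwarding-disabled", "forward": "yes"}
STAGE = {"beta": 0, "rc": 1, None: 2}  # beta < rc < final release

def parse_version(text):
    """Turn '7.10beta7' into a sortable tuple (major, minor, patch, stage, stage number)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(n or 0))

def is_patched(version):
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED]
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:  # e.g. 7.10beta6 is compared with 7.10beta7, not with 7.9.1
        return v >= same_branch[0]
    # No fix listed for this branch: patched only if it follows a fixed branch of the same major.
    return any(f[0] == v[0] and f[:2] < v[:2] for f in fixed)

def ipv6_settings(export_text):
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join backslash-continued lines
    settings = dict(DEFAULTS)
    m = re.search(r"^/ipv6 settings\s*\nset (.+)$", text, re.M)
    if m:
        settings.update(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
    return settings

def accepts_router_advertisements(settings):
    ra = settings["accept-router-advertisements"]
    return ra == "yes" or (ra == "yes-if-forwarding-disabled" and settings["forward"] == "no")

def assess(export_text):
    version = re.search(r"by RouterOS (\S+)", export_text).group(1)
    ra = accepts_router_advertisements(ipv6_settings(export_text))
    patched = is_patched(version)
    return {"version": version, "patched": patched, "accepts_ra": ra, "exposed": ra and not patched}

# Constructed sample export (not from the thread): RA acceptance forced on, unpatched release.
SAMPLE = """# may/24/2023 19:10:00 by RouterOS 7.8
/ipv6 settings
set accept-router-advertisements=yes
"""
if __name__ == "__main__":
    print(assess(SAMPLE))
```

A result with `exposed` set to `True` means the router needs either the upgrade or the default `/ipv6 settings` restored.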
 
t0mm13b
just joined
Posts: 17
Joined: Sat Mar 04, 2023 5:11 pm

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 8:40 pm

> 1) The attacker must be directly connected to the router (no remote exploit)
> 2) To use the hack you must needlessly change the config in the IPv6 settings to an unexpected config...
>
> Paste this on the router; these are the defaults on all versions, if you have not changed them for no reason:
>
> DEFAULT SECURE SETTINGS code
>
> /ipv6 settings
> set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled forward=yes

This is dependent on the primary setting as shown, I don't use IPv6, have both of the attribute for the flags set to no.
2023-05-24_18-36.png
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Announcement regarding CVE-2023-32154

Wed May 24, 2023 9:05 pm

That screenshot is from v7; on v6 the IPv6 system package is usually disabled and must be enabled to be used, and v6 does not have "disable IPv6" in the IPv6 settings.
