MikroTik blog – CVE-2023-32154
22nd May, 2023 | Security
On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which is assigned the ID CVE-2023-32154. The report stated that the vendor (MikroTik) was contacted in December, but we did not find a record of such communication. The original report also says that the vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.
What this issue affects: The issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with IPv6 advertisement receiver functionality enabled. You are only affected if one of the settings below is applied:
ipv6/settings/set accept-router-advertisements=yes
or
ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled
If the above settings are not set up as in the example, you are not affected. Note that the vulnerable setting combination is not normally found in routers and is rarely used.
What this issue can cause: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of MikroTik RouterOS. Authentication is not required to exploit this vulnerability.
Recommended course of action: You can disable IPv6 advertisements, or upgrade to RouterOS 7.10beta7, 7.9.1, 6.49.8, 6.48.7 or newer versions. Some versions are not yet released, please monitor our download page for changes.
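To find which devices in a fleet match the two affected setting combinations listed above, the following added example (not MikroTik's code) checks saved `ipv6/settings` print output or configuration exports. The default values, the `/ipv6 settings` export section name, the function names and the sample inputs are assumptions made for the example.

```python
import re

# Assumed RouterOS defaults for keys absent from the input (not stated in the advisory).
DEFAULTS = {"forward": "yes", "accept-router-advertisements": "yes-if-forwarding-disabled"}

def parse_ipv6_settings(text):
    """Read print-style output (key: value) or an export (/ipv6 settings + set ...)."""
    settings, section = dict(DEFAULTS), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            section = line                      # export section header
        elif section == "/ipv6 settings" and line.startswith("set "):
            settings.update(re.findall(r"([\w-]+)=(\S+)", line))
        elif section is None and (m := re.fullmatch(r"([\w-]+):\s*(\S+)", line)):
            settings[m.group(1)] = m.group(2)   # print-style output
    return settings

def accepts_router_advertisements(settings):
    """True when the device matches one of the two affected combinations in the advisory."""
    ra = settings["accept-router-advertisements"]
    return ra == "yes" or (ra == "yes-if-forwarding-disabled" and settings["forward"] == "no")

def audit(fleet):
    """Return the names of devices whose settings match the affected combinations."""
    return sorted(name for name, text in fleet.items()
                  if accepts_router_advertisements(parse_ipv6_settings(text)))

# Constructed sample inputs, one per device (not real device output).
SAMPLES = {
    "router-a": "/ipv6 settings\nset accept-router-advertisements=yes\n",
    "router-b": "forward: no\naccept-router-advertisements: yes-if-forwarding-disabled\n",
    "router-c": "/ip settings\nset tcp-syncookies=yes\n"
                "/ipv6 settings\nset forward=no accept-router-advertisements=no\n",
    "router-d": "",  # nothing overridden, so the assumed defaults apply
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: accepts IPv6 router advertisements, disable them or upgrade")
```

A device flagged here still needs its RouterOS version compared against the fixed releases named above; this check covers the settings only.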