Mikrotik routers vulnerable to code execution via IPV6 RA processing

Mikrotik Router Vulnerability Allows Code Removal and Execution

A critical vulnerability has been discovered in the operating system RouterOS used in Mikrotik routes, which enables a non-asset user to remove code on the device by sending a specially designed announcement of the IPV6 router. The vulnerability was revealed in a report by the Zero Day Initiative, which caused concern over the absence of proper verification of the data received from the outside in the process responsible for the processing of requests IPV6 Ra (Router Advertisement).

The flaw allows one to achieve data abroad the allocated buffer and organize the execution of code with Root privileges. The vulnerability can be exploited in Mikrotik RouterOS V6.xx and V7.xx branches, when IPV6 RA (IPV6/settings/set AcCept-ROTERTIVERTISEMENTS or IPV6/Settings/Set Forward = NO ACC in the settings. EPT-ROUTER -ADVERTISENTS = Yes-IF-FORWARDING-DISBLED “). PWN2WN competitions in Toronto demonstrated the possibility of exploiting the vulnerability. Researchers received a reward of $100,000 for multistage hacking infrastructure with an attack on the Mikrotik router and using it as a bridgehead for attacking other components of the local network.

The manufacturer was notified of the vulnerability on December 29, 2022, by the Zero Day Initiative project. Their representatives claimed that they did not receive notifications and learned about the problem only on May 10, after sending the final warning about the disclosure of information. As reported in the blog, information about the essence of the problem was transmitted to the representative of Mikrotik in person during the PWN2WN competition in Toronto, but at the request of Mikrotik, the company’s employees did not participate in the event in any capacity. However, Mikrotik has now published updates (RouterOS 7.9.1, 6.49.8, 6.48.7, and 7.10beta8) to eliminate the vulnerability.

/Reports, release notes, official announcements.