Vulnerability in MikroTik routers leading to code execution when processing IPv6 RA

A critical vulnerability (CVE-2023-32154) has been identified in the RouterOS operating system used in MikroTik routers. It allows an unauthenticated user to remotely execute code on a device by sending a specially crafted IPv6 Router Advertisement (RA) message.

The problem is caused by insufficient validation of externally supplied data in the process responsible for handling IPv6 RA (Router Advertisement) messages, which makes it possible to write data beyond the bounds of the allocated buffer and, from there, achieve execution of arbitrary code with root privileges. The vulnerability affects the MikroTik RouterOS v6.xx and v7.xx branches when acceptance of IPv6 RA messages is enabled in the settings ("ipv6/settings/set accept-router-advertisements=yes" or "ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled").
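The root cause above is a missing bounds check while processing RA data. As an added illustration (not MikroTik's code; the exact RouterOS defect is not described on this page), here is a defensive parser for the ICMPv6 Router Advertisement option list that validates every length field before touching the data, the kind of check whose absence produces an out-of-bounds write; the sample messages are constructed inline.

```python
import struct

RA_HEADER_LEN = 16      # ICMPv6 header (4) + hop limit/flags/lifetime (4) + reachable (4) + retrans (4)
ND_OPT_PREFIX_INFO = 3  # RFC 4861 Prefix Information option, always 4 units = 32 bytes


def parse_ra_options(msg: bytes) -> list:
    """Return [(option_type, option_body), ...] or raise ValueError on any malformed length."""
    if len(msg) < RA_HEADER_LEN:
        raise ValueError("RA shorter than fixed header")
    if msg[0] != 134 or msg[1] != 0:                      # ICMPv6 type 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    options, off = [], RA_HEADER_LEN
    while off < len(msg):
        if len(msg) - off < 2:
            raise ValueError("option header truncated")
        opt_type, opt_len = msg[off], msg[off + 1] * 8    # length field is in 8-byte units
        if opt_len == 0:                                  # RFC 4861 4.6: zero length is invalid
            raise ValueError("zero-length option")
        if off + opt_len > len(msg):                      # bounds check before any copy/use
            raise ValueError("option length exceeds message")
        body = msg[off + 2:off + opt_len]
        if opt_type == ND_OPT_PREFIX_INFO:
            if opt_len != 32:
                raise ValueError("prefix option has wrong length")
            if body[0] > 128:                             # prefix length field
                raise ValueError("prefix length > 128")
        options.append((opt_type, body))
        off += opt_len
    return options


def is_valid_ra(msg: bytes) -> bool:
    """True when the RA and every option pass validation, False otherwise."""
    try:
        parse_ra_options(msg)
        return True
    except ValueError:
        return False


def build_ra(options: bytes) -> bytes:
    """Constructed RA header (hop limit 64, router lifetime 1800 s, checksum left 0) plus raw options."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + options


# Constructed sample options: source link-layer address (type 1, 1 unit) and a
# Prefix Information option (type 3, 4 units) advertising 2001:db8::/64.
SLLA_OPT = bytes([1, 1]) + bytes.fromhex("021122334455")
PREFIX_OPT = (struct.pack("!BBBB", 3, 4, 64, 0xC0) + struct.pack("!III", 86400, 14400, 0)
              + bytes.fromhex("20010db8000000000000000000000000"))
GOOD_RA = build_ra(SLLA_OPT + PREFIX_OPT)
BAD_RA = build_ra(bytes([1, 8]) + bytes.fromhex("021122334455"))  # claims 64 bytes, carries 8
```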

The practical exploitability of the vulnerability was demonstrated at the Pwn2Own competition in Toronto, where the researchers who identified the problem received a $100,000 reward for a multi-stage compromise of the infrastructure: an attack on the MikroTik router, which was then used as a springboard to attack other components of the local network (the attackers went on to take control of a Canon printer, for which a vulnerability was also disclosed).

Information about the vulnerability was originally published before the vendor had produced a fix (as a 0-day), but updates to RouterOS 7.9.1, 6.49.8, 6.48.7 and 7.10beta8 have since been released with the vulnerability fixed. According to the ZDI (Zero Day Initiative) project, which runs the Pwn2Own competition, the manufacturer was notified of the vulnerability on December 29, 2022. MikroTik representatives claim that they never received that notification and learned about the problem only on May 10, after the final pre-disclosure warning was sent. In addition, the vulnerability report states that details of the problem were handed to a MikroTik representative in person during the Pwn2Own competition in Toronto, but according to MikroTik, no company employees took part in the event in any capacity.

Source: opennet.ru