Vulnerability in MikroTik routers leading to code execution when processing IPv6 RA

A critical vulnerability (CVE-2023-32154) has been identified in the RouterOS operating system used in MikroTik routers. It allows an unauthenticated user to remotely execute code on the device by sending a specially crafted IPv6 router advertisement (RA, Router Advertisement).

The problem is caused by a lack of proper validation of externally supplied data in the handler responsible for processing IPv6 RA (Router Advertisement) messages, which makes it possible to write data beyond the bounds of the allocated buffer and arrange execution of attacker-supplied code with root privileges. The vulnerability is present in the MikroTik RouterOS v6.xx and v7.xx branches when processing of IPv6 RA messages is enabled in the IPv6 settings ("ipv6/settings/ set accept-router-advertisements=yes" or "ipv6/settings/ set forward=no accept-router-advertisements=yes-if-forwarding-disabled").

The practical exploitability of the vulnerability was demonstrated at the Pwn2Own Toronto competition, where the researchers who identified the problem received a $100,000 reward for a multi-stage compromise of infrastructure that involved attacking a MikroTik router and using it as a foothold for attacking other components of the local network (the attackers then gained control of a Canon printer; information about the vulnerability in the printer was also disclosed).

Information about the vulnerability was initially published before the vendor released a patch (0-day), but the RouterOS 7.9.1, 6.49.8, 6.48.7 and 7.10beta8 updates fixing the vulnerability have since been published. According to information received from the ZDI (Zero Day Initiative) project, which organises the Pwn2Own competition, the vendor was notified of the vulnerability on December 29, 2022. MikroTik representatives claim that they did not receive a notification and learned of the problem on May 10, after the final disclosure warning was sent. In addition, the vulnerability report states that information about the nature of the problem was communicated to a MikroTik representative in person during the Pwn2Own Toronto competition, but according to MikroTik, no MikroTik staff took part in the event in any capacity.
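The two facts a defender needs from this report are the enabling configuration (the two `accept-router-advertisements` conditions above) and the fixed releases. The following added script, which is not code from the article or from MikroTik, combines them into an exposure check: it parses version strings such as `7.10beta8` and output in the style of `/ipv6 settings print`, and treats a branch newer than every listed fix in the same major line as carrying the fix (my reading of the article's version list, not a statement from the vendor). The settings sample is constructed, not captured from a device.

```python
import re

# Fix releases named in the article, keyed by (major, minor) branch.
FIXED = {(7, 9): "7.9.1", (7, 10): "7.10beta8", (6, 49): "6.49.8", (6, 48): "6.48.7"}
STAGE_RANK = {"beta": 0, "rc": 1}  # pre-releases sort before the final release (rank 2)

def parse_version(s):
    """'7.10beta8' -> (7, 10, 0, 0, 8); '7.9.1' -> (7, 9, 1, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {s!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch, STAGE_RANK.get(m.group(4), 2), int(m.group(5) or 0))

def is_patched(version):
    """True if the version is at or above the listed fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= parse_version(FIXED[branch])
    same_major = [b for b in FIXED if b[0] == v[0]]
    # Assumption: a branch newer than every listed fix in its major line carries the fix;
    # an older branch with no listed fix (e.g. 7.8.x) does not.
    return bool(same_major) and branch > max(same_major)

def ra_processing_enabled(settings_text):
    """Apply the article's two enabling conditions to '/ipv6 settings print' style output."""
    kv = dict(re.findall(r"^\s*([\w-]+):\s*(\S+)", settings_text, re.M))
    accept = kv.get("accept-router-advertisements", "no")
    forward = kv.get("forward", "yes")
    return accept == "yes" or (accept == "yes-if-forwarding-disabled" and forward == "no")

def exposed(version, settings_text):
    """Unpatched build with RA processing enabled: the combination the article describes."""
    return not is_patched(version) and ra_processing_enabled(settings_text)

# Constructed sample in the style of '/ipv6 settings print' (not from a real device).
SAMPLE_SETTINGS = """\
                     forward: no
            accept-redirects: yes-if-forwarding-disabled
accept-router-advertisements: yes-if-forwarding-disabled
        max-neighbor-entries: 8192
"""

if __name__ == "__main__":
    for ver in ("6.49.7", "6.49.8", "7.8.3", "7.10beta7", "7.10"):
        print(ver, "exposed" if exposed(ver, SAMPLE_SETTINGS) else "not exposed")
```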

Source: opennet.ru
