CVE-2023-32154: A MikroTik IPv6 Vulnerability

Last month saw the discovery of CVE-2023-32154, a vulnerability affecting MikroTik RouterOS devices. This article looks into the specifics of this vulnerability, its implications for MikroTik users, and the steps that can be taken to mitigate potential risks.

Discovery and Communication

On May 10th, 2023, MikroTik was alerted to a vulnerability within RouterOS, tagged with the identifier CVE-2023-32154. Despite reports that attempts were made to notify the vendor as early as December, MikroTik has clarified that there was no record of such communication. Moreover, the claims of in-person notification at an event in Toronto were refuted by MikroTik, stating they had no representation at the said event. This discrepancy in communication highlights the challenges sometimes faced in the cybersecurity field regarding vulnerability reporting and vendor notification.

Affected Systems

CVE-2023-32154 impacts MikroTik RouterOS versions v6.xx and v7.xx, specifically devices with the IPv6 advertisement receiver functionality enabled. The vulnerability is conditional upon the device being configured with one of the following settings:

  • ipv6/settings/ set accept-router-advertisements=yes
  • ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

It is important to note that the affected configuration is not commonly used in most routers, indicating that the vulnerability may not be widespread. However, for those devices configured as described, the risk is significant.

The Vulnerability and Its Risks

The core of CVE-2023-32154 lies in its ability to allow network-adjacent attackers to execute arbitrary code on the compromised RouterOS installations without requiring authentication. This capability opens the door to a range of malicious activities, from data theft and network disruption to the establishment of a foothold within the network for further exploitation. Given the potential severity of these actions, understanding and addressing this vulnerability is crucial for maintaining network integrity and security.

Mitigation and Protective Measures

In response to the discovery of CVE-2023-32154, MikroTik has already released updates that address this vulnerability. Users of affected RouterOS versions are strongly advised to take one of the following actions:

  • Disable IPv6 Advertisements: For those who do not require IPv6 advertisement functionality, disabling this feature can immediately mitigate the vulnerability.
  • Upgrade RouterOS: MikroTik has made patches available in the following versions: 7.9.1, 6.49.8, 6.48.7, and 7.10beta8, along with newer versions that follow. Upgrading to these versions is recommended to secure devices against CVE-2023-32154.

Conclusion

The discovery of CVE-2023-32154 serves as a reminder of the ever-present risks in the realm of network security and the importance of maintaining up-to-date systems. MikroTik's prompt response and release of patched versions demonstrate their commitment to addressing security vulnerabilities. For administrators and users of MikroTik RouterOS, taking proactive steps to assess their devices and apply necessary updates is essential. As the digital landscape continues to grow, so does the complexity of maintaining secure networks. Staying informed and responsive to new vulnerabilities is key to safeguarding against potential threats.

Was this page helpful?