this post was submitted on 13 Jul 2023
2 points (100.0% liked)

Mikrotik

A community-contributed sublemmy for all things Mikrotik. General ISP and network discussion also permitted. Please ensure if you're asking a question you have checked the Wiki First: https://help.mikrotik.com

On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which has been assigned the ID CVE-2023-32154. The report stated that the vendor (MikroTik) was contacted in December, but we did not find a record of such communication. The original report also says that the vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.

What this issue affects: The issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with the IPv6 router advertisement receiver enabled. You are only affected if one of the settings below is applied:

/ipv6/settings/set accept-router-advertisements=yes

or

/ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

If your settings do not match either of the examples above, you are not affected. Note that the vulnerable setting combination is not normally found on routers and is rarely used.

What this issue can cause: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability.

Recommended course of action: You can stop accepting IPv6 router advertisements (accept-router-advertisements=no), or upgrade to RouterOS 7.9.1, 6.49.8, 6.48.7 or 7.10beta8 (all already released), and of course to newer versions afterwards.
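The two affected setting combinations and the list of fixed releases above can be checked offline against a router's configuration dump. The following is an added example, not MikroTik's code and not part of the original post: it parses text in the layout that `/ipv6/settings/print` produces, applies the advisory's two affected combinations, and compares a version string (as shown in the `version:` line of `/system/resource/print`) against the fixed releases the advisory names. The sample settings dumps are constructed; the values assumed when a field is missing from the dump (forward=yes, accept-router-advertisements=yes-if-forwarding-disabled) are an assumption about RouterOS defaults, and pre-release builds are only distinguished by their beta/rc number.

```python
"""Offline check for the CVE-2023-32154 preconditions (added example, not MikroTik code)."""
import re

# Constructed sample of `/ipv6/settings/print` output: the first affected combination.
SAMPLE_AFFECTED = """\
                          forward: yes
                accept-redirects: yes-if-forwarding-disabled
    accept-router-advertisements: yes
            max-neighbor-entries: 8192
"""

# Constructed sample of the (assumed) shipped defaults: forwarding on, so
# "yes-if-forwarding-disabled" does not accept advertisements and the device is not affected.
SAMPLE_DEFAULT = """\
                          forward: yes
                accept-redirects: yes-if-forwarding-disabled
    accept-router-advertisements: yes-if-forwarding-disabled
            max-neighbor-entries: 8192
"""

# Values assumed for fields absent from a dump (assumption about RouterOS defaults).
DEFAULTS = {"forward": "yes", "accept-router-advertisements": "yes-if-forwarding-disabled"}


def parse_settings(text: str) -> dict:
    """Turn the right-aligned 'key: value' lines of a RouterOS print into a dict."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def accepts_router_advertisements(settings: dict) -> bool:
    """True if the device is in one of the two combinations the advisory calls affected."""
    ra = settings.get("accept-router-advertisements", DEFAULTS["accept-router-advertisements"])
    if ra == "yes":
        return True
    forward = settings.get("forward", DEFAULTS["forward"])
    return ra == "yes-if-forwarding-disabled" and forward == "no"


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")


def version_key(version: str):
    """Sortable tuple for a RouterOS version string, or None if it is not recognised.

    A pre-release sorts before the final release of the same number (7.10beta8 < 7.10),
    so the fourth slot is -1 for beta/rc builds and 0 for releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if tag else 0, int(tagnum or 0))


# Fixed releases exactly as listed in the advisory.
FIXED_RELEASES = [version_key(v) for v in ("7.9.1", "6.49.8", "6.48.7", "7.10beta8")]


def is_patched(version: str):
    """True/False if the version is at or above the fix for its branch; None if unknown.

    The same major.minor branch wins (6.48 long-term is fixed in 6.48.7 even though
    6.49.0 is numerically higher); otherwise a branch newer than the lowest fixed
    release of the same major (7.11) carries the fix and an older one (6.47) does not.
    """
    v = version_key(version)
    if v is None:
        return None
    same_branch = [f for f in FIXED_RELEASES if f[:2] == v[:2]]
    if same_branch:
        return v >= min(same_branch)
    same_major = [f for f in FIXED_RELEASES if f[0] == v[0]]
    if not same_major:
        return None
    return v >= min(same_major)


def assess(version: str, settings_text: str) -> str:
    """Return 'not-affected', 'fixed', 'vulnerable' or 'unknown-version'."""
    if not accepts_router_advertisements(parse_settings(settings_text)):
        return "not-affected"
    patched = is_patched(version)
    if patched is None:
        return "unknown-version"
    return "fixed" if patched else "vulnerable"


if __name__ == "__main__":
    for ver, dump in (("7.9", SAMPLE_AFFECTED), ("7.9.1", SAMPLE_AFFECTED), ("6.47.10", SAMPLE_DEFAULT)):
        print(ver, "->", assess(ver, dump))
```

A device that comes back `vulnerable` needs one of the two actions from the advisory: `/ipv6/settings/set accept-router-advertisements=no` or an upgrade to a fixed release. Note that `is_patched` only knows the four releases the advisory names, so a major version it has never seen is reported as `unknown-version` rather than guessed.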
