Potential security issues in Mikrotik RouterOS

Published: 2017-08-04 12:13:27
Severity Medium
Patch available YES
Number of vulnerabilities 1
CVE ID N/A
CVSSv3 6.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID CWE-264
Exploitation vector Network
Public exploit Not available
Vulnerable software MikroTik RouterOS
Vulnerable software versions MikroTik RouterOS 6.40
Vendor URL MikroTik

Security Advisory

1) Potential security issues

Description

Multiple issues have been fixed in Mikrotik RouterOS 6.40. Due to vendor’s policy not to report on security issues, we treat all new releases as security updates.

The list of bugfixes:

*) bonding - improved reliability on bonding interface removal;
*) chr - fixed false warnings on upgrade reboots;
*) dhcpv6-client - do not run DHCPv6 client when IPv6 package is disabled;
*) export - fixed export for different parameters where numerical range or constant string is expected;
*) firewall - properly remove "address-list" entry after timeout ends;
*) interface - improved interface state change handling when multiple interfaces are affected at the same time;
*) lte - fixed LTE not passing any traffic while in running state;
*) ovpn-client - fixed incorrect netmask usage for pushed routes (introduced in 6.40);
*) pppoe-client - fixed incorrectly formed PADT packet;
*) rb2011 - fixed possible LCD blinking along with ethernet LED (introduced in 6.40);
*) rb922 - restored missing wireless interface on some boards;
*) torch - fixed Torch on PPP tunnels (introduced in 6.40);
*) trafficgen - fixed "lost-ratio" showing incorrect statistics after multiple sequences;
*) winbox - added "none-dynamic" and "none-static" options for "address-list-timeout" parameter under NAT, Mangle and RAW rules;

Remediation

Update to version 6.40.1.

External links

https://mikrotik.com/download/changelogs/current-release-tree

Back to List