#VU10752 Memory corruption in MikroTik RouterOS
Vulnerability identifier: #VU10752
Vulnerability risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MikroTik RouterOS
Hardware solutions /
Routers & switches, VoIP, GSM, etc
Vendor: MikroTik
Description
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to boundary error error within IKE1 implementation when handling IPv6 packets. A remote attacker can send a series of specially crafted packets and trigger memory corruption.
Successful exploitation of the vulnerability may result in denial of service (DoS) attack.
Mitigation
Update your firmware to version 6.40.6 or 6.41.
Vulnerable software versions
MikroTik RouterOS: 6.40 - 6.40.5
External links
http://mikrotik.com/download/changelogs/current-release-tree
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
