CVE-2018-19298 CVE-2018-19299 IPv6 resource exhaustion

4th Apr, 2019 | Software

Summary

RouterOS contained several IPv6-related resource exhaustion issues, which have now been fixed, addressing the above-mentioned CVE entries.

The first issue caused the device to reboot if traffic to a lot of different destination addresses was routed. The reboot was caused by the watchdog timer since the device… Full story

CVE-2019-3924 Dude agent vulnerability

22nd Feb, 2019 | Security

On February 21, Tenable published a new CVE describing a vulnerability that allows a TCP/UDP request to be proxied through the router's Winbox port, if it's open to the internet. Tenable had previously contacted MikroTik about this issue, so a fix had already been released on February 11, 2019 in… Full story

CVE-2018-14847 winbox vulnerability

9th Oct, 2018 | Security

A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year. The new attack method found by Tenable Research exploits the same vulnerability, but takes it… Full story

Bugfix update 6.40.9 released

23rd Aug, 2018 | Software

We have released a new version in the RouterOS bugfixes-only channel. The bugfixes-only channel is considered the "stable" branch of RouterOS releases and is updated rarely, only when important fixes must be included. This is the most stable and most tested of the RouterOS release channels.

!) security - fixed… Full story

CVE-2018-115X issues discovered by Tenable

23rd Aug, 2018 | Security

MikroTik was contacted by Tenable Inc., who had discovered several issues in the RouterOS web server. The issues only affect authenticated users, meaning that to exploit them, there must be a known username and password on the device. Your data, access to the system and configuration are not at risk. All the… Full story

WPA2 preshared key brute force attack

9th Aug, 2018 | Security

It has come to our attention that a new brute force attack method based on the WPA2 standard, using PMKID, has come to light.

This attack is actually a brute force attack on the WPA2 preshared key. The attack is considered effective because it can be performed offline… Full story

Web service vulnerability

30th May, 2018 | Security

This post summarizes the facts around the www service vulnerability in RouterOS which was published by Wikileaks as part of the Vault 7 document release. The vulnerability affected the RouterOS webfig configuration interface, if no firewall was put in place to protect it. MikroTik fixed the vulnerability in the… Full story

CVE-2018-14847 winbox vulnerability

25th Mar, 2018 | Security

This post summarises the Winbox server vulnerability in RouterOS, discovered and fixed in RouterOS on April 23, 2018. Note that although Winbox was used as the point of attack, the vulnerability was in RouterOS. This issue was later assigned the universal identifier CVE-2018-14847. How it works: The vulnerability allowed a special… Full story