CVE-2023-47310: MikroTik RouterOS IPv6 UDP Traceroute Firewall Bypass
This blog post details a security vulnerability, CVE-2023-47310, affecting MikroTik RouterOS. A misconfiguration in the default settings allows incoming IPv6 UDP traceroute packets, potentially bypassing firewall rules. This affects RouterOS 7 versions prior to v7.14.
Vulnerability Details
- CVE ID: CVE-2023-47310
- Description: A misconfiguration in the default settings of MikroTik RouterOS 7 allows incoming IPv6 UDP traceroute packets, which can bypass firewall rules. This issue is fixed in v7.14.
- CVSS Score: 6.5 (MEDIUM)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- CVSS Explanation: This means an attacker on the network can potentially read or modify some data due to the bypassed firewall rules. The impact on availability is none. No user interaction is required to trigger this.
- Exploit Requirements: An attacker needs to be on the network (or have a path to) the vulnerable MikroTik router and send specially crafted IPv6 UDP traceroute packets.
- Affected Vendor: MikroTik
- Affected Product: RouterOS 7
- Affected Version: Versions prior to 7.14
- CWE ID: CWE-1174
- CWE Name: Improper Output Encoding for Logs
- CWE Explanation: Although the CVE doesn't directly involve logs, CWE-1174 broadly covers scenarios where improperly handled input can bypass security mechanisms. In this case, the traceroute packets are not being properly filtered by the firewall due to the misconfiguration.
Timeline of Events
- 2023: Vulnerability Introduced
- Later: Vulnerability Discovered
- Later: MikroTik Develops Patch
- 2025-06-30: CVE Published
- v7.14: Fix Released (inferred)
Exploitability & Real-World Risk
While the CVSS score is Medium, the real-world risk depends on the network configuration. If the MikroTik router is acting as a perimeter firewall, this bypass could allow malicious traffic inside the network. In internal networks, it might facilitate lateral movement. The impact could be increased if the attacker combines this bypass with other vulnerabilities.
Recommendations
- Upgrade to RouterOS v7.14 or later: This is the primary mitigation.
- Review Firewall Rules: Even after upgrading, review your firewall rules to ensure they are correctly configured and are not overly permissive.
- Monitor Network Traffic: Implement network monitoring to detect suspicious activity and traceroute attempts.
Technical Insight
The vulnerability stems from a misconfiguration in the default firewall rules. The rules are not correctly filtering incoming IPv6 UDP traceroute packets, causing them to bypass the intended security checks. The specific technical details of the misconfiguration are not publicly available, but upgrading to v7.14 addresses the issue.
Credit to Researcher(s)
The original researcher is not mentioned in the source, but the MikroTik forum post acknowledges the finding.
References
Tags
#CVE-2023-47310 #MikroTik #RouterOS #IPv6 #Firewall #Security #Vulnerability
Summary: CVE-2023-47310 details a security vulnerability in MikroTik RouterOS 7 (prior to v7.14) where a misconfiguration allows incoming IPv6 UDP traceroute packets to bypass firewall rules. This can enable unauthorized network access. Upgrading to v7.14 is crucial for mitigation.
CVE ID: CVE-2023-47310
Risk Analysis: Successful exploitation could allow an attacker to bypass firewall restrictions, potentially leading to unauthorized access to internal network resources or the ability to conduct further attacks.
Recommendation: Upgrade MikroTik RouterOS to version 7.14 or later to address the vulnerability. Review and strengthen firewall rules to prevent similar bypasses.
Timeline
- 2023: Vulnerability introduced in MikroTik RouterOS 7
- 2025-06-30: CVE-2023-47310 published
- v7.14: Fix released in MikroTik RouterOS v7.14