CVE-2024-27686
Denial of Service in MikroTik RouterOS x86
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mikrotik | routeros | From 6.40.5 (inc) to 6.44 (inc) |
| mikrotik | routeros | From 6.48.1 (inc) to 6.49.10 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-27686 is a Denial of Service (DoS) vulnerability affecting the SMB service on MikroTik RouterOS devices running versions 6.40.5 through 6.44 and 6.48.1 through 6.49.10 on x86 architecture.
The vulnerability is caused by memory corruption, specifically a segmentation fault triggered by crafted SMB packets that cause the service to access invalid memory locations.
Exploitation results in the SMB service crashing and closing the affected port (TCP 445), making the service unavailable.
On the lower affected range (6.40.5 to 6.44) the SMB service typically does not recover on its own and must be restarted manually; on the higher range (6.48.1 to 6.49.10) the kernel may restart the service after about 60 seconds, which lets the crash be triggered again repeatedly.
Although the current proof of concept only demonstrates a DoS condition, there is a suggestion that further exploitation might lead to Remote Code Execution (RCE), but this has not been achieved.
How can this vulnerability impact me?
This vulnerability can cause the SMB service on affected MikroTik RouterOS devices to crash, resulting in a denial of service.
When exploited, the SMB service becomes unavailable, disrupting network services that rely on SMB communication over TCP port 445.
For devices running lower vulnerable versions, the service will remain down until manually restarted, potentially causing prolonged downtime.
For devices running higher vulnerable versions, the service may restart automatically after about 60 seconds, but this allows repeated exploitation and intermittent service disruption.
Overall, the impact is service unavailability and potential network disruption, which could affect business operations relying on these devices.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the SMB service on MikroTik RouterOS devices listening on TCP port 445. Detection can involve monitoring for crashes or unavailability of the SMB service on these devices.
One practical approach is to use the provided Proof of Concept (POC) script smb_crash.py from the GitHub repository to test if a device is vulnerable by sending crafted SMB packets and observing if the SMB service crashes or becomes unresponsive.
Additionally, network administrators can check for devices running MikroTik RouterOS versions 6.40.5 through 6.49.10 on the network and verify if the SMB service on port 445 is active and stable.
- Use a network scanner such as nmap to identify devices with port 445 open: `nmap -p 445 <target-ip>`
- Run the smb_crash.py script from the GitHub repository against suspected devices to test for vulnerability.
- Monitor logs or device behavior for SMB service crashes or restarts, which may indicate exploitation attempts.
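The third step, watching a device's SMB listener for crashes and restarts, can be automated without sending any SMB traffic at all: a plain TCP connect to port 445 tells you whether the listener is answering, and the sequence of results over time distinguishes the two behaviours the record describes (service stays down versus service comes back after roughly a minute). The script below is an added example and is not part of this CVE record or of any MikroTik tooling. It uses only the Python standard library; the host address, the probe interval, the 90-second recovery window used to label a restart, and the sample history are constructed assumptions.

```python
"""Availability monitor for a RouterOS SMB listener (TCP 445).

Added example (not MikroTik's code). Opens and closes a TCP connection to
the port and classifies the history of results, so that "crashed and stayed
down" and "crashed, restarted after ~60 s" are both recognisable in logs.
"""
import socket
import sys
import time
from typing import Callable, List, Tuple

SMB_PORT = 445

# Constructed sample history: (unix_time, port_open). The listener answers,
# stops answering at t=30 and is back at t=90, i.e. the ~60 s kernel restart
# pattern described for the 6.48.1-6.49.10 range.
SAMPLE_HISTORY: List[Tuple[float, bool]] = [
    (0.0, True), (10.0, True), (20.0, True),
    (30.0, False), (40.0, False), (50.0, False),
    (90.0, True), (100.0, True),
]


def probe_tcp(host: str, port: int = SMB_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_history(samples: List[Tuple[float, bool]],
                     restart_window: float = 90.0) -> str:
    """Classify a chronological (unix_time, port_open) history.

    "stable"    every probe was answered
    "down"      listener stopped answering and had not returned by the end
    "flapping"  listener went down and was back within restart_window seconds
    "recovered" listener went down and came back only after a longer gap
                (consistent with a manual restart)
    "no-data"   empty input
    """
    if not samples:
        return "no-data"
    down_since = None      # timestamp of the first failed probe in an outage
    saw_outage = False
    short_recovery = False
    for ts, is_open in samples:
        if not is_open:
            saw_outage = True
            if down_since is None:
                down_since = ts
        elif down_since is not None:
            if ts - down_since <= restart_window:
                short_recovery = True
            down_since = None
    if not saw_outage:
        return "stable"
    if down_since is not None:          # still down at the end of the history
        return "flapping" if short_recovery else "down"
    return "flapping" if short_recovery else "recovered"


def monitor(host: str, interval: float = 10.0, duration: float = 300.0,
            probe: Callable[[str, int], bool] = probe_tcp,
            clock: Callable[[], float] = time.time,
            sleep: Callable[[float], None] = time.sleep) -> List[Tuple[float, bool]]:
    """Probe host:445 every `interval` seconds for `duration` seconds.

    `probe`, `clock` and `sleep` are injectable so the logic can be exercised
    offline; the defaults do real network probes.
    """
    samples: List[Tuple[float, bool]] = []
    start = clock()
    while True:
        now = clock()
        samples.append((now, probe(host, SMB_PORT)))
        if now - start >= duration:
            return samples
        sleep(interval)


if __name__ == "__main__":
    # Usage: python smb445_monitor.py <router-ip> [duration-seconds]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder
    secs = float(sys.argv[2]) if len(sys.argv) > 2 else 300.0
    history = monitor(target, duration=secs)
    print(f"{target}: {classify_history(history)}")
    for ts, ok in history:
        print(time.strftime("%H:%M:%S", time.localtime(ts)), "open" if ok else "closed")
```

A "flapping" verdict on a device in the 6.48.1 to 6.49.10 range, or a "down" verdict on one in the 6.40.5 to 6.44 range, matches the crash behaviour described above and is worth correlating with the router's own log and with the source addresses that were talking to port 445 at the time. The probe only completes a TCP handshake, so running it against your own devices adds no SMB load.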
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading MikroTik RouterOS devices to version 7 or later, where this vulnerability has been fixed.
If upgrading is not immediately possible, consider disabling or restricting access to the SMB service on TCP port 445 to prevent remote exploitation.
Implement network-level controls such as firewall rules to block or limit inbound traffic to port 445 from untrusted sources.
- Upgrade RouterOS to version 7 or later.
- Block or restrict TCP port 445 access on vulnerable devices.
- Monitor devices for SMB service crashes and, on versions that do not restart the service on their own (6.40.5 to 6.44), restart it manually.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2024-27686 on compliance with common standards and regulations such as GDPR or HIPAA.