MikroTik RouterOS IPv6 UDP Traceroute Firewall Bypass Vulnerability

Vulnerability

A vulnerability has been identified in MikroTik RouterOS 7 prior to 7.14 that allows incoming IPv6 UDP traceroute packets to bypass the firewall. The default firewall configuration in RouterOS 7 accepted UDP packets in the traceroute port range, and an attacker could craft packets so that this rule accepted traffic it was never intended to admit. This exposure could lead to unauthorized access to UDP services such as CAPsMAN, DNS, and containers, where enabled.

Impact

Exploitation of this vulnerability could bypass the default IPv6 firewall, allowing unauthorized access to exposed UDP services.

Reproduction

The vulnerability can be reproduced by sending crafted IPv6 UDP packets that fall within the traceroute port range of 33434 to 33534. The default firewall rules accept these packets, bypassing the intended protections.

Remediation

Users are advised to update to MikroTik RouterOS version 7.14 or later, and to adjust their firewall scripts so that the traceroute accept rule matches only the destination port range 33434 to 33534.
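As an added illustration, not part of the original advisory, the weak and corrected forms of the default IPv6 input rule in RouterOS script. The exact rule text is assumed from a typical RouterOS 7 default configuration export, so compare it against your own /ipv6 firewall filter export output before changing anything.

```routeros
# Added example, not from the advisory. Rule text is assumed from a typical
# RouterOS 7 default configuration; verify against your own export.

# Weak form: the "port=" matcher compares the range against either the
# source or the destination port, so a datagram addressed to any UDP
# service can still satisfy this rule and be accepted on the input chain.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    port=33434-33534 protocol=udp

# Corrected form: match on the destination port only, so the rule admits
# genuine traceroute probes (addressed to 33434-33534) and nothing else.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp

# Audit check: list UDP accept rules on the input chain and confirm that
# none of them still rely on the bidirectional "port=" matcher.
/ipv6 firewall filter print where chain=input protocol=udp action=accept
```

Apply the same review to any custom accept rules you have added for other UDP services, since the same port= versus dst-port= distinction applies to them.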

Added: Jun 30, 2025, 5:57 PM
Updated: Jun 30, 2025, 5:57 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          2.5
exploitability  8.1
remediation     7.7
relevance       0.2
threat          1.6
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.