Mikrotik RouterOS Denial-of-Service Vulnerability in SMB Service

Vulnerability

A denial-of-service vulnerability affects Mikrotik RouterOS versions 6.40.5 through 6.49.10 on the x86 architecture. An attacker who can reach the router's SMB service on TCP port 445 can crash it by sending crafted packet data. Only devices on which the SMB service is enabled and reachable on that port are exposed. The issue is fixed in RouterOS version 7.

Impact

A successful attack crashes the SMB service, which then stops responding on TCP port 445. On versions 6.40.5 through 6.44 the service does not recover on its own and must be restarted manually. On versions 6.48.1 through 6.49.10 the service may come back after roughly 60 seconds, but this recovery is inconsistent, and nothing stops an attacker from repeating the request once it does. The advisory gives no recovery details for releases between 6.44 and 6.48.1.

Reproduction

The condition is triggered by a single crafted packet sent to the SMB service on TCP port 445. The proof-of-concept script 'smb_crash.py', published in the exploit author's GitHub repository, automates this: it prompts for the target RouterOS version and then sends the payload matching that version, which implies that the crafted data differs between the 6.40.5 to 6.44 branch and the 6.48.1 to 6.49.10 branch. Because the service does not recover on the older branch, run the script only against a lab device that you can restart.

Remediation

Upgrade to Mikrotik RouterOS version 7, where this vulnerability is fixed. Until the upgrade is possible, disable the SMB service if nothing depends on it, or restrict TCP port 445 on the router's input chain to trusted source addresses so the service cannot be reached from untrusted networks.
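The two compensating controls on the router itself, as added example configuration that is not part of the original advisory. The LAN prefix 192.168.88.0/24 is an assumption (the RouterOS default LAN); substitute the addresses that actually need SMB.

```routeros
# See whether the SMB service is enabled at all (RouterOS 6)
/ip smb print

# Option 1: disable the service outright if nothing depends on it
/ip smb set enabled=no

# Option 2: keep SMB but accept TCP/445 only from the trusted LAN
# (192.168.88.0/24 is an assumed placeholder) and drop it from everywhere else.
# place-before=0/1 inserts both rules at the top of the input chain, ahead of any
# broad accept rule that would otherwise let the traffic through.
/ip firewall filter add chain=input protocol=tcp dst-port=445 src-address=192.168.88.0/24 action=accept place-before=0 comment="SMB from LAN only"
/ip firewall filter add chain=input protocol=tcp dst-port=445 action=drop place-before=1 comment="drop SMB from elsewhere"

# Verify the resulting order
/ip firewall filter print where dst-port=445
```

Option 1 removes the exposure entirely and is the right choice on the 6.40.5 to 6.44 branch, where a crashed service stays down until someone restarts it. Option 2 still leaves any host in the allowed range able to crash the service, so it narrows the attacker set rather than closing the hole.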

Added: May 8, 2026, 6:35 AM
Updated: May 8, 2026, 6:35 AM

Vulnerability Rating

Custom Algorithm
spread          4.5
impact          2.5
exploitability  9.1
remediation     0.0
relevance       7.8
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.