CVE-2024-54952
📋 TL;DR
MikroTik RouterOS 6.40.5 contains a memory corruption vulnerability in its SMB service. Remote, unauthenticated attackers can send specially crafted packets to trigger a null pointer dereference, causing a Remote Denial of Service (DoS) that renders the SMB service unavailable. This affects all systems running the vulnerable RouterOS version with SMB enabled.
💻 Affected Systems
- MikroTik RouterOS
📦 What is this software?
RouterOS by MikroTik
⚠️ Risk & Real-World Impact
Worst Case
Complete SMB service disruption on affected routers, potentially impacting file sharing and network services that rely on SMB functionality.
Likely Case
Remote attackers cause SMB service crashes, disrupting file sharing capabilities until service restart.
If Mitigated
Limited to SMB service disruption without affecting other router functions if SMB is isolated.
🎯 Exploit Status
The GitHub reference suggests proof-of-concept code exists. The vulnerability requires only specially crafted packets, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RouterOS versions after 6.40.5
Vendor Advisory: https://mikrotik.com
Restart Required: Yes
Instructions:
1. Log into RouterOS via WinBox or SSH.
2. Check current version with '/system package update check'.
3. Update to latest stable version using '/system package update install'.
4. Reboot the router after update completes.
🔧 Temporary Workarounds
Disable SMB Service
Completely disable the vulnerable SMB service to prevent exploitation.
/ip smb set enabled=no
Restrict SMB Access
Limit SMB service to trusted networks using firewall rules.
/ip firewall filter add chain=input protocol=tcp dst-port=445 src-address=!TRUSTED_NETWORK action=drop
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SMB services from untrusted networks
- Deploy network intrusion detection systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check RouterOS version with '/system resource print'. If version is 6.40.5 and SMB is enabled, the system is vulnerable.
Check Version:
/system resource print
Verify Fix Applied:
After update, verify version is newer than 6.40.5 and test SMB service functionality.
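The version and SMB check above can be scripted when auditing several routers. The following is an added example, not code from MikroTik or from this advisory: it classifies a device from the saved text output of '/system resource print' and '/ip smb print'. The 'key: value' output layout, the sample outputs and the function names are assumptions made for illustration.

```python
import re

AFFECTED = (6, 40, 5)  # the only version this page names as vulnerable

# Constructed sample outputs (assumed 'key: value' layout), not real captures.
SAMPLE_RESOURCE = """\
             uptime: 3w2d4h11m
            version: 6.40.5 (stable)
         build-time: Oct/31/2017 13:05:10
"""
SAMPLE_SMB = """\
       enabled: yes
        domain: MSHOME
    interfaces: all
"""

def parse_kv(text):
    """Parse 'key: value' print output into a dict (splits on the first colon)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out

def parse_version(raw):
    """'6.40.5 (stable)' -> (6, 40, 5); '6.41rc12' -> (6, 41, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(g or 0) for g in m.groups())

def assess(resource_out, smb_out):
    """Apply the page's rule: version 6.40.5 with SMB enabled is vulnerable."""
    version = parse_version(parse_kv(resource_out).get("version", ""))
    smb_on = parse_kv(smb_out).get("enabled", "").lower() in ("yes", "true")
    if version == AFFECTED:
        return "VULNERABLE" if smb_on else "MITIGATED (SMB disabled)"
    if version > AFFECTED:
        return "PATCHED"
    # The page makes no statement about releases before 6.40.5.
    return "UNKNOWN (older than the version this page covers)"

if __name__ == "__main__":
    print(assess(SAMPLE_RESOURCE, SAMPLE_SMB))
```

A missing or unparseable version line raises ValueError rather than reporting a device as safe.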
📡 Detection & Monitoring
Log Indicators:
- SMB service crash logs
- Unexpected SMB service restarts
- Memory error messages in system logs
Network Indicators:
- Multiple malformed SMB packets from single source
- SMB service becoming unresponsive
SIEM Query:
source="routeros" AND ("SMB" OR "port 445") AND ("crash" OR "memory" OR "null")