Is RouterOS vulnerable to CVE-2023-48795?

Update (20/12/2023): Terrapin scanner no longer crashes and correctly identifies RouterOS as not being vulnerable to the Terrapin attack — thanks to @TrueSkrillor
It was recently discovered that the SSH protocol has a weakness that lets an attacker in a man-in-the-middle position affect the negotiation of protocol security features without the client or server noticing.
Here is a table showing whether the two main RouterOS branches are vulnerable to CVE-2023-48795, based on the output of Terrapin-scanner:
+---------+----------------+
| version | vulnerable     |
+---------+----------------+
| 6.49.6  | not vulnerable |
| 6.49.8  | not vulnerable |
| 7.12rc7 | not vulnerable |
| 7.11.2  | not vulnerable |
| 7.12.1  | not vulnerable |
| 7.13    | not vulnerable |
+---------+----------------+

Versions greater than 7.12rc7 are unknown because the Terrapin scanner (at version 1.0.2) is unable to determine whether they are vulnerable and gives an error:

panic: error while reading packet length of binary packet: EOF

goroutine 1 [running]:
main.main()
	/home/ubuntu/go/pkg/mod/github.com/!r!u!b-!n!d!s/!terrapin-!scanner@v1.0.2/main.go:314 +0x1e4

Take this with a pinch of salt — Terrapin-scanner does not warrant or guarantee that the results are without error!
I’ve created a PR on GitHub — you can track the progress here
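
To show what a verdict like the ones in the table rests on, here is an added example (not from the original post and not Terrapin-scanner's code) that parses a server SSH_MSG_KEXINIT payload and applies the conditions from the public Terrapin disclosure: ChaCha20-Poly1305, or CBC with Encrypt-then-MAC, offered without the strict key exchange marker. The function names and the sample payloads are constructed for illustration, and truncated input returns an error rather than a panic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// parseKexInit returns the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, 7.1).
func parseKexInit(p []byte) (l [10]string, err error) {
	if len(p) < 17 || p[0] != 20 {
		return l, errors.New("not a KEXINIT payload")
	}
	p = p[17:] // skip message type and 16-byte cookie
	for i := range l {
		if len(p) < 4 || uint64(binary.BigEndian.Uint32(p)) > uint64(len(p)-4) {
			return l, errors.New("truncated name-list") // error instead of a panic
		}
		n := binary.BigEndian.Uint32(p)
		l[i], p = string(p[4:4+n]), p[4+n:]
	}
	return l, nil
}

// exposed applies the published CVE-2023-48795 conditions to a server KEXINIT:
// ChaCha20-Poly1305, or CBC with an EtM MAC, offered without strict kex.
func exposed(l [10]string) bool {
	has := func(list, name string) bool { return strings.Contains(","+list+",", name) }
	enc, mac := l[2]+","+l[3], l[4]+","+l[5] // both directions
	mode := has(enc, ",chacha20-poly1305@openssh.com,") ||
		has(enc, "-cbc,") && has(mac, "-etm@openssh.com,")
	return mode && !has(l[0], ",kex-strict-s-v00@openssh.com,")
}

// sample builds a constructed KEXINIT payload (not captured from a device).
func sample(kex, enc, mac string) []byte {
	p := append([]byte{20}, make([]byte, 16)...)
	for _, s := range []string{kex, "ssh-ed25519", enc, enc, mac, mac, "none", "none", "", ""} {
		p = append(binary.BigEndian.AppendUint32(p, uint32(len(s))), s...)
	}
	return append(p, 0, 0, 0, 0, 0)
}

func main() {
	l, err := parseKexInit(sample("curve25519-sha256", "chacha20-poly1305@openssh.com", "hmac-sha2-256"))
	fmt.Println(exposed(l), err)
	fmt.Println(parseKexInit([]byte{20, 0, 0})) // truncated input
}
```

A server that advertises `kex-strict-s-v00@openssh.com` is reported as not exposed even when it still offers an affected cipher mode, because the countermeasure only takes effect when both peers support it.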