CVE-2022-34960

Name of the Vulnerable Software and Affected Versions MikroTik RouterOS version 7.4beta4

Description The issue is related to the container package in MikroTik RouterOS, which allows an attacker to create mount points pointing to symbolic links. These links can resolve to locations on the host device, enabling the attacker to mount any arbitrary file to any location on the host. This is due to incorrect link resolution before accessing a file, which can be exploited by a remote attacker.

Recommendations For MikroTik RouterOS version 7.4beta4, consider disabling the container package until a patch is available to prevent exploitation. Restrict access to the container package to minimize the risk of arbitrary file mounting. Avoid using the container package for mounting files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.