Community discussions

by maznu
Tue May 28, 2019 12:33 pm
Forum: Useful user articles
Topic: How to optimize list of IP4 addresses
Replies: 6
Views: 1270

Re: How to optimize list of IP4 addresses

This tool exists http://manpages.ubuntu.com/manpages/disco/en/man1/aggregate.1.html
Also you can use https://github.com/snar/bgpq3, for example:
bgpq3 -A -4 -j AS-FACEBOOK
Here I'm using JSON output format so that I can have access to a prefix-length range, but you could equally use bgpq3 -A -4 AS...
by maznu
Fri Apr 05, 2019 1:35 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

I have done several tests with GNS3 using CHR 6.44.2 (stable) and as long as the router has enough memory, it doesn't crash. In my tests, the attack 'steals' around 180 MiB. Using a CHR with 256 MB, system resources shows a total memory of 224 MiB and free-memory of 197 MiB before attack. During th...
by maznu
Thu Apr 04, 2019 6:14 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

It is an upgrade problem because of no free space on the router, not related to this thread at all.
I have 6.43.14 installed on a hAP ac lite (64Mb RAM), and it is still vulnerable. Ticket#2019040222005195 and Ticket#2019032922005182
by maznu
Thu Apr 04, 2019 5:14 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

This is far from over.

Please refer to ticket 2019040422005244 and advise.
I'm hearing reports that this isn't fixed on routers with 64Mb or less of RAM. Is your ticket about this, eben? Or something else? :-|
by maznu
Thu Apr 04, 2019 2:31 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

What I don't understand: why is it not possible to firewall against it. When you limit the addresses that are routed, e.g. by dropping traffic in the raw prerouting table, does it still create entries for the dropped traffic in the route cache or neighbor table? Why? If you DROP in PREROUTING then ...
by maznu
Thu Apr 04, 2019 12:44 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Just wondering what will happen / be the effect when "under attack" and hitting memory limit?
* on neighbour mem limit
* on routing cache limit
Router will survive, but what with the legit connections? The tests I did on 6.45beta23 suggested different levels of memory usage would be used for the IP...
by maznu
Thu Apr 04, 2019 12:18 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Fixed also in long-term - 6.43.14
and Current - 6.44.2
Attacked both, and both releases fix CVE-2018-19299. Fantastic news — but now the hard work for all us network operators begins:

1. 🔬 test

2. 🧠 plan

3. 🔨 deploy

4. 🔍 monitor

5. 🍺🍻🎉

6. 😴 🛌
by maznu
Tue Apr 02, 2019 7:43 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

With extreme fragmentation, it can result in no contiguous memory that satisfies the malloc() or realloc() and you either segfault in userland or (I'd imagine) panic in the kernel, hence the reboot even with memory theoretically available. The data structure that the Linux kernel used in RouterOS v...
by maznu
Tue Apr 02, 2019 5:26 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

More testing has yielded more data. This has not been properly replicated by anyone else that I know of, so take it as plausible hypothesis. I think I found more fallout from the ipv6 flaw: boxes that have their ND cache or their ipv6 route cache run up but not to the point of OOM reload experience...
by maznu
Tue Apr 02, 2019 10:42 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

@maznu - beta23 fixes both vulnerability? Did you test? I emailed MikroTik yesterday, tweeted, and posted about this on the 6.45beta thread - yes! MikroTik has said that another beta is expected to make the settings on the affected components more "optimal" for devices with low RAM. I hope it lands...
by maznu
Tue Apr 02, 2019 2:03 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Also, send @maznu a present/gift/bounty/4011. He sure as hell earned it.
That's very kind, but after we've all got the patch in longterm and stable, I want to know how I can mail order a crate of beer to MikroTik's offices to say thank you for getting this fixed.
by maznu
Mon Apr 01, 2019 8:17 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

maznu - can you contact me via Twitter? I sent you a tweet already.
My timeline exploded a bit, as you might imagine. I'm @maznu on Twitter, DMs are open :)
by maznu
Mon Apr 01, 2019 5:31 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

where the reporter didn't report it as a security concern and left it for 6 months till he was able to get a CVE The full timeline will be available next week. But when I reported this in April 2018, my request to MikroTik was to plead with support to treat this as a serious security vulnerability,...
by maznu
Mon Apr 01, 2019 12:08 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66456

Re: v6.45beta [testing] is released!

Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb. Hopefully this fix will be in long-term and current branches soon. I concur....
by maznu
Sun Mar 31, 2019 8:50 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

FastNetMon may work if the netflow is being generated by an intermediate device in the path (like off of a tap), it's very fast and can potentially mitigate assuming null routing is performed before cache write. EDIT: with only:
* a route back to the attacker
* and only a default null route in my v...
by maznu
Sun Mar 31, 2019 3:48 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66456

Re: v6.45beta [testing] is released!

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you tr...
by maznu
Sun Mar 31, 2019 3:45 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66456

Re: v6.45beta [testing] is released!

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you tr...
by maznu
Sun Mar 31, 2019 12:07 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Sorry @maznu but I don't get the same md5sum you expected. Maybe mine is a different but correlated attack It is possible we are using different tools to trigger the same issue — there is more than one way to make some IPv6 packets. ;-) If you're happy to discuss in private anyway, please drop me a...
by maznu
Sun Mar 31, 2019 12:03 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

I have been spreading the word around in other forums. If it's of any interest / help I am happy to act as a remote test case providing no harm is done. At this stage, my best advice would be that people monitor the memory usage on their routers and graph it. If your memory usage is stable for many...
by maznu
Sun Mar 31, 2019 11:50 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

As a consequence, I am now assuming the exploit is out there in the wild and is being used. Thanks for this information, @MichaelHallager. I've seen something similar several times in the first two weeks of March this year, and advised MikroTik on 2019-03-15 about this, asking for urgent action. At ...
by maznu
Sun Mar 31, 2019 11:18 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

When I launch the attack, the chr reboots but the other routers are not affected by the attack. Firewall rules seems not to be effective. But if I increase the chr memory from about 300 MiB to 3000 MiB the router seems to be ok: the free memory goes between 2200 and 2400. As my lab is made in gns3 ...
by maznu
Sun Mar 31, 2019 11:02 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

now that we know what command to run @IPANetEngineer: do you want to compare notes now that we are probably on the same page? Prompted by something MikroTik told me last thing on Friday about the nature of the underlying problem, and following my own research last night, I've got some good news to ...
by maznu
Sun Mar 31, 2019 1:16 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

If you haven't already, I would strongly encourage those of you who discovered and reverse engineered these bugs to compare notes and check that they are in fact the same methods - the last thing we need is for MikroTik to release a fix for the original issue, and then find that those who reverse e...
by maznu
Sat Mar 30, 2019 5:47 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

despite the author having been less than helpful about providing details. I have provided MikroTik with every detail at every step of the way. I cannot provide anyone else with any more detail at all as this would literally give them the means to carry out the attack. I have not shared any mitigation...
by maznu
Sat Mar 30, 2019 10:30 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Normis... I'm pretty confident we have replicated the conditions of one of the CVEs from doing some digging on our own for this issue. Without the rules, the router crashed. When we added the rules the router stayed online. Meanwhile CVE-2018-19299 still needs fixing, because even with those perform...
by maznu
Sat Mar 30, 2019 8:33 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Maznu, do the following: ip service disable [find] Verify that even with all Mikrotik access media services the problem occurs? Yes, that is still vulnerable (my test lab has no services enabled because it has no Internet connectivity - only console access). These IPv6 handling problems are not abo...
by maznu
Fri Mar 29, 2019 10:52 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Maznu, thank you for showing that you are seeking a solution for the whole community. Could you inform me if disabling SSH and Winbox service also works the exploit? Using RoMon only can be a "temporary" solution? How you access the router isn't the major factor here… I'm not sure I understand your...
by maznu
Fri Mar 29, 2019 6:23 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Normis... I'm pretty confident we have replicated the conditions of one of the CVEs from doing some digging on our own for this issue. Without the rules, the router crashed. When we added the rules the router stayed online. May I please add "discovered independently by a third party" to the timeline...
by maznu
Fri Mar 29, 2019 5:23 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

For CVE-2018-19299, Are systems that do not have IPv6 connection tracking enabled affected?
Yes.
by maznu
Fri Mar 29, 2019 5:12 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

No. He did not send proof of concept for all issues, just a generic report about a crash. When he now said that CVE number such and such is not fixed, it was not clear, since we don't know what he will publish in that CVE. There is not a single issue, there are multiple issues, we fixed most, now h...
by maznu
Fri Mar 29, 2019 3:23 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

This version fixes: 1) Soft lockup when IPv6 router is forwarding IPv6 packets; 2) Soft lockup when the router is forwarding packets to a local network (directly connected) due to large IPv6 Neighbor table. We are still working on improvements for IPv6 Neighbor table processing in userspace which c...
by maznu
Fri Mar 29, 2019 3:09 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

We fixed the crashes that were reported to us. You said, we have not fixed "The CVE". I don't know what you will publish in the CVE. You have only provided a video that doesn't help at all. The CVE, CVE-2018-19299, was communicated to you in October 2018. It is literally just the number that MITRE ...
by maznu
Fri Mar 29, 2019 3:03 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

For everyone here, I wanted to clarify, that to my best knowledge, the author of the CVE has not contacted MikroTik and we are in the dark as to what he plans to publish. There has been plenty of communications on this matter, normis. The most recent, specifically about what I plan to publish, was ...
by maznu
Fri Mar 29, 2019 3:00 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues. Hopefully fix will land in other (stable and long term) branches shortly. CVE-2018-19299 is not fixed in 6.45beta22, I am afraid. Please clarify https://www.youtube.com/watch?v=...
by maznu
Fri Mar 29, 2019 1:40 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66456

Re: v6.45beta [testing] is released!

will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.
!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
Sorry, but CVE-2018-19299 is not fixed in 6.4...
by maznu
Fri Mar 29, 2019 1:35 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues.

Hopefully fix will land in other (stable and long term) branches shortly.
CVE-2018-19299 is not fixed in 6.45beta22, I am afraid.
by maznu
Fri Mar 29, 2019 12:19 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

So all this "close to year" shouting is overestimation. So I suggest to keep calm and wait for release, as MikroTik admitted 2nd CVE as vulnerability.
Second "bug" was acknowledged by MikroTik on 2018-04-20.
by maznu
Fri Mar 29, 2019 10:05 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

I believe I saw you comment that this can't be mitigated in MikroTik at Layer3. What about using a MikroTik router at Layer 2 (or a non-MikroTik) inline in bridge mode before the Internet connection and using the firewall to filter out whatever is in the crafted packet that creates the issue? I'm a...
by maznu
Fri Mar 29, 2019 10:02 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

We aim to fix the issue before the mentioned publication date.
That is very welcome news, normis.

If you or your developers wish to contact me privately for any further information, you've got my email address.

Good luck!
by maznu
Fri Mar 29, 2019 9:57 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
I also would like to know this.
If you cannot route IPv6 packets, you should be safe.
by maznu
Fri Mar 29, 2019 8:28 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 37997

Re: UKNOF 43 CVE

Would somebody please post some additional information about this. I need to understand what is the problem, the potential impact and what vulnerabilities are possible. Where can I find information to read/learn about this? MikroTik acknowledged this issue on 2018-04-20. To learn more about it: I a...
by maznu
Fri Mar 29, 2019 8:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14675

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

why r u being so disruptive and trying to break mikrotik? Multiple MikroTik staff have repeatedly and continuously called this a "bug" and not a "vulnerability". If reporting "bugs" is now deemed disruptive then could someone please stop the world, because I would like to get off. Meanwhile, indust...
by maznu
Fri Mar 29, 2019 1:26 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14675

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional. I have been asking MikroTik for exactly this approach for nearly a year. They will not commit to a date, or even t...
by maznu
Fri Mar 29, 2019 1:23 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14675

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality. Edit: It real...
by maznu
Fri Mar 29, 2019 1:15 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14675

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Hi, I'm Marek Isalski. I've been trying desperately to get MikroTik to resolve this issue since they acknowledged it on 2018-04-20. I know for a fact other people have figured this vulnerability out, and I believe I've seen exploitation of it in the wild in the last 2-4 weeks. MikroTik's response to...
by maznu
Wed Dec 05, 2018 3:54 pm
Forum: Forwarding Protocols
Topic: OSPF loses routes after days
Replies: 23
Views: 2093

Re: OSPF loses routes after days

How many routes do you have? We have not experienced this issue at all with OSPFv2 with 450 OSPFv2 routes and 130 routers. It's been completely stable. 760000 in BGPv4, 60000 in BGPv6 And was several hundred in OSPFv2 (/32 per customer device), and several hundred in OSPFv3 (/48, /56, /64 per custo...
by maznu
Wed Dec 05, 2018 9:06 am
Forum: Forwarding Protocols
Topic: OSPF loses routes after days
Replies: 23
Views: 2093

Re: OSPF loses routes after days

The log will repeat this when it breaks until I flap the instance:
08:28:37 route,ospf,info OSPFv2 neighbor 10.255.0.3: state change from Full to 2-Way
08:29:18 route,ospf,info Database Description packet has different master status flag
08:29:18 route,ospf,info new master flag=false
08:29:18 route...
by maznu
Sat Nov 17, 2018 8:24 pm
Forum: RouterBOARD hardware
Topic: Anyone tried the new CRS305-1G-4S+IN switch? [SOLVED]
Replies: 1
Views: 1002

Re: Anyone tried the new CRS305-1G-4S+IN switch? [SOLVED]

We're using one for OEO of a 10G wave: https://twitter.com/NetworkMoose/status ... 4025182209

Thumbs up for this device so far!
by maznu
Sat Oct 13, 2018 10:27 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 32399

Re: Security announcement blog

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different. This is an out-of-the-box configuration, plus IPv6, NOTRACK, and some static routes. MikroTik confirmed to me back in March that they have reproduced this issue. I'm just ho...
by maznu
Fri Oct 12, 2018 1:23 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 32399

Re: Security announcement blog

ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers do not use it. (but they could use tracking) To refer you back to my post, and why ND is not to blame (despite using an "ND exhaustion tool"): RaspberryPi ---- hAP ac2 ---- hEX If I run this o...