It seems there is a bug in ROS that allows a remote attacker to crash any Mikrotik device if they can access it via v6. Even with firewalling you are still a sitting duck. Mikrotik have known about this for a year and have done nothing to fix it.
This information is due to be released to the public at UKNOF on 9th April. Yes, in 12 days anyone with a slight bit of knowledge about networks and a v6-enabled connection will be able to take any Mikrotik device (running v6) offline. No doubt an exploit script will follow soon after.
As a community it is absolutely critical that we push Mikrotik for a solution to this problem as a matter of utmost urgency. The consequences of this getting out into the wild before a fix is available would be disastrous for all of us. Please everyone pay attention and help in making sure Mikrotik understand just how critical this problem is.
Somehow this is the first I’ve heard of this and I’m very concerned as I have a modern network that includes IPv6. You’re saying Mikrotik have known about this for 50 weeks and it hasn’t been fixed?!? What is going on over there?!
This is a completely unacceptable response for a security vulnerability. I think it’s time for me to start moving away from RouterOS, either to OpenWRT or a different vendor that cares about security.
In a nutshell, it’s a memory exhaustion issue. You send a v6 packet formed in a certain way (which I assume will be revealed on 9th April) to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.
Even if there is no way to firewall it on a MikroTik, I’m assuming that once we know what is being set in the packet header, it can be mitigated with another solution based on flow detection and dropping the traffic in a switch. That won’t work for everyone obviously, but it would work for a lot of the ISP and DC networks I consult on.
That is exactly what we are all hoping for. Unfortunately the silence from Mikrotik does not fill me with confidence that they even understand how bad this problem could turn out.
If this is true, then WTF are they even thinking?!
This only sends all the bad messaging: If you want a bug to be fixed, release it as a zero-day exploit. Doing it the nice and proper way gets you nowhere…
In this thread there are two issues listed: ND cache & routing / stateful connection exhaustion. Which is referred to here?
The first can be mitigated by a stateful firewall, which most end users will use. For non-end-users, address restrictions can help / resolve the issue.
For the second, it wasn’t clarified what the actual issue was.
Thankfully I’m in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I’ve had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it’s a complete hoax. Either is better than what appears to be reality.
Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I’m a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.
We have quite a number of networks we have deployed IPv6 into.
I always wish when things like this happened I knew more to be able to protect our clients - but of course that is the nature of the beast.
Hoping Mikrotik can patch the issue.
IPArchitects has a decent idea in regards to switch path in front of the routers as a possible solution to help direct traffic.
Facts still have to matter. The narrative, response and criticism over this issue have gotten way ahead of the information available. Specially crafted packet / memory exhaustion issues (or any other vulnerability) are nothing new to even the largest network equipment manufacturers. They can be dealt with, and are done so routinely.
The common practice to go public with a vulnerability is to do it in coordination with the affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.