During some research which found CVE-2018-19298 (MikroTik IPv6 Neighbor Discovery Protocol exhaustion), I uncovered a larger problem with MikroTik RouterOS’s handling of IPv6 packets. This led to CVE-2018-19299, an unpublished and as yet unfixed (despite almost one year elapsing since vendor acknowledgement) vulnerability in RouterOS which allows for remote, unauthenticated denial of service. Unpublished… until UKNOF 43!
I’ve been talking to Marek (the presenter) this morning. In a nutshell, if you run v6 on a public-facing interface, you’re fed come 9th April.* Every script kiddie out there can remotely crash your router, and do it over and over again. The only solution is to disable IPv6; not even firewalling will help here.
Mikrotik: I hope you have every developer you have available working on a fix for this. The consequences of you not having a patch in time for the 9th do not bear thinking about.
I am not convinced that your statement is acceptable, Normis. This is a serious issue that could destroy many businesses and cost millions. Given the gravity of the situation, I would expect at the very least:
Reassurance that you are taking the matter seriously (unlike the past year where it has been ignored)
A statement to the effect that you are putting every bit of development effort available to you towards identifying the source of this problem
A guarantee that a fix will be available in good time before this knowledge is made public
…and sadly @mikrotik_com continue to stonewall me saying this remote unauthenticated denial of service is a “bug” not a “security vulnerability” — which is probably why they haven’t prioritised it for the last 50 weeks.
My point exactly. Marek was kind enough to show me a video demonstrating the problem (I promised I would not share otherwise I would post here). It is very much as bad as it sounds. Why are you not taking responsibility, Mikrotik?
I highly recommend MikroTik look into implementing something like the SAFe 4.5 Lean-Agile framework for their company. It will help to get a handle on the continuous release cycle that is typical of their type of company. This is a business process for how to organize, coordinate, and manage simultaneous hardware and software releases.
Would somebody please post some additional information about this.
I need to understand what is the problem, the potential impact and what vulnerabilities are possible.
Where can I find information to read/learn about this?
That’s the normal standard from Mikrotik when they are faced with a problem to resolve and they have no idea. They shoot the messenger they don’t like, they refuse to take responsibility, and probably they believe they have no obligation to give any reasonable satisfaction to their public. They might think they need only do that “if they feel like it”. It is their culture, they never change, and the more people bring up issues both with the product and with their culture, the more “ego-hurt” they become.
That explains well the type of statement you could read, along the lines of: “We are aware of this but we are not giving you any satisfaction, any timeframes, any workaround or any information that may be useful to you in the meantime, because we don’t feel that is necessary and we are bothered to deal with this”.
It’s a total lack of organization and care, and not just now, but for quite a while, and it seems to come from the top.
Hey, come on now… Please, let’s not be negative about/to Mikrotik.
I’m sure that Mikrotik will release an upgrade to resolve this IPv6 issue (hopefully in time).
Mikrotik is the cost-effective solution for smaller carrier-grade ISPs and businesses.
I, for one, welcome any information that helps me operate my ISP business.