Vulnerability CVE-2018-5390

Hello everyone,

I would like to know whether MikroTik RouterOS is affected by CVE-2018-5390, which affects CentOS or RedHat (versions 5, 6, 7), or other Linux kernel versions 4.9+.

I see here: https://wiki.mikrotik.com/wiki/Manual:RouterOS_features that RouterOS is based on the Linux v3.3.5 kernel, so at first glance it is not affected.

Thank you for the update!

We are all waiting for MikroTik to use a 4.9+ kernel!
So far this hasn’t happened.
Furthermore this type of vulnerability is not so much of interest for a router.
When you allow untrusted parties to set up TCP connections to your router you are vulnerable for many other reasons, so improve your firewall.

We use MikroTik for SSTP connectivity from home, so for example port 443 is open for connections…

That certainly is a risk!
Not for the reason mentioned in that CVE but there could certainly be a vulnerability in the SSTP server or the SSL and PPP layers used, and the authentication.
Once it is discovered it could mean your router is open to the world. Just like with the webserver and winbox vulnerabilities found earlier.
That is the fun of today’s networking: you never know if you are secure or not, and the software is too complex to know if there are such vulnerabilities.

Maybe filter access to the SSTP service

Just a side note - it is way too easy to create those CVE-2018-xxxx entries. Anyone stubborn enough can do it, even without any actual knowledge of the subject. I think this should be restricted to companies only; for example, MikroTik should do it itself.

What do you mean by “create those entries”?

Are you suggesting that this CVE report might be inaccurate or lacking validity?
Perhaps you can share with us how the issue described in that CVE is actually not an issue and the reporting entity was not accurate in the description.
As almost anybody could create a CVE, also almost anybody can step in and prove that it is non-important or incorrect; you are welcome to do so.
In the meantime, I would definitely suggest MikroTik investigate, as this sounds like an important vulnerability.
And I would also suggest everyone using OpenVPN functionality on RouterOS follow up.

We are not talking about a NAT issue, or high CPU usage by some process, but a security vulnerability instead, and one of the main functions of RouterOS is “Firewalling”, so this CVE sounds like something very important, way more than WiFi improvements, Winbox GUI changes, etc.

I think he meant this in a more generic sense. Anyone can submit something to the CVE database.

I think so, but I wanted to make sure we don't minimize reality.
Under which conditions should we worry or not about this particular issue?
(OpenVPN implementation on RouterOS not able to check the validity of a server cert)

No need to worry when the kernel version is below 4.9.

I'm confused. So, should we worry about this vulnerability, or not?
If so, in which scenarios?

DotTest37, go read the CVE. You are getting worked up over nothing. The published CVE has nothing to do with OpenVPN or SSTP security vulnerabilities. It has to do with possible DoS to a host via certain crafted TCP packets, not privilege escalation, not cert/data leakage, etc.

The “bug” (sounds more like a design flaw, but whatever) only exists in Linux 4.9 and later, up to current versions. Linux 4.9 came out in December 2016. RouterOS is based on Linux 3.3.5, which came out in December 2012. This implementation flaw does not exist in RouterOS, period.

pe1chl and total13 started talking about hypothetical other problems that could be in RouterOS, basically saying “you never know what security flaws might exist in the software, so as a general rule of thumb, you should carefully craft your firewall rules accordingly.” They were just discussing general common-sense security practices after it was established that RouterOS is not vulnerable to this.

– Nathan

My apologies, I was replying to the wrong thread.
I had multiple browser tabs at the same time and for whatever reason I was complaining in the wrong place.
My comments were supposed to be for CVE-2018-10066, not this one.
How can we delete my unrelated posts on this thread?