total13
newbie
Topic Author
Posts: 34
Joined: Fri Jul 08, 2016 2:29 pm

Vulnerability CVE-2018-5390

Wed Aug 08, 2018 1:58 pm

Hello everyone,

I am interested if Mikrotik RouterOS is affected by CVE-2018-5390, which affects CentOS or RedHat (versions 5,6,7), or on other Linux Kernel version 4.9+.

I see here: https://wiki.mikrotik.com/wiki/Manual:RouterOS_features that RouterOS is based on linux v3.3.5 kernel, so on first glance it is not affected.

Thank you for update!
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Vulnerability CVE-2018-5390

Wed Aug 08, 2018 2:19 pm

We are all waiting for MikroTik to use a 4.9+ kernel!
So far this hasn't happened.
Furthermore this type of vulnerability is not so much of interest for a router.
When you allow untrusted parties to set up TCP connections to your router you are vulnerable for many other reasons, so improve your firewall.
 
total13
newbie
Topic Author
Posts: 34
Joined: Fri Jul 08, 2016 2:29 pm

Re: Vulnerability CVE-2018-5390

Wed Aug 08, 2018 4:06 pm

We use Mikrotik for SSTP connectivity from home so for example port 443 is open for connections...
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Vulnerability CVE-2018-5390

Wed Aug 08, 2018 5:02 pm

That certainly is a risk!
Not for the reason mentioned in that CVE but there could certainly be a vulnerability in the SSTP server or the SSL and PPP layers used, and the authentication.
Once it is discovered it could mean your router is open to the world. Just like with the webserver and winbox vulnerabilities found earlier.
That is the fun of today's networking: you never know if you are secure or not, and the software is too complex to know if there are such vulnerabilities.
 
boyko
just joined
Posts: 11
Joined: Sun Feb 05, 2017 1:59 am

Re: Vulnerability CVE-2018-5390

Tue Aug 14, 2018 12:16 pm

We use Mikrotik for SSTP connectivity from home so for example port 443 is open for connections...
Maybe filter access to the SSTP service
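
Added example, not part of the original posts: one way to filter access to an SSTP server listening on TCP 443 in RouterOS, using an address list on the input chain. The list name `sstp-allowed`, the log prefix and the address range (a documentation prefix) are constructed placeholders.

```routeros
# Constructed example: 198.51.100.0/24 stands in for the networks
# that are allowed to reach the SSTP server.
/ip firewall address-list
add list=sstp-allowed address=198.51.100.0/24 comment="SSTP clients (placeholder range)"

/ip firewall filter
# Keep traffic of already accepted connections flowing.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
# Allow new SSTP connections only from the listed sources.
add chain=input action=accept protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp-allowed comment="SSTP from allowed sources"
# Log and drop every other attempt to reach TCP 443 on the router itself.
add chain=input action=drop protocol=tcp dst-port=443 log=yes \
    log-prefix="sstp-deny" comment="drop other SSTP attempts"
```

Rules are evaluated top to bottom, so these only take effect if no earlier input rule already accepts TCP 443. Clients on changing home addresses will not match a fixed address list, so the list has to be maintained for them.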
 
macgaiver
Forum Guru
Posts: 1734
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Vulnerability CVE-2018-5390

Tue Aug 14, 2018 1:25 pm

Just a side note - it is way too easy to create those CVE-2018-xxxx entries.. Anyone stubborn enough can do it, even without any actual knowledge of the subject, I think this should be restricted to companies only, for example MikroTik should do it itself.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
boyko
just joined
Posts: 11
Joined: Sun Feb 05, 2017 1:59 am

Re: Vulnerability CVE-2018-5390

Tue Aug 14, 2018 2:32 pm

Just a side note - it is way too easy to create those CVE-2018-xxxx entries.. Anyone stubborn enough can do it, even without any actual knowledge of the subject, I think this should be restricted to companies only, for example MikroTik should do it itself.
What do you mean by "create those entries"?
 
DotTest37
Frequent Visitor
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: Vulnerability CVE-2018-5390

Mon Aug 20, 2018 3:47 pm

Just a side note - it is way too easy to create those CVE-2018-xxxx entries.. Anyone stubborn enough can do it, even without any actual knowledge of the subject, I think this should be restricted to companies only, for example MikroTik should do it itself.
Are you suggesting that this CVE report might be inaccurate or lacking validity?
Perhaps you can share with us how the issue described on that CVE is actually not an issue and the reporting entity was not accurate on the description.
As almost anybody could create a CVE, also almost anybody can step in and prove that it is non-important or incorrect; you are welcome to do so.
In the meantime, I would definitely suggest MikroTik investigate, as this sounds like an important vulnerability.
And I would also suggest everyone using OpenVPN functionality on RouterOS follow up.

We are not talking about a NAT issue, or a High-CPU usage by some process, but a security vulnerability instead, and one of the main functions of RouterOS is "Firewalling", so this CVE sounds like something very important, way more than WiFi improvements, Winbox GUI changes, etc.
 
normis
MikroTik Support
Posts: 24605
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Vulnerability CVE-2018-5390

Mon Aug 20, 2018 3:53 pm

I think he meant this in a more generic sense. Anyone can submit something to the CVE database.
 
DotTest37
Frequent Visitor
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: Vulnerability CVE-2018-5390

Mon Aug 20, 2018 7:43 pm

I think he meant this in a more generic sense. Anyone can submit something to the CVE database.
I think so, but I wanted to make sure we don't minimize reality.
On which condition should we worry or not on this particular issue?
(OpenVPN implementation on RouterOS not able to check the validity of a server cert)
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Vulnerability CVE-2018-5390

Mon Aug 20, 2018 9:26 pm

On which condition should we worry or not on this particular issue?
Not worry when kernel version is below 4.9
 
DotTest37
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: Vulnerability CVE-2018-5390

Tue Aug 21, 2018 12:59 am

On which condition should we worry or not on this particular issue?
Not worry when kernel version is below 4.9
I'm confused. So, should we worry about this vulnerability, or not?
If so, in which scenarios?
 
NathanA
Forum Veteran
Posts: 801
Joined: Tue Aug 03, 2004 9:01 am

Re: Vulnerability CVE-2018-5390  [SOLVED]

Tue Aug 21, 2018 1:15 am

DotTest37, go read the CVE. You are getting worked up over nothing. The published CVE has nothing to do with OpenVPN or SSTP security vulnerabilities. It has to do with possible DoS to a host via certain crafted TCP packets, not privilege escalation, not cert/data leakage, etc.

The "bug" (sounds more like a design flaw, but whatever) only exists in Linux 4.9 and later, up to current versions. Linux 4.9 came out in December 2016. RouterOS is based on Linux 3.3.5, which came out in December 2012. This implementation flaw does not exist in RouterOS, period.

pe1chl and total13 started talking about *hypothetical* other problems that *could* be in RouterOS, basically saying "you never know what security flaws might exist in the software, so as a general rule of thumb, you should carefully craft your firewall rules accordingly." They were just discussing general common-sense security practices after it was established that RouterOS is not vulnerable to this.

-- Nathan
 
DotTest37
Frequent Visitor
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: Vulnerability CVE-2018-5390

Sat Aug 25, 2018 4:52 pm

DotTest37, go read the CVE. You are getting worked up over nothing. The published CVE has nothing to do with OpenVPN or SSTP security vulnerabilities. It has to do with possible DoS to a host via certain crafted TCP packets, not privilege escalation, not cert/data leakage, etc.

The "bug" (sounds more like a design flaw, but whatever) only exists in Linux 4.9 and later, up to current versions. Linux 4.9 came out in December 2016. RouterOS is based on Linux 3.3.5, which came out in December 2012. This implementation flaw does not exist in RouterOS, period.

pe1chl and total13 started talking about *hypothetical* other problems that *could* be in RouterOS, basically saying "you never know what security flaws might exist in the software, so as a general rule of thumb, you should carefully craft your firewall rules accordingly." They were just discussing general common-sense security practices after it was established that RouterOS is not vulnerable to this.

-- Nathan
My apologies, I was replying to the wrong thread.
I had multiple browser tabs at the same time and for whatever reason I was complaining in the wrong place.
My comments were supposed to be for CVE-2018-10066, not this one.
How can we delete my unrelated posts on this thread?
