Hello everyone,
I am interested if Mikrotik RouterOS is affected by CVE-2018-5390, which affects CentOS or RedHat (versions 5,6,7), or on other Linux Kernel version 4.9+.
I see here: https://wiki.mikrotik.com/wiki/Manual:RouterOS_features that RouterOS is based on linux v3.3.5 kernel, so on first glance it is not affected.
Thank you for update!
Re: Vulnerability CVE-2018-5390
We are all waiting for MikroTik to use a 4.9+ kernel!
So far this hasn't happened.
Furthermore this type of vulnerability is not so much of interest for a router.
When you allow untrusted parties to setup TCP connections to your router you a vulnerable for many other reasons, so improve your firewall.
So far this hasn't happened.
Furthermore this type of vulnerability is not so much of interest for a router.
When you allow untrusted parties to setup TCP connections to your router you a vulnerable for many other reasons, so improve your firewall.
Re: Vulnerability CVE-2018-5390
We use Mikrotik for SSTP connectivity from home so for example port 443 is open for connections...
Re: Vulnerability CVE-2018-5390
That certainly is a risk!
Not for the reason mentioned in that CVE but there could certainly be a vulnerability in the SSTP server or the SSL and PPP layers used, and the authentication.
Once it is discovered it could mean your router is open to the world. Just like with the webserver and winbox vulnerabiities found earlier.
That is the fun of today's networking: you never know if you are secure or not, and the software is too complex to know if there are such vulnerabilities.
Not for the reason mentioned in that CVE but there could certainly be a vulnerability in the SSTP server or the SSL and PPP layers used, and the authentication.
Once it is discovered it could mean your router is open to the world. Just like with the webserver and winbox vulnerabiities found earlier.
That is the fun of today's networking: you never know if you are secure or not, and the software is too complex to know if there are such vulnerabilities.
Re: Vulnerability CVE-2018-5390
Maybe filter access to the SSTP serviceWe use Mikrotik for SSTP connectivity from home so for example port 443 is open for connections...
Re: Vulnerability CVE-2018-5390
Just a side note - it is way too easy to create those CVE-2018-xxxx entries.. Anyone stubborn enough can do it, even without any actual knowledge of the subject, i think this should be restricted to companies only, for example MikroTik should do it itself.
Re: Vulnerability CVE-2018-5390
What do you mean by "create those entries"?Just a side note - it is way too easy to create those CVE-2018-xxxx entries.. Anyone stubborn enough can do it, even without any actual knowledge of the subject, i think this should be restricted to companies only, for example MikroTik should do it itself.
Re: Vulnerability CVE-2018-5390
Are you suggesting that this CVE report might be inaccurate or lacking validity?Just a side note - it is way too easy to create those CVE-2018-xxxx entries.. Anyone stubborn enough can do it, even without any actual knowledge of the subject, i think this should be restricted to companies only, for example MikroTik should do it itself.
Perhaps you can share with us how the issue described on that CVE is actually not an issue and the reporting entity was not accurate on the description.
As almost anybody could create a CVE, also almost anybody can step in and prove that is non-important or incorrect, you are welcomed to do so.
In the meantime, I would definitely suggest MIkrotik investigate, as this sounds like an important vulnerability.
And I would also suggest everyone using OpenVPN functionality on RouterOS following up.
We are not talking about a NAT issue, or a High-CPU usage by some process, but a security vulnerability instead, and one the main functions of RouterOS is "Firewalling", so this CVE sounds like something very important, way more than WiFi improvements, Winbox GUI changes, etc.
Re: Vulnerability CVE-2018-5390
I think he meant this in a more generic sense. Anyone can submit something to the CVE database.
Re: Vulnerability CVE-2018-5390
I think so, but I wanted to make sure we dont minimize reality.I think he meant this in a more generic sense. Anyone can submit something to the CVE database.
On which condition should we worry or not on this particular issue?
(OpenVPN implementation on RouterOS not able to check the validity of a server cert)
Re: Vulnerability CVE-2018-5390
Not worry when kernel version is below 4.9On which condition should we worry or not on this particular issue?
Re: Vulnerability CVE-2018-5390
Im confused. So, should we worry about this vulnerability, or not.Not worry when kernel version is below 4.9On which condition should we worry or not on this particular issue?
If so, on which scenarios?
Re: Vulnerability CVE-2018-5390 [SOLVED]
DotTest37, go read the CVE. You are getting worked up over nothing. The published CVE has nothing to do with OpenVPN or SSTP security vulnerabilities. It has to do with possible DoS to a host via certain crafted TCP packets, not privilege escalation, not cert/data leakage, etc.
The "bug" (sounds more like a design flaw, but whatever) only exists in Linux 4.9 and later, up to current versions. Linux 4.9 came out in December 2016. RouterOS is based on Linux 3.3.5, which came out in December 2012. This implementation flaw does not exist in RouterOS, period.
pe1chl and total13 started talking about *hypothetical* other problems that *could* be in RouterOS, basically saying "you never know what security flaws might exist in the software, so as a general rule of thumb, you should carefully craft your firewall rules accordingly." They were just discussing general common-sense security practices after it was established that RouterOS is not vulnerable to this.
-- Nathan
The "bug" (sounds more like a design flaw, but whatever) only exists in Linux 4.9 and later, up to current versions. Linux 4.9 came out in December 2016. RouterOS is based on Linux 3.3.5, which came out in December 2012. This implementation flaw does not exist in RouterOS, period.
pe1chl and total13 started talking about *hypothetical* other problems that *could* be in RouterOS, basically saying "you never know what security flaws might exist in the software, so as a general rule of thumb, you should carefully craft your firewall rules accordingly." They were just discussing general common-sense security practices after it was established that RouterOS is not vulnerable to this.
-- Nathan
Re: Vulnerability CVE-2018-5390
My apologies, I was replying to the wrong thread.DotTest37, go read the CVE. You are getting worked up over nothing. The published CVE has nothing to do with OpenVPN or SSTP security vulnerabilities. It has to do with possible DoS to a host via certain crafted TCP packets, not privilege escalation, not cert/data leakage, etc.
The "bug" (sounds more like a design flaw, but whatever) only exists in Linux 4.9 and later, up to current versions. Linux 4.9 came out in December 2016. RouterOS is based on Linux 3.3.5, which came out in December 2012. This implementation flaw does not exist in RouterOS, period.
pe1chl and total13 started talking about *hypothetical* other problems that *could* be in RouterOS, basically saying "you never know what security flaws might exist in the software, so as a general rule of thumb, you should carefully craft your firewall rules accordingly." They were just discussing general common-sense security practices after it was established that RouterOS is not vulnerable to this.
-- Nathan
I had multiple browser tabs at the same time and for whatever reason I was complaining in the wrong place.
My comments were supposed to be for CVE-2018-10066, not this one.
How can we delete my unrelated posts on this thread?
Who is online
Users browsing this forum: alibloke and 108 guests