Community discussions

 
dynek
Member Candidate
Topic Author
Posts: 187
Joined: Tue Jan 21, 2014 10:03 pm

UKNOF 43 CVE

Wed Mar 27, 2019 4:08 pm

Hey,

Just discovered: https://indico.uknof.org.uk/event/46/contributions/667/
During some research which found CVE-2018-19298 (MikroTik IPv6 Neighbor Discovery Protocol exhaustion), I uncovered a larger problem with MikroTik RouterOS’s handling of IPv6 packets. This led to CVE-2018-19299, an unpublished and as yet unfixed (despite almost one year elapsing since vendor acknowledgement) vulnerability in RouterOS which allows for remote, unauthenticated denial of service. Unpublished… until UKNOF 43!
Any comment, Mikrotik? :-)

Thanks
 
bigcw
Member Candidate
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 1:43 pm

I've been talking to Marek (the presenter) this morning. In a nutshell, if you run v6 on a public-facing interface, you're f***ed come 9th April. Every script kiddie out there can remotely crash your router, and do it over and over again. The only solution is to disable ipv6, not even firewalling will help here.

Mikrotik: I hope you have every developer you have available working on a fix for this. The consequences of you not having a patch in time for the 9th do not bear thinking about.
Ecom International Network - Operators of AS61337 with POPs in Europe and North America - www.ecomltd.co.uk
Colocker Data Centre - The data centre with a difference! - www.colocker.com
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Thu Mar 28, 2019 1:50 pm

We are aware of this issue and are working on it.
No answer to your question? How to write posts
 
bigcw
Member Candidate
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 2:07 pm

I am not convinced that your statement is acceptable, Normis. This is a serious issue that could destroy many businesses and cost millions. Given the gravity of the situation, I would expect at the very least:

1. Reassurance that you are taking the matter seriously (unlike the past year where it has been ignored)
2. A statement to the effect that you are putting every bit of development effort available to you towards identifying the source of this problem
3. A guarantee that a fix will be available in good time before this knowledge is made public

I look forward to your response.
Ecom International Network - Operators of AS61337 with POPs in Europe and North America - www.ecomltd.co.uk
Colocker Data Centre - The data centre with a difference! - www.colocker.com
 
dynek
Member Candidate
Topic Author
Posts: 187
Joined: Tue Jan 21, 2014 10:03 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 2:18 pm

…and sadly @mikrotik_com continue to stonewall me saying this remote unauthenticated denial of service is a “bug” not a “security vulnerability” — which is probably why they haven’t prioritised it for the last 50 weeks.
https://twitter.com/maznu
 
bigcw
Member Candidate
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 2:26 pm

…and sadly @mikrotik_com continue to stonewall me saying this remote unauthenticated denial of service is a “bug” not a “security vulnerability” — which is probably why they haven’t prioritised it for the last 50 weeks.
https://twitter.com/maznu
My point exactly. Marek was kind enough to show me a video demonstrating the problem (I promised I would not share otherwise I would post here). It is very much as bad as it sounds. Why are you not taking responsibility, Mikrotik?
Ecom International Network - Operators of AS61337 with POPs in Europe and North America - www.ecomltd.co.uk
Colocker Data Centre - The data centre with a difference! - www.colocker.com
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: UKNOF 43 CVE

Thu Mar 28, 2019 3:28 pm

I highly recommend MikroTik look into implementing something like the Safe 4.5 Lean-Agile framework for their company. It will help to get a handle on the continuous release cycle that is their type of company. This is a business process for how to organize, coordinate, and manage simultaneous hardware and software releases.
 
jamesmck
just joined
Posts: 1
Joined: Thu Jan 31, 2019 3:14 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 6:14 pm

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
 
highonsnow
newbie
Posts: 34
Joined: Fri Oct 19, 2007 3:30 am

Re: UKNOF 43 CVE

Thu Mar 28, 2019 6:34 pm

This is going to need every possible resource. Don't let this one slide guys.
 
jrpaz
Frequent Visitor
Posts: 76
Joined: Wed Jun 05, 2013 5:54 am

Re: UKNOF 43 CVE

Thu Mar 28, 2019 7:12 pm

The fix is in v7 guys c'mon
 
honzam
Forum Guru
Posts: 2274
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: UKNOF 43 CVE

Thu Mar 28, 2019 7:28 pm

We are aware of this issue and are working on it.
No info on blog.mikrotik.com
Will the patch be released this week?
LAN, FTTx, Wireless. ISP operator
 
sebastia
Forum Guru
Posts: 1589
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: UKNOF 43 CVE

Thu Mar 28, 2019 7:59 pm

So far, Mikrotik communicated on the blog after the release of a fix.
 
adhielesmana
Trainer
Posts: 23
Joined: Tue Aug 25, 2009 11:01 am
Location: Monrovia, Liberia

Re: UKNOF 43 CVE

Thu Mar 28, 2019 8:29 pm

Oh Shi'''t, my whole ISP core network & CPE run public IPv6 with MikroTik.
No choice, I have to disable my IPv6 then
 
storp
newbie
Posts: 47
Joined: Tue Nov 24, 2015 2:53 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 8:36 pm

We are aware of this issue and are working on it.
You might need to put in some overtime hours to get this fixed! ;) Free pizza to the programmers is always a recipe for success :)

To be serious, I really hope there will be a fix out in time. Personally I can just disable IPv6 but for many that isn't an option.
 
neutronlaser
Member Candidate
Posts: 193
Joined: Thu Jan 18, 2018 5:18 pm

Re: UKNOF 43 CVE

Thu Mar 28, 2019 8:58 pm

I've been talking to Marek (the presenter) this morning. In a nutshell, if you run v6 on a public-facing interface, you're f***ed come 9th April. Every script kiddie out there can remotely crash your router, and do it over and over again. The only solution is to disable ipv6, not even firewalling will help here.

Mikrotik: I hope you have every developer you have available working on a fix for this. The consequences of you not having a patch in time for the 9th do not bear thinking about.
No foul language please
 
TomjNorthIdaho
Forum Veteran
Posts: 970
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: UKNOF 43 CVE

Thu Mar 28, 2019 10:08 pm

Would somebody please post some additional information about this.
I need to understand what is the problem, the potential impact and what vulnerabilities are possible.
Where can I find information to read/learn about this?

North Idaho Tom Jones
 
highonsnow
newbie
Posts: 34
Joined: Fri Oct 19, 2007 3:30 am

Re: UKNOF 43 CVE

Thu Mar 28, 2019 11:46 pm

We've dropped IPv6 transit across our whole ISP network until this is resolved. Outrageous.
 
cmurrayis
Frequent Visitor
Posts: 97
Joined: Fri May 15, 2009 4:31 am

Re: UKNOF 43 CVE

Fri Mar 29, 2019 1:21 am

No Choice - IPv6 Peers disabled.
 
fredyz
just joined
Posts: 6
Joined: Wed Jun 13, 2018 7:07 pm

Re: UKNOF 43 CVE

Fri Mar 29, 2019 1:31 am

That's normal standard from Mikrotik when they are faced with a problem to resolve and they have no idea. They shoot the messenger, they don't like, they refuse to take the responsibility and probably they believe they have no obligation to give any reasonable satisfaction to their public. They might think they may only do that "if they feel like". It is their culture, they never change and as more people bring issues both with the product and with their culture more "ego-hurted" they become.

That explains well this type of statement you could read, kind of: "We are aware of this but we are not giving you any satisfaction, any timeframes, any workaround or any information it may be useful to you in the meantime because we don't feel that necessary and we are bothered to deal with this".

It's a total lack of organization and care, that is not from now, but for quite a while and seems to come from the top.
I am not convinced that your statement is acceptable, Normis. This is a serious issue that could destroy many businesses and cost millions. Given the gravity of the situation, I would expect at the very least:

1. Reassurance that you are taking the matter seriously (unlike the past year where it has been ignored)
2. A statement to the effect that you are putting every bit of development effort available to you towards identifying the source of this problem
3. A guarantee that a fix will be available in good time before this knowledge is made public

I look forward to your response.
 
TomjNorthIdaho
Forum Veteran
Posts: 970
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: UKNOF 43 CVE

Fri Mar 29, 2019 1:44 am

Hey , come on now … Please - let's not be negative about/to Mikrotik

I'm sure that Mikrotik will release an upgrade to resolve this IPv6 issue (hopefully in time).
Mikrotik is the cost-effective solution for smaller-Carrier-Grade ISPs and businesses.

I for one - welcome any information that helps me operate my ISP business.

North Idaho Tom Jones
 
shanecaznet
just joined
Posts: 14
Joined: Thu Jul 13, 2017 10:52 am

Re: UKNOF 43 CVE

Fri Mar 29, 2019 4:33 am

We are aware of this issue and are working on it.
Oh... good.... only a year late.

I can live with what I consider a priority and what Mikrotik considers a priority not aligning (read: multi threaded BGP etc). However, I cannot live with a known security problem being ignored for so long.

Security should always be number 1, above all else, no exceptions.

This may be the final straw. Time to start researching other products.
 
jimmer
just joined
Posts: 2
Joined: Wed Mar 06, 2019 10:06 am

Re: UKNOF 43 CVE

Fri Mar 29, 2019 5:36 am

The fact that a bug that's now a year old, a critical bug no less, is being taken so casually by Mikrotik has me concerned with my investment in the products. I, like many others here, will be looking at alternative platforms should it not be fixed within the next few days; turning off IPv6 is not a mitigation option for us. A resolution to this issue should have the priority it deserves or at the very least a filter to mitigate the denial of service that this issue could impose.
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 8:28 am

Would somebody please post some additional information about this.
I need to understand what is the problem, the potential impact and what vulnerabilities are possible.
Where can I find information to read/learn about this?
MikroTik acknowledged this issue on 2018-04-20.

To learn more about it: I am presenting at UKNOF 43 on 2019-04-09 (April 9th), and there will be a live stream.

MikroTik support was made aware of my intention to speak at UKNOF on 2019-03-04, which is when UKNOF accepted my talk. This gave MikroTik over a month of notice that I intended to discuss these issues.

Since 2019-03-04 I have told MikroTik that I believe there is exploitation in the wild already, and that they should reprioritise their efforts to fix this.

I am not aware of any workarounds or mitigations any of us can use.

Despite my repeated pleas for this to be treated as a security issue, everyone I have interacted with at MikroTik says the same. Even normis has stated it is not a "vulnerability" in MikroTik's eyes — it is just a "bug".
Last edited by maznu on Fri Mar 29, 2019 9:51 am, edited 1 time in total.
Marek
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:26 am

That's normal standard from Mikrotik when they are faced with a problem to resolve
That is not true at all! We have always reacted to issues quickly, all the previous vulnerabilities have been fixed within hours or days time.

Even in this case, we did reproduce and acknowledge the issue. In this case though, the cause is very low level and is not simple to fix. The person who submitted it, has given a publication date. We have therefore a target date before which the issue must be fixed. In fact, most CVE reports have a release date set, before which the software company can fix the issue. The date has not yet come to pass.
No answer to your question? How to write posts
 
IPANetEngineer
Trainer
Posts: 985
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:45 am

That's normal standard from Mikrotik when they are faced with a problem to resolve
That is not true at all! We have always reacted to issues quickly, all the previous vulnerabilities have been fixed within hours or days time.

Even in this case, we did reproduce and acknowledge the issue. In this case though, the cause is very low level and is not simple to fix. The person who submitted it, has given a publication date. We have therefore a target date before which the issue must be fixed. In fact, most CVE reports have a release date set, before which the software company can fix the issue. The date has not yet come to pass.
Thanks for the update Normis. Since you mentioned in the other thread this is a kernel issue and very difficult to patch, do you expect there to be a fix within the next 10 days?
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
 
thobias
just joined
Posts: 22
Joined: Thu Nov 30, 2017 8:45 pm

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:53 am

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
I also would like to know this.
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:56 am

We aim to fix the issue before the mentioned publication date.
No answer to your question? How to write posts
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:57 am

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
I also would like to know this.
If you cannot route IPv6 packets, you should be safe.
Marek
 
vecernik87
Long time Member
Posts: 640
Joined: Fri Nov 10, 2017 8:19 am

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:58 am

Quote from second thread:
Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.
Is that v7 announcement? :D Hurray!
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 9:58 am

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
I also would like to know this.
Even if you haven't configured it, you still have a link-local address. An attacker in your network can target that address.
No answer to your question? How to write posts
 
IPANetEngineer
Trainer
Posts: 985
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: UKNOF 43 CVE

Fri Mar 29, 2019 10:01 am

Would somebody please post some additional information about this.
I need to understand what is the problem, the potential impact and what vulnerabilities are possible.
Where can I find information to read/learn about this?
I am not aware of any workarounds or mitigations any of us can use.
I believe I saw you comment that this can't be mitigated in MikroTik at Layer 3.

What about using a MikroTik router at Layer 2 (or a non-MikroTik) inline in bridge mode before the Internet connection and using the firewall to filter out whatever is in the crafted packet that creates the issue? I'm assuming something is getting set in the header to cause this which means we ought to be able to apply the same types of techniques that are used to detect and mitigate zero day attacks by WAFs, DDoS filters, L7 firewalls, etc. Even if a non-MikroTik solution is required until the patch is released.
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 10:02 am

We aim to fix the issue before the mentioned publication date.
That is very welcome news, normis.

If you or your developers wish to contact me privately for any further information, you've got my email address.

Good luck!
Marek
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 10:05 am

I believe I saw you comment that this can't be mitigated in MikroTik at Layer 3.

What about using a MikroTik router at Layer 2 (or a non-MikroTik) inline in bridge mode before the Internet connection and using the firewall to filter out whatever is in the crafted packet that creates the issue? I'm assuming something is getting set in the header to cause this which means we ought to be able to apply the same types of techniques that are used to detect and mitigate zero day attacks by WAFs, DDoS filters, L7 firewalls, etc. Even if a non-MikroTik solution is required until the patch is released.
I do not believe that this approach will be useful to mitigate the problem.

Sorry, you will have to wait for disclosure at UKNOF 43 for full technical details.
Marek
 
thobias
just joined
Posts: 22
Joined: Thu Nov 30, 2017 8:45 pm

Re: UKNOF 43 CVE

Fri Mar 29, 2019 10:20 am

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
I also would like to know this.
Even if you haven't configured it, you still have a link-local address. An attacker in your network can target that address.
Would below be enough to mitigate it?
>ipv6 export
>/ipv6 nd
>set [ find default=yes ] disabled=yes
>/ipv6 settings
>set accept-redirects=no accept-router-advertisements=no forward=no
and then remove all addresses from ipv6->addresses?
I would like to not have to disable the package and reboot until a fix is released and tested for a while.
 
eben
Member
Posts: 479
Joined: Mon Feb 16, 2009 8:37 pm
Location: Somerset West, South Africa

Re: UKNOF 43 CVE

Fri Mar 29, 2019 10:52 am

That's normal standard from Mikrotik when they are faced with a problem to resolve
That is not true at all! We have always reacted to issues quickly, all the previous vulnerabilities have been fixed within hours or days time.

Even in this case, we did reproduce and acknowledge the issue. In this case though, the cause is very low level and is not simple to fix. The person who submitted it, has given a publication date. We have therefore a target date before which the issue must be fixed. In fact, most CVE reports have a release date set, before which the software company can fix the issue. The date has not yet come to pass.
You've had close to a year to work on a fix...

The matter was reported to you last year but from what I am seeing, you did not do much about it and it's only since the threat of Mikrotik being "outed" on a live stream that can be seen around the world, that you are doing something about it.

What if some kid who can't get a date on a Saturday night figures this out by himself and starts letting his or her script loose before 9 April, "just because they can" ?

This is a very serious issue that needs to be addressed as a matter of urgency. There are ISPs out there with tens of thousands of routers that need to be patched. It takes us between a week and 10 days to roll a RouterOS update out over our network. We have less than 10,000 customers. How is a company with 50,000 hAPs in the field going to do this within the time frame?

On 2 April I have two choices:

Either roll out a patch, or

/sy package print
/sy package disable ipv6
/sy reb
y

I run what could very well be the largest IPv6 network in South Africa. Disabling IPv6 would be very unfortunate. We're already not using Mikrotik for new wireless installations. It would be sad if we also stopped using Mikrotik for routing.
 
macgaiver
Forum Guru
Posts: 1716
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: UKNOF 43 CVE

Fri Mar 29, 2019 12:15 pm


You've had close to a year to work on a fix...
If you take a look at the original post, there is a link and a quote.
From what I understand, the original CVE was not considered a vulnerability until the 2nd one came along. And details of that will be revealed on the given date.
So all this "close to year" shouting is overestimation. So I suggest to keep calm and wait for release, as MikroTik admitted 2nd CVE as vulnerability.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 12:19 pm

So all this "close to year" shouting is overestimation. So I suggest to keep calm and wait for release, as MikroTik admitted 2nd CVE as vulnerability.
Second "bug" was acknowledged by MikroTik on 2018-04-20.
Marek
 
Dude2048
Frequent Visitor
Posts: 52
Joined: Thu Sep 01, 2016 4:04 pm

Re: UKNOF 43 CVE

Fri Mar 29, 2019 12:47 pm

Quote from second thread:
Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.
Is that v7 announcement? :D Hurray!
You have made my day!
 
the.max
just joined
Posts: 9
Joined: Sun Apr 01, 2007 3:47 pm
Location: Czech Republic, Bilina

Re: UKNOF 43 CVE

Fri Mar 29, 2019 12:58 pm

The fix is in v7 guys c'mon
Ros 7 is like the Yeti or Mrs. Colombo. Everyone talks about it, but nobody has ever seen it.
Gentoo linux
 
mkx
Forum Guru
Posts: 2468
Joined: Thu Mar 03, 2016 10:23 pm

Re: UKNOF 43 CVE

Fri Mar 29, 2019 1:14 pm

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues.

Hopefully fix will land in other (stable and long term) branches shortly.
BR,
Metod
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 1:35 pm

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues.

Hopefully fix will land in other (stable and long term) branches shortly.
CVE-2018-19299 is not fixed in 6.45beta22, I am afraid.
Marek
 
sebastia
Forum Guru
Posts: 1589
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: UKNOF 43 CVE

Fri Mar 29, 2019 2:16 pm

Hey maznu

Would you mind posting a link to your presentation / video on this forum once it's presented?
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 2:17 pm

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues.

Hopefully fix will land in other (stable and long term) branches shortly.
CVE-2018-19299 is not fixed in 6.45beta22, I am afraid.
Please clarify
No answer to your question? How to write posts
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:00 pm

For everyone here, I wanted to clarify, that to my best knowledge, the author of the CVE has not contacted MikroTik and we are in the dark as to what he plans to publish.
No answer to your question? How to write posts
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:00 pm

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues.

Hopefully fix will land in other (stable and long term) branches shortly.
CVE-2018-19299 is not fixed in 6.45beta22, I am afraid.
Please clarify

https://www.youtube.com/watch?v=TzC-JVjMK8k

And if you need a diagram of the lab:

https://twitter.com/maznu/status/1111589812111319041

You already know the commands I'm running to launch the attack, because I supplied them to you in emails on 2018-04-17.
Last edited by maznu on Fri Mar 29, 2019 3:05 pm, edited 1 time in total.
Marek
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:03 pm

For everyone here, I wanted to clarify, that to my best knowledge, the author of the CVE has not contacted MikroTik and we are in the dark as to what he plans to publish.
There has been plenty of communications on this matter, normis. The most recent, specifically about what I plan to publish, was an email in Ticket#2018040822000592 on 2019-03-04, which Martins S subsequently replied to saying that you had no update:
The UK Network Operators' Forum has accepted my talk about this subject: "Scanning IPv6 Address Space… and the remote vulnerabilities it uncovers"

https://indico.uknof.org.uk/event/46/co ... s/speakers

I shall be discussing IPv6 neighbor discovery exhaustion, and also how RouterOS will crash when routing IPv6 packets, i.e. both vulnerabilities I have disclosed to MikroTik in April 2018, currently unpublished as CVE-2018-19298 and CVE-2018-19299.

Do you think that MikroTik will have an update about these vulnerabilities that I can include in my presentation on April 9th?
I would be more than happy to send you my slides… just drop me an email. It's on the ticket.
Last edited by maznu on Fri Mar 29, 2019 3:06 pm, edited 1 time in total.
Marek
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:06 pm

We fixed the crashes that were reported to us. You said, we have not fixed "The CVE". I don't know what you will publish in the CVE. You have only provided a video that doesn't help at all. If you can reproduce an issue that we can't reproduce, please email support and describe the method you used now, after beta 22.
No answer to your question? How to write posts
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:09 pm

We fixed the crashes that were reported to us. You said, we have not fixed "The CVE". I don't know what you will publish in the CVE. You have only provided a video that doesn't help at all.
The CVE, CVE-2018-19299, was communicated to you in October 2018. It is literally just the number that MITRE assigned when I registered two CVEs for two separate issues:

CVE-2018-19298 = NDP exhaustion
CVE-2018-19299 = IPv6 routing exhaustion

You know the details. They're on your own tickets. The commands you need to run to trigger the exploit were given to you last year.

Let's stop playing this out in public. Drop me an email. I actually want you to fix this, not turn it into a pantomime, please.
Marek
 
normis
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:19 pm

This version fixes:
1) Soft lockup when IPv6 router is forwarding IPv6 packets;
2) Soft lockup when the router is forwarding packets to a local network (directly connected) due to large IPv6 Neighbor table.

We are still working on improvements for IPv6 Neighbor table processing in userspace which can lead up to OOM condition.
Since CVE details are not yet published, we did assume that CVE targets software lockup (#2) which we did fix in this release.
No answer to your question? How to write posts
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Mar 29, 2019 3:23 pm

This version fixes:
1) Soft lockup when IPv6 router is forwarding IPv6 packets;
2) Soft lockup when the router is forwarding packets to a local network (directly connected) due to large IPv6 Neighbor table.

We are still working on improvements for IPv6 Neighbor table processing in userspace which can lead up to OOM condition.
Since CVE details are not yet published, we did assume that CVE targets software lockup (#2) which we did fix in this release.
I've sent through all the details in a new ticket, Ticket#2019032922005182, which I hope includes all the information you need collated into one place.

I'm very glad you've prioritised this issue with your development team, and I look forward to testing releases that address the problem soon.
Marek
