
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: UKNOF 43 CVE

Fri Apr 05, 2019 1:35 pm

I have done several tests with GNS3 using CHR 6.44.2 (stable) and as long as the router has enough memory, it doesn't crash. In my tests, the attack 'steals' around 180 MiB.

Using a CHR with 256 MB, system resources shows a total memory of 224 MiB and free memory of 197 MiB before the attack. During the attack, from only one computer, the free memory decreases to around 20 MiB and sometimes to 13 MiB. Using two attackers, the results seem to be the same and not worse.

With 200 MB the router reboots because of OOM.
I had a response from MikroTik earlier saying: "Next beta will have further improvements."

Fingers crossed, everyone…
Marek
 
marlow
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: UKNOF 43 CVE

Fri Apr 05, 2019 2:09 pm


This is far from over.

Please refer to ticket 2019040422005244 and advise.
I'm hearing reports that this isn't fixed on routers with 64Mb or less of RAM. Is your ticket about this, eben? Or something else? :-|
I've tried installing 6.44.2 on about 50 hAP Lites using manual update, Dude update, Winbox update, and command-line update via PuTTY.

Fail on all fronts.

There isn't enough memory / storage for the update.
Eben: you are aware that you can pull the "all_packages.zip" file, upload only the modules you need, and upgrade?

Installing everything is not always an advantage, and this is not the first time in the lifetime of RouterOS that this has been an issue (example: RB112 and 113c for ROS3 and upwards).

/M


Communication is the beginning of understanding
-- AT&T
 
eben
Member
Posts: 479
Joined: Mon Feb 16, 2009 8:37 pm
Location: Somerset West, South Africa

Re: UKNOF 43 CVE

Fri Apr 05, 2019 2:31 pm

This is far from over.

Please refer to ticket 2019040422005244 and advise.
I'm hearing reports that this isn't fixed on routers with 64Mb or less of RAM. Is your ticket about this, eben? Or something else? :-|
I've tried installing 6.44.2 on about 50 hAP Lites using manual update, Dude update, Winbox update, and command-line update via PuTTY.

Fail on all fronts.

There isn't enough memory / storage for the update.
Eben: you are aware that you can pull the "all_packages.zip" file, upload only the modules you need, and upgrade?

Installing everything is not always an advantage, and this is not the first time in the lifetime of RouterOS that this has been an issue (example: RB112 and 113c for ROS3 and upwards).

/M
We can do package by package, not on a couple of thousand routers in three days.
 
Hammy
Forum Veteran
Posts: 730
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Re: UKNOF 43 CVE

Fri Apr 05, 2019 2:33 pm

This is far from over.

Please refer to ticket 2019040422005244 and advise.
I'm hearing reports that this isn't fixed on routers with 64Mb or less of RAM. Is your ticket about this, eben? Or something else? :-|
I've tried installing 6.44.2 on about 50 hAP Lites using manual update, Dude update, Winbox update, and command-line update via PuTTY.

Fail on all fronts.

There isn't enough memory / storage for the update.
Eben: you are aware that you can pull the "all_packages.zip" file, upload only the modules you need, and upgrade?

Installing everything is not always an advantage, and this is not the first time in the lifetime of RouterOS that this has been an issue (example: RB112 and 113c for ROS3 and upwards).

/M
We can do package by package, not on a couple of thousand routers in three days.
https://unimus.net/blog/network-wide-mi ... grade.html
-----
Mike Hammett

The Brothers WISP
 
eben
Member
Posts: 479
Joined: Mon Feb 16, 2009 8:37 pm
Location: Somerset West, South Africa

Re: UKNOF 43 CVE

Fri Apr 05, 2019 3:25 pm

Can it do package by package, or just platform by platform?
 
Hammy
Forum Veteran
Posts: 730
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Re: UKNOF 43 CVE

Fri Apr 05, 2019 3:29 pm

Can it do package by package, or just platform by platform?
On the master ROS install, just have only the packages you do want.
-----
Mike Hammett

The Brothers WISP
 
pe1chl
Forum Guru
Posts: 5566
Joined: Mon Jun 08, 2015 12:09 pm

Re: UKNOF 43 CVE

Fri Apr 05, 2019 3:54 pm

If I understood correctly, pe1chl, the capturing of outward addresses is done at the connection=new level, but the dropping of packets has to be done before connection tracking to prevent the routing machinery from engaging, so the dropping has to happen at the packet level in raw...
Correct!
 
sebastia
Forum Guru
Posts: 1700
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: UKNOF 43 CVE

Fri Apr 05, 2019 5:17 pm

In such a form, it does introduce another potential issue: connections lasting longer than the "timeout" can be impacted, as their packets will get dropped for IPv6 hosts implementing privacy features, which change their IPv6 address after a while.
Something to keep in mind.
 
pe1chl
Forum Guru
Posts: 5566
Joined: Mon Jun 08, 2015 12:09 pm

Re: UKNOF 43 CVE

Fri Apr 05, 2019 9:10 pm

Well, to be more precise, I add the entry for outgoing traffic AND src address not in list.
So an existing connection will survive as long as it has at least some outgoing traffic.
Besides, with the type of usage we have, an interrupted connection that has been sitting idle usually goes unnoticed.
(mostly phones, tablets and laptops used for web surfing)
 
marlow
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: UKNOF 43 CVE

Fri Apr 05, 2019 10:51 pm

We can do package by package, not on a couple of thousand routers in three days.

I don't know how you get the idea of package by package. You upload the needed packages. The bare minimum. Reboot. It installs all the npk files in one go.

It's no different than uploading the combined package. Just multiple files instead.

/M
Communication is the beginning of understanding
-- AT&T
 
tdw
Member Candidate
Posts: 173
Joined: Sat May 05, 2018 11:55 am

Re: UKNOF 43 CVE

Sat Apr 06, 2019 12:37 am

Yes, externally initiated IPv6 traffic to random addresses is disallowed. I added this when NDP exhaustion attacks were discussed.
Due to the address list, only systems that have initiated outbound traffic (within the last 8 hours), plus a number of addresses of servers put in the address list as static entries, are allowed inbound.

But I had this rule in the /ipv6 firewall filter chain=forward list, which should be fine to prevent NDP exhaustion attacks but apparently is not enough for the route cache table overflow attack, so I moved it to /ipv6 firewall raw chain=prerouting list.
Of course there also is a rule in /ipv6 firewall filter chain=forward that adds the src address to the list (with 8 hour timeout) for new outbound traffic.
@pe1chl - having moved your rule from chain=forward to chain=prerouting, do you add your WAN address to the list too (as chain=prerouting will affect input as well as forward traffic), or does your router not provide any external services?
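The mechanism tdw and pe1chl describe (learn internal sources in chain=forward with an 8 hour timeout, drop inbound to unlisted destinations in raw chain=prerouting, and keep the router's own WAN address plus public servers as static entries) written out as a RouterOS firewall configuration. This is an added example, not configuration posted by anyone in the thread. The interface names `ether1-wan` and `bridge-lan`, the list name `ipv6-allowed`, and the `2001:db8::/32` documentation addresses are assumptions; the two link-local/multicast accept rules are an addition the thread does not spell out, included so that NDP and router advertisements from the upstream link keep working once the drop sits in prerouting.

```routeros
# Added example, not from the thread. Assumed names: WAN interface ether1-wan,
# LAN bridge bridge-lan, address list ipv6-allowed. All addresses below are
# placeholders from the 2001:db8::/32 documentation prefix.

# 1. Static entries. The router's own WAN-facing address is required because a
#    raw prerouting drop sees input traffic as well as forward traffic (tdw's
#    point). Servers that must be reachable without prior outbound traffic
#    (pe1chl's web and mail server case) go here too.
/ipv6 firewall address-list
add list=ipv6-allowed address=2001:db8:0:1::2/128 comment="router WAN address (placeholder)"
add list=ipv6-allowed address=2001:db8:0:10::25/128 comment="mail server (placeholder)"
add list=ipv6-allowed address=2001:db8:0:10::80/128 comment="web server (placeholder)"

# 2. Learning rule in chain=forward. pe1chl's variant: add the source only when
#    it is not yet listed, so the 8h timer is not refreshed by idle keepalives.
#    add-src-to-address-list is non-terminating; later filter rules still run.
#    Caveat from the thread (sebastia): hosts using privacy extensions rotate
#    their address, so a long-lived connection may outlive its list entry.
/ipv6 firewall filter
add chain=forward in-interface=bridge-lan out-interface=ether1-wan \
    src-address-list=!ipv6-allowed \
    action=add-src-to-address-list address-list=ipv6-allowed \
    address-list-timeout=8h comment="learn internal hosts that talk outbound"

# 3. Drop in raw chain=prerouting, i.e. before connection tracking and routing,
#    so packets to never-seen destinations do not populate the route cache.
#    Link-local and multicast destinations are accepted first so that NDP and
#    RA exchanges with the upstream router are not caught by the drop.
/ipv6 firewall raw
add chain=prerouting in-interface=ether1-wan dst-address=fe80::/10 \
    action=accept comment="keep link-local (NDP) with upstream working"
add chain=prerouting in-interface=ether1-wan dst-address=ff00::/8 \
    action=accept comment="keep multicast (RA, NS to solicited-node) working"
add chain=prerouting in-interface=ether1-wan dst-address-list=!ipv6-allowed \
    action=drop comment="drop inbound to addresses not learned or static"
```

Operational check: because the list is populated by inside hosts, its size is the thing to watch. `/ipv6 firewall address-list print count-only where list=ipv6-allowed` gives the current entry count, and a sudden jump from a single LAN segment is the signal that the "local user fills the list" scenario pe1chl mentions later in the thread is happening, rather than normal client churn.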
 
pe1chl
Forum Guru
Posts: 5566
Joined: Mon Jun 08, 2015 12:09 pm

Re: UKNOF 43 CVE

Sat Apr 06, 2019 1:27 am

@pe1chl - having moved your rule from chain=forward to chain=prerouting do you add your WAN address to the list too (as chain=prerouting will affect input as well as forward traffic), or does your router not provide any external services?
We have no external IPv6 service on the router but indeed if you have, you should add it as a static entry.
(we do have that for a web- and a mailserver)

Edit: actually the mechanism is a little more complicated than I described, which makes listing the router's own address unnecessary in my case, but if implemented as I described it certainly is required to add the router's address as used on the link to the ISP.
Last edited by pe1chl on Sat Apr 06, 2019 12:28 pm, edited 1 time in total.
 
eben
Member
Posts: 479
Joined: Mon Feb 16, 2009 8:37 pm
Location: Somerset West, South Africa

Re: UKNOF 43 CVE

Sat Apr 06, 2019 8:49 am

We can do package by package, not on a couple of thousand routers in three days.

I don't know, how you get the idea of package by package. You upload the needed packages. The bare minimum. Reboot. It installs all the npk files in one go.

It's no different than uploading the combined package. Just multiple files instead.

/M
We tested this on three routers during the night. It works - just, but there's no way we'll be able to finish within the time constraints.
 
Hammy
Forum Veteran
Posts: 730
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Re: UKNOF 43 CVE

Sat Apr 06, 2019 8:55 am

We can do package by package, not on a couple of thousand routers in three days.

I don't know, how you get the idea of package by package. You upload the needed packages. The bare minimum. Reboot. It installs all the npk files in one go.

It's no different than uploading the combined package. Just multiple files instead.

/M
We tested this on three routers during the night. It works - just, but there's no way we'll be able to finish within the time constraints.
How do you normally update your routers?
-----
Mike Hammett

The Brothers WISP
 
eben
Member
Posts: 479
Joined: Mon Feb 16, 2009 8:37 pm
Location: Somerset West, South Africa

Re: UKNOF 43 CVE

Sat Apr 06, 2019 9:03 am

How do you normally update your routers?
We have a set of scripts. All non smips routers are done and dusted.
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: UKNOF 43 CVE

Wed Apr 10, 2019 1:45 pm

 
shaoranrch
Member Candidate
Posts: 183
Joined: Thu Feb 13, 2014 8:03 pm

Re: UKNOF 43 CVE

Wed Apr 10, 2019 10:51 pm

It can be firewalled like you say, I posted rules that give you ideas how (and you can tune it to your needs).
But many said that they have legitimate traffic coming from a single source to multiple destinations.
Of course it would still be possible to exploit it from the inside, but frankly I always worry more about exploiting from outside than from inside.
For some time I have had a dynamic address list in IPv6 that contains all internal addresses that have attempted to make outgoing traffic (plus some static servers), and drops all incoming traffic towards addresses not in that list. This drop is now in the forward chain; I will move it to the raw prerouting chain.

Of course this countermeasure generates a new attack surface, where local users are able to fill that address list with 2^64 entries, but as I wrote, I am not so worried that this will happen.
Hi,

I'd like to know about the 2^64 entries. Is this the limit for IPv6 address list entries? I'm guessing the attack you are mentioning is basically producing a DoS, since no more entries can be added to the ADL. If this is the case, where did you get the number? Also, do you happen to know which one it is for IPv4?

Regards,
Rafael Carvallo
Telecommunications Engineer

Need consultation?
Need a hotspot with facebook integration?
Send a PM!

We speak Spanish and serve the Latin American market; visit our website:
http://www.tuproximosalto.com
 
jprietove
Trainer
Posts: 88
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: UKNOF 43 CVE

Wed Apr 10, 2019 11:17 pm

In IPv6 the usual prefix is /64. So a local attack will not be filtered by the rules proposed, and the number of possible hosts is 2^64 because IPv6 addresses are 128-bit numbers.

Sent from my Mi A2 using Tapatalk

 
vmiskos
just joined
Posts: 1
Joined: Mon Jan 26, 2015 4:29 pm

Re: UKNOF 43 CVE

Thu Apr 11, 2019 8:09 pm

For 2 days (since 9 April) all our MikroTik devices with 64Mb RAM have been rebooting continuously after 1 minute and 40-50 seconds. The IPv6 package has been disabled for a long time. RouterOS versions are not the latest, but we have very strong security rules. Is this the same DDoS issue? We are not able to reboot or update firmware since the reboot command is not responding. Any ideas?
 
reiniss2
MikroTik Support
Posts: 47
Joined: Wed Jan 02, 2019 12:14 pm
Location: Latvia

Re: UKNOF 43 CVE

Fri Apr 12, 2019 2:14 pm

For 2 days (since 9 April) all our MikroTik devices with 64Mb RAM have been rebooting continuously after 1 minute and 40-50 seconds. The IPv6 package has been disabled for a long time. RouterOS versions are not the latest, but we have very strong security rules. Is this the same DDoS issue? We are not able to reboot or update firmware since the reboot command is not responding. Any ideas?
If IPv6 was not enabled, then this CVE could not be the reason. Please isolate at least one of the devices which get rebooted, generate a Supout.rif file and send it to support@mikrotik.com, of course, if you have any additional information, provide that too.
 
mrz
MikroTik Support
Posts: 5913
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: UKNOF 43 CVE

Fri Apr 12, 2019 2:48 pm

Anyone who still had problems with small RAMs -> viewtopic.php?f=21&t=146087&p=726299#p726296
 
shaoranrch
Member Candidate
Posts: 183
Joined: Thu Feb 13, 2014 8:03 pm

Re: UKNOF 43 CVE

Fri Apr 12, 2019 4:13 pm

In IPv6 the usual prefix is /64. So a local attack will not be filtered by the rules proposed, and the number of possible hosts is 2^64 because IPv6 addresses are 128-bit numbers.

Sent from my Mi A2 using Tapatalk
Hey,

I still don't quite get it. I do understand that this vector won't be blocked from inside by the proposed rules. What I don't get is why it'll open a new vector.

If I do get what he's doing correctly this is what is happening:

1.- Host A internally initiates traffic towards the outside
2.- Router adds an address list item with Host A local IP
3.- Return traffic comes in and checks dst-address-list looking for the Host A IP address
4.- If it is, the traffic is allowed; if not, it's discarded
5.- Address list entries timeout in 8 hours

What is this attack surface he's talking about? This is what I'm not fully getting.

A.- allowing all the /64 ips in that subnet unrestricted inbound access?
B.- DoS the entire network, because it's not possible to have more than 2^64 addresses in the address-list, so other subnets trying to initiate traffic can't, due to the return traffic getting blocked?

Or am I missing something here?

Regards,
Rafael Carvallo
Telecommunications Engineer

Need consultation?
Need a hotspot with facebook integration?
Send a PM!

We speak Spanish and serve the Latin American market; visit our website:
http://www.tuproximosalto.com
 
pe1chl
Forum Guru
Posts: 5566
Joined: Mon Jun 08, 2015 12:09 pm

Re: UKNOF 43 CVE

Fri Apr 12, 2019 7:13 pm

What is this attack surface he's talking about? this is what I'm not fully getting
The issue is that you can set an outgoing address for your device, send a packet to the outside, and the address will be added to the address list; then you set another address, send a packet, another address is added to the address list, etc. When you repeat this for all 2^64 possible addresses, all the RAM in the router will be used up for this address list.
(of course this happens long before that number of addresses is tried)

This requires a malicious user on the inside, which I consider a much lower risk than an outside user who would scan all the addresses inside your space (which would cause the issue that was described in the CVE).
 
keefe007
Member Candidate
Posts: 124
Joined: Sun Jun 25, 2006 3:01 am

Re: UKNOF 43 CVE

Fri Jun 07, 2019 5:39 pm

What are the symptoms of this issue?
