bigcw
Member Candidate
Topic Author
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 1:57 pm

Yes, really, it's that serious!

It seems there is a bug in ROS that allows a remote attacker to crash any Mikrotik device if they can access it via v6. Even with firewalling you are still a sitting duck. Mikrotik have known about this for a year and have done nothing to fix it.

This information is due to be released to the public at UKNOF on 9th April. Yes, in 12 days anyone with a slight bit of knowledge about networks and a v6-enabled connection will be able to take any Mikrotik device (running v6) offline. No doubt an exploit script will follow soon after.

As a community it is absolutely critical that we push Mikrotik for a solution to this problem as a matter of utmost urgency. The consequences of this getting out into the wild before a fix is available would be disastrous for all of us. Please everyone pay attention and help in making sure Mikrotik understand just how critical this problem is.

There is a thread already running on this (viewtopic.php?f=2&t=147048) but the subject is such that most people will probably skip over it.

UKNOF presentation where this issue will be disclosed in full: https://indico.uknof.org.uk/event/46/contributions/667/
CVE report: https://cve.mitre.org/cgi-bin/cvename.c ... 2018-19299
Ecom International Network - Operators of AS61337 with POPs in Europe and North America - www.ecomltd.co.uk
Colocker Data Centre - The data centre with a difference! - www.colocker.com
 
R1CH
Forum Veteran
Posts: 884
Joined: Sun Oct 01, 2006 11:44 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 2:24 pm

Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?!

This is a completely unacceptable response for a security vulnerability. I think it's time for me to start moving away from RouterOS, either to OpenWRT or a different vendor that cares about security.
 
IPANetEngineer
Trainer
Posts: 1020
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 3:17 pm

This is also a new one for me...will be digging into it
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
 
mkx
Forum Guru
Posts: 2825
Joined: Thu Mar 03, 2016 10:23 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 3:34 pm

Something similar (if not the same) had been already discussed in this forum.
BR,
Metod
 
bigcw
Member Candidate
Topic Author
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 3:37 pm

> This is also a new one for me...will be digging into it
In a nutshell, it's a memory exhaustion issue. You send a v6 packet formed in a certain way (which I assume will be revealed on 9th April) to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.
Ecom International Network - Operators of AS61337 with POPs in Europe and North America - www.ecomltd.co.uk
Colocker Data Centre - The data centre with a difference! - www.colocker.com
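
The symptom described in the post above (free memory leaking away until the router crashes and the watchdog reboots it) can be watched for from the monitoring side. This is an added example, not code from the thread or from MikroTik: it takes polled uptime and free-memory samples (how they are collected is assumed and not shown), flags a sustained decline with an estimated time to exhaustion, and counts reboots that followed a low-memory state. The sample values, thresholds and all names are constructed.

```python
"""Flag a leak-like decline in router free memory and reboots that follow exhaustion."""
from dataclasses import dataclass
from typing import List

MIB = 1024 * 1024

@dataclass
class Sample:
    ts: int          # poll time (seconds)
    uptime: int      # device uptime at poll time (seconds)
    free_bytes: int  # free memory reported by the device

def split_by_reboot(samples: List[Sample]) -> List[List[Sample]]:
    """Start a new run whenever uptime goes backwards, i.e. the device rebooted."""
    runs = [[samples[0]]]
    for prev, cur in zip(samples, samples[1:]):
        if cur.uptime < prev.uptime:
            runs.append([])
        runs[-1].append(cur)
    return runs

def slope_bytes_per_sec(run: List[Sample]) -> float:
    """Least-squares slope of free memory over time; negative means memory is shrinking."""
    n = len(run)
    if n < 2:
        return 0.0
    mean_t = sum(s.ts for s in run) / n
    mean_f = sum(s.free_bytes for s in run) / n
    den = sum((s.ts - mean_t) ** 2 for s in run)
    if den == 0:
        return 0.0
    return sum((s.ts - mean_t) * (s.free_bytes - mean_f) for s in run) / den

def assess(samples: List[Sample], min_points: int = 4,
           leak_slope: float = -1024.0, low_fraction: float = 0.10) -> dict:
    """Thresholds are assumptions: tune them to the device's normal memory churn."""
    if not samples:
        raise ValueError("no samples")
    runs = split_by_reboot(samples)
    current = runs[-1]                      # samples since the most recent reboot
    slope = slope_bytes_per_sec(current)
    leaking = len(current) >= min_points and slope <= leak_slope
    eta = current[-1].free_bytes / -slope if leaking else None
    # A reboot whose last sample was below low_fraction of that run's peak
    # free memory looks like exhaustion followed by a watchdog restart.
    low_mem_reboots = sum(
        1 for run in runs[:-1]
        if run[-1].free_bytes < low_fraction * max(s.free_bytes for s in run)
    )
    return {"reboots": len(runs) - 1, "low_memory_reboots": low_mem_reboots,
            "leaking": leaking, "slope_bytes_per_sec": slope,
            "seconds_to_exhaustion": eta}

def series(start_ts: int, start_uptime: int, free_mib: List[int], step: int = 300):
    """Build constructed samples at a fixed poll interval."""
    return [Sample(start_ts + i * step, start_uptime + i * step, f * MIB)
            for i, f in enumerate(free_mib)]

# Constructed data: one run that drains and reboots, then a new run draining again.
CONSTRUCTED_LEAKING = (series(0, 86400, [200, 160, 120, 80, 40, 10])
                       + series(1800, 60, [200, 190, 180, 170]))
CONSTRUCTED_HEALTHY = series(0, 86400, [200, 200, 201, 200])

if __name__ == "__main__":
    print(assess(CONSTRUCTED_LEAKING))
    print(assess(CONSTRUCTED_HEALTHY))
```
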
 
bigcw
Member Candidate
Topic Author
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 3:42 pm

> Something similar (if not the same) had been already discussed in this forum.
I believe that thread refers to CVE-2018-19298 which is a similar incident. The later one (CVE-2018-19299) is far more sinister.
 
IPANetEngineer
Trainer
Posts: 1020
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 4:07 pm

Even if there is no way to firewall it on a MikroTik, I'm assuming that once we know what is being set in the packet header, it can be mitigated with another solution based on flow detection and dropping the traffic in a switch. That won't work for everyone obviously, but it would work for a lot of the ISP and DC networks I consult on.
 
tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 4:08 pm

Let's hope MikroTik can have a build ready with a fix before the full details of this go public...
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
bigcw
Member Candidate
Topic Author
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 4:19 pm

> Let's hope MikroTik can have a build ready with a fix before the full details of this go public...
That is exactly what we are all hoping for. Unfortunately the silence from Mikrotik does not fill me with confidence that they even understand how bad this problem could turn out.
 
r00t
Member Candidate
Posts: 184
Joined: Tue Nov 28, 2017 2:14 am

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 4:25 pm

> Mikrotik have known about this for a year and have done nothing to fix it.
If this is true, then WTF are they even thinking?!
This only sends all the bad messaging: If you want a bug to be fixed, release it as a zero-day exploit. Doing it the nice and proper way gets you nowhere...
 
sebastia
Forum Guru
Posts: 1775
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 5:01 pm

> Something similar (if not the same) had been already discussed in this forum.
In this thread there are two issues listed: ND cache & routing / stateful connection exhaustion. Which is referred to here?

The first can be mitigated by a stateful firewall, which most end users will use. For non-end-users, address restrictions can help / resolve the issue.
For the second, it wasn't clarified what the actual issue was.
 
timamplex
just joined
Posts: 17
Joined: Tue Feb 23, 2016 4:50 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 5:17 pm

I'd like to add my voice to the Mikrotik community stating this must be addressed before public release.

Tim
 
cantanko
newbie
Posts: 28
Joined: Mon Apr 05, 2010 12:53 am

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 6:23 pm

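```
# Save the current IPv6 configuration so it can be re-imported later
/ipv6 export file=hahahanoipv6foryou.rsc
# Disable the ipv6 package (takes effect after the next reboot)
/system package disable [find name=ipv6]
# Reboot to apply the package change
/system reboot
```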
Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality.

Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I'm a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.
 
jrpaz
Frequent Visitor
Posts: 80
Joined: Wed Jun 05, 2013 5:54 am

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 7:13 pm

> /ipv6 export file=hahahanoipv6foryou.rsc
> /system package disable [find name=ipv6]
> /system reboot
> Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality.
>
> Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I'm a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.
Guess we won't be deploying IPv6 Q2 2019
 
ConnectivityEngineer
Frequent Visitor
Posts: 57
Joined: Sat Dec 19, 2015 10:57 pm
Location: Ohio, USA
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 7:37 pm

Interesting to say the least.

We have quite a number of networks we have deployed IPv6 into.
I always wish when things like this happened I knew more to be able to protect our clients - but of course that is the nature of the beast.

Hoping Mikrotik can patch the issue.

IPArchitects has a decent idea in regards to switch path in front of the routers as a possible solution to help direct traffic.

Time will tell I guess
Glenn Kelley | MCTNA, MTCWE, MTCTCE, RHCE, RHCSS
http://Connectivity.Engineer
USA Based 24x7x365 Mikrotik, Juniper, Ubiquiti TAC & WISP / ISP Blind Label Support Call Center
 
honzam
Forum Guru
Posts: 2286
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 7:39 pm

> Yes, really, it's that serious!
Thanks for info
> Mikrotik have known about this for a year and have done nothing to fix it.
shock for me :shock: :shock: :shock:
LAN, FTTx, Wireless. ISP operator
 
icosasupport
just joined
Posts: 22
Joined: Fri Oct 13, 2017 8:37 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 7:43 pm

Don't worry you can use kid control on your core routers to block them. :P

Seriously though, what is up over @ MT ?
 
neutronlaser
Member Candidate
Posts: 204
Joined: Thu Jan 18, 2018 5:18 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 8:24 pm

IPv6 isn't even out of beta yet, so no worries.
 
anav
Forum Guru
Posts: 2938
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 9:19 pm

Glad I have not even turned on ipv6 packages yet, that link from mkx was back in 2017?? 50 days, how bout 2 years.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
proximus
Member Candidate
Posts: 108
Joined: Tue Oct 04, 2011 1:46 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 10:01 pm

Facts still have to matter. The narrative, response and criticism over this issue has gotten way ahead of the information available. Specially crafted packet / memory exhaustion issues (or any other vulnerability) are nothing new to even the largest network equipment manufacturers. They can be dealt with, and are done so routinely.

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.
 
rua
just joined
Posts: 12
Joined: Fri Aug 01, 2014 8:53 pm
Location: copenhagen, DK

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 10:09 pm

> Facts still have to matter. The narrative, response and criticism over this issue has gotten way ahead of the information available. Specially crafted packet / memory exhaustion issues (or any other vulnerability) are nothing new to even the largest network equipment manufacturers. They can be dealt with, and are done so routinely.
>
> The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.
definitely agree
MTCNA, MTCRE
Copenhagen, Denmark
Consulting, building and managing networks.
 
sep
just joined
Posts: 11
Joined: Thu Nov 28, 2013 2:34 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thu Mar 28, 2019 11:22 pm

This is a total disaster for MikroTik's future if they do not fix it before customer impact. EVERYTHING we have deployed in the last years has IPv6; most are IPv6-only, some dual-stack.
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 12:26 am

> The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.
If the vendor knows about it for over a year and does nothing?
You are actually right: That is irresponsible and unprofessional - from the vendor!
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 1:15 am

Hi,

I'm Marek Isalski.

I've been trying desperately to get MikroTik to resolve this issue since they acknowledged it on 2018-04-20. I know for a fact other people have figured this vulnerability out, and I believe I've seen exploitation of it in the wild in the last 2-4 weeks. MikroTik's response to my belief that there is exploitation going on was along the lines of "let's not jump to conclusions".

I have told MikroTik I am discussing these vulnerabilities at UKNOF — they didn't seem to care because they've repeatedly told me this is "just a bug".

See you all at UKNOF 43 — which has a live web stream.

Good luck, everyone.
Marek
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 1:23 am

> Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality.
>
> Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I'm a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.
My slide deck for UKNOF 43 includes screenshots of me crashing 6.44.1.
Marek
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 1:26 am

> The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.
I have been asking MikroTik for exactly this approach for nearly a year. They will not commit to a date, or even that they have begun work on it. The timeline will be made clear in my talk at UKNOF 43 — which MikroTik were made aware of well in advance.

Additionally I've been working with CERTs and other trusted ops groups to spread the word in advance, and was hoping that the likes of NCSC UK or NCSC NL would be able to mediate between myself and MikroTik as I view responsible disclosure as a priority.

Sadly I also believe there is exploitation in the wild — certainly in the last 2-4 weeks — and have shared this with MikroTik. They continue to view this as a "bug" not a "vulnerability".
Marek
 
neutronlaser
Member Candidate
Posts: 204
Joined: Thu Jan 18, 2018 5:18 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 2:01 am

why r u being so disruptive and trying to break mikrotik?
 
R1CH
Forum Veteran
Posts: 884
Joined: Sun Oct 01, 2006 11:44 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 2:07 am

> why r u being so disruptive and trying to break mikrotik?
That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashing your network and your firewall can't seem to do anything to stop it. They demand $5000 in bitcoin to stop the attack, no one knows how it's happening and Mikrotik can't help so you have to pay before you lose all your customers...

The issue was disclosed privately to Mikrotik 50 weeks ago. It should have been fixed 49 weeks ago, but it seems Mikrotik doesn't prioritize vulnerabilities until they are actively exploited, so here we are.
 
bigcw
Member Candidate
Topic Author
Posts: 105
Joined: Mon Sep 08, 2014 2:38 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 2:24 am

> That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashing your network and your firewall can't seem to do anything to stop it. They demand $5000 in bitcoin to stop the attack, no one knows how it's happening and Mikrotik can't help so you have to pay before you lose all your customers...
>
> The issue was disclosed privately to Mikrotik 50 weeks ago. It should have been fixed 49 weeks ago, but it seems Mikrotik doesn't prioritize vulnerabilities until they are actively exploited, so here we are.
Very well said R1CH!
 
cmurrayis
Frequent Visitor
Posts: 98
Joined: Fri May 15, 2009 4:31 am

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 7:23 am

It's possible that this issue may be Kernel level and the only way to fix that could be v7 with the updated kernel. This may be why they've done nothing about it to date - because they can't on the current kernel.
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 8:07 am

> why r u being so disruptive and trying to break mikrotik?
Multiple MikroTik staff have repeatedly and continuously called this a "bug" and not a "vulnerability". If reporting "bugs" is now deemed disruptive then could someone please stop the world, because I would like to get off.

Meanwhile, industry press is now calling me a "security researcher" but the bigger side of the story is that I am a network engineer. I have spoken at conferences, industry associations, network operators groups, and even a MikroTik MUM, about MikroTik and RouterOS and how to use these products to improve network reliability and security. My company has loads of MikroTik devices deployed in production in our provider network, and we look after many more in customers' networks. MikroTik has been our "go-to vendor of choice" for several years now. Some of my colleagues might go so far as to say I have been evangelical about their product line and network operating system.

I am utterly broken-hearted at MikroTik's response to this problem.
Marek
 
doush
Long time Member
Posts: 616
Joined: Thu Jun 04, 2009 3:11 pm

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 8:56 am

If it's not fixed by now, it is probably kernel level.
I think MT usually reacts quite fast to security patches etc.. If this one is not patched for 50 weeks time, then there has to be something in the old Linux kernel preventing it.
Just a guess..
 
normis
MikroTik Support
Posts: 24142
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Fri Mar 29, 2019 9:28 am

Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.

Let's merge the topics:
viewtopic.php?f=2&t=147048
No answer to your question? How to write posts
