Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 1:57 pm
by bigcw
Yes, really, it's that serious!

It seems there is a bug in ROS that allows a remote attacker to crash any Mikrotik device if they can access it via v6. Even with firewalling you are still a sitting duck. Mikrotik have known about this for a year and have done nothing to fix it.

This information is due to be released to the public at UKNOF on 9th April. Yes, in 12 days anyone with a slight bit of knowledge about networks and a v6-enabled connection will be able to take any Mikrotik device (running v6) offline. No doubt an exploit script will follow soon after.

As a community it is absolutely critical that we push Mikrotik for a solution to this problem as a matter of utmost urgency. The consequences of this getting out into the wild before a fix is available would be disastrous for all of us. Please everyone pay attention and help in making sure Mikrotik understand just how critical this problem is.

There is a thread already running on this (viewtopic.php?f=2&t=147048) but the subject is such that most people will probably skip over it.

UKNOF presentation where this issue will be disclosed in full: https://indico.uknof.org.uk/event/46/contributions/667/
CVE report: https://cve.mitre.org/cgi-bin/cvename.c ... 2018-19299

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 2:24 pm
by R1CH
Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?!

This is a completely unacceptable response for a security vulnerability. I think it's time for me to start moving away from RouterOS, either to OpenWRT or a different vendor that cares about security.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 3:17 pm
by IPANetEngineer
This is also a new one for me...will be digging into it

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 3:34 pm
by mkx
Something similar (if not the same) had been already discussed in this forum.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 3:37 pm
by bigcw
> This is also a new one for me...will be digging into it

In a nutshell, it's a memory exhaustion issue. You send a v6 packet formed in a certain way (which I assume will be revealed on 9th April) to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 3:42 pm
by bigcw
> Something similar (if not the same) had been already discussed in this forum.

I believe that thread refers to CVE-2018-19298 which is a similar incident. The later one (CVE-2018-19299) is far more sinister.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 4:07 pm
by IPANetEngineer
Even if there is no way to firewall it on a MikroTik, I'm assuming that once we know what is being set in the packet header, it can be mitigated with another solution based on flow detection and dropping the traffic in a switch. That won't work for everyone obviously, but it would work for a lot of the ISP and DC networks I consult on.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 4:08 pm
by tomaskir
Let's hope MikroTik can have a build ready with a fix before the full details of this go public...

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 4:19 pm
by bigcw
> Let's hope MikroTik can have a build ready with a fix before the full details of this go public...

That is exactly what we are all hoping for. Unfortunately the silence from Mikrotik does not fill me with confidence that they even understand how bad this problem could turn out.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 4:25 pm
by r00t
> Mikrotik have known about this for a year and have done nothing to fix it.

If this is true, then WTF are they even thinking?!
This only sends all the bad messaging: If you want a bug to be fixed, release it as a zero-day exploit. Doing it the nice and proper way gets you nowhere...

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 5:01 pm
by sebastia
> Something similar (if not the same) had been already discussed in this forum.

In this thread there are two issues listed: ND cache & routing / stateful connection exhaustion. Which is referred to here?

The first can be mitigated by a stateful firewall, which most end users will use. For non-end-users, address restrictions can help / resolve the issue.
For the second, it wasn't clarified what the actual issue was.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 5:17 pm
by timamplex
I'd like to add my voice to the Mikrotik community stating this must be addressed before public release.

Tim

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 6:23 pm
by cantanko
/ipv6 export file=hahahanoipv6foryou.rsc
/system package disable [find name=ipv6]
/system reboot
Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality.

Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I'm a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 7:13 pm
by jrpaz
> /ipv6 export file=hahahanoipv6foryou.rsc
> /system package disable [find name=ipv6]
> /system reboot
> Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality.
>
> Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I'm a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.

Guess we won't be deploying IPv6 Q2 2019

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 7:37 pm
by ConnectivityEngineer
Interesting to say the least.

We have quite a number of networks we have deployed IPv6 into.
I always wish when things like this happened I knew more to be able to protect our clients - but of course that is the nature of the beast.

Hoping Mikrotik can patch the issue.

IPArchitects has a decent idea in regards to switch path in front of the routers as a possible solution to help direct traffic.

Time will tell I guess

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 7:39 pm
by honzam
> Yes, really, it's that serious!

Thanks for info

> Mikrotik have known about this for a year and have done nothing to fix it.

shock for me :shock: :shock: :shock:

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 7:43 pm
by icosasupport
Don't worry you can use kid control on your core routers to block them. :P

Seriously though, what is up over @ MT ?

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 8:24 pm
by neutronlaser
IPv6 isn't even out of beta yet, so no worries.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 9:19 pm
by anav
Glad I have not even turned on ipv6 packages yet, that link from mkx was back in 2017?? 50 days, how bout 2 years.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 10:01 pm
by proximus
Facts still have to matter. The narrative, response and criticism over this issue has gotten way ahead of the information available. Specially crafted packet / memory exhaustion issues (or any other vulnerability) are nothing new to even the largest network equipment manufacturers. They can be dealt with, and are done so routinely.

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 10:09 pm
by rua
> Facts still have to matter. The narrative, response and criticism over this issue has gotten way ahead of the information available. Specially crafted packet / memory exhaustion issues (or any other vulnerability) are nothing new to even the largest network equipment manufacturers. They can be dealt with, and are done so routinely.
>
> The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.

definitely agree

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Thu Mar 28, 2019 11:22 pm
by sep
This is a total disaster for MikroTik's future if they do not fix it before customer impact. EVERYTHING we have deployed in the last years has IPv6; most are IPv6-only, some dual-stack.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 12:26 am
by vecernik87
> The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.

If the vendor knows about it for over a year and does nothing?
You are actually right: That is irresponsible and unprofessional - from the vendor!

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 1:15 am
by maznu
Hi,

I'm Marek Isalski.

I've been trying desperately to get MikroTik to resolve this issue since they acknowledged it on 2018-04-20. I know for a fact other people have figured this vulnerability out, and I believe I've seen exploitation of it in the wild in the last 2-4 weeks. MikroTik's response to my belief that there is exploitation going on was along the lines of "let's not jump to conclusions".

I have told MikroTik I am discussing these vulnerabilities at UKNOF — they didn't seem to care because they've repeatedly told me this is "just a bug".

See you all at UKNOF 43 — which has a live web stream.

Good luck, everyone.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 1:23 am
by maznu
> Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality.
>
> Edit: It really is about time v6 stops being such a second-class citizen on RouterOS. I'm a proper advocate for it but when MikroTik pull this kind of stunt it makes you start questioning your decisions.

My slide deck for UKNOF 43 includes screenshots of me crashing 6.44.1.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 1:26 am
by maznu
> The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional.

I have been asking MikroTik for exactly this approach for nearly a year. They will not commit to a date, or even that they have begun work on it. The timeline will be made clear in my talk at UKNOF 43 — which MikroTik were made aware of well in advance.

Additionally I've been working with CERTs and other trusted ops groups to spread the word in advance, and was hoping that the likes of NCSC UK or NCSC NL would be able to mediate between myself and MikroTik as I view responsible disclosure as a priority.

Sadly I also believe there is exploitation in the wild — certainly in the last 2-4 weeks — and have shared this with MikroTik. They continue to view this as a "bug" not a "vulnerability".

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 2:01 am
by neutronlaser
why r u being so disruptive and trying to break mikrotik?

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 2:07 am
by R1CH
> why r u being so disruptive and trying to break mikrotik?

That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashing your network and your firewall can't seem to do anything to stop it. They demand $5000 in bitcoin to stop the attack, no one knows how it's happening and Mikrotik can't help so you have to pay before you lose all your customers...

The issue was disclosed privately to Mikrotik 50 weeks ago. It should have been fixed 49 weeks ago, but it seems Mikrotik doesn't prioritize vulnerabilities until they are actively exploited, so here we are.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 2:24 am
by bigcw
> That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashing your network and your firewall can't seem to do anything to stop it. They demand $5000 in bitcoin to stop the attack, no one knows how it's happening and Mikrotik can't help so you have to pay before you lose all your customers...
>
> The issue was disclosed privately to Mikrotik 50 weeks ago. It should have been fixed 49 weeks ago, but it seems Mikrotik doesn't prioritize vulnerabilities until they are actively exploited, so here we are.

Very well said R1CH!

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 7:23 am
by cmurrayis
It's possible that this issue may be kernel-level and the only way to fix that could be v7 with the updated kernel. This may be why they've done nothing about it to date - because they can't on the current kernel.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 8:07 am
by maznu
> why r u being so disruptive and trying to break mikrotik?

Multiple MikroTik staff have repeatedly and continuously called this a "bug" and not a "vulnerability". If reporting "bugs" is now deemed disruptive then could someone please stop the world, because I would like to get off.

Meanwhile, industry press is now calling me a "security researcher" but the bigger side of the story is that I am a network engineer. I have spoken at conferences, industry associations, network operators groups, and even a MikroTik MUM, about MikroTik and RouterOS and how to use these products to improve network reliability and security. My company has loads of MikroTik devices deployed in production in our provider network, and we look after many more in customers' networks. MikroTik has been our "go-to vendor of choice" for several years now. Some of my colleagues might go so far as to say I have been evangelical about their product line and network operating system.

I am utterly broken-hearted at MikroTik's response to this problem.

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 8:56 am
by doush
If it's not fixed by now, it is probably kernel level.
I think MT usually reacts quite fast to security patches etc. If this one is not patched for 50 weeks' time, then there has to be something in the old Linux kernel preventing it.
Just a guess..

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Posted: Fri Mar 29, 2019 9:28 am
by normis
Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.

Let's merge the topics:
viewtopic.php?f=2&t=147048