seriousblack
newbie
Topic Author
Posts: 36
Joined: Tue Apr 03, 2018 4:02 am

CVE-2020-11881 PATCH

Sun Sep 13, 2020 5:28 am

Any progress in patching this Vulnerability?

https://github.com/botlabsDev/CVE-2020-11881
 
santyx32
Member Candidate
Posts: 215
Joined: Fri Oct 25, 2019 2:17 am

Re: CVE-2020-11881 PATCH

Sun Sep 13, 2020 4:52 pm

You do not have the required permissions to view the files attached to this post.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: CVE-2020-11881 PATCH

Sun Sep 13, 2020 6:32 pm

Very disappointing if this was disclosed to them in April! Luckily SMB is not a feature that should be enabled by most users.
 
seriousblack
newbie
Topic Author
Posts: 36
Joined: Tue Apr 03, 2018 4:02 am

Re: CVE-2020-11881 PATCH

Sun Sep 13, 2020 10:05 pm

Hope this wakes them up!

Considering RPKI isn't in Prod yet ;(
 
seriousblack
newbie
Topic Author
Posts: 36
Joined: Tue Apr 03, 2018 4:02 am

Re: CVE-2020-11881 PATCH

Sun Sep 13, 2020 10:06 pm

> Very disappointing if this was disclosed to them in April! Luckily SMB is not a feature that should be enabled by most users.

So sad! This is a blow
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 8:55 am

Gentlemen, let me quote the Changelog:

What's new in 6.46.7 (2020-Sep-07 07:38):
*) smb - fixed file path validation (introduced in v6.46);
*) smb - fixed possible memory leak;
*) smb - limit active session count to 5 per connection;
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 9:38 am

> Gentlemen, let me quote the Changelog:

Normis, there is a section on the linked homepage of the CVE which states that the vulnerability was indeed fixed in 6.47 but re-appeared in 6.47.2 and 6.47.3. Could you please have a look in this direction?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 9:54 am

There is an entry for 6.47.2 which states
*) smb - fixed SMB server (introduced in v6.47);
So in 6.47 maybe SMB was broken anyway, so the vulnerability didn't have anything to crash?
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 10:07 am

Normis, I appreciate the new version which includes the fix, but please, do not fake release dates.
EDIT: Understood. Date is related to "build" not "release".
This release was definitely not live a week ago, on 7th September. Why does changelog (and your post) claim it was?

The topic with this release was published just one hour ago. And changelog page also did not list this change two days ago:
https://webcache.googleusercontent.com/ ... clnk&gl=au
[Attachment: Screenshot 2020-09-14 170335.png]
Last edited by vecernik87 on Mon Sep 14, 2020 10:29 am, edited 2 times in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 10:12 am

If you are watching the release dates so closely, you'd notice that at least the last 3 (maybe more) long term builds were released to public after ~7 days of probably inside testing since they were built.
Read first, blame later.
Cheers.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 10:22 am

Changelog always has referenced last build date, not release date.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 10:24 am

I do not check them "so closely" and I think in 99% of time few days does not matter. I accept your point that this may be part of the thorough testing process for Longterm branch. (I edited my original post now to reflect this)

But if botlabsDev claims:
> The bug was reported on 06.04.2020 and wasn't fixed on 12.09.2020 even after multiple requests.

and normis responds:
> Gentlemen, let me quote the Changelog:
>
> What's new in 6.46.7 (2020-Sep-07 07:38):

Then it certainly does not feel right. It actually feels quite convenient for Mikrotik to have this long difference between "claimed release date" and "true release date" because now they can claim "he lies, we did fix it before 12 September".

ps: And yes, I am again stirred up due to another CVE allegedly reported ages ago and not fixed until widely published.
There was a lot of discussion about this few years ago and general opinion of users was, that nobody minds if CVE is found because that happens. What people really don't like is, if vendor actively refuses to fix reported vulnerability by denying it until whistleblower is forced to release it to public.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 11:50 am

Communication could use improvements on the side of Mikrotik.

It is not lying but just not telling.
- the fixed version was ready last week but that was not communicated with the CVE publishers.
- in this thread Mikrotik should have written, "it was fixed last week and fix was released today".

It is just the way of communicating that irritates the buyers. We are on your side and we are pleased that it was fixed but please don't sit on it and not inform the ones finding it, and then insult your buyers by leaving out information, claiming what you had not released yet.

Play by the rules and you have happy buyers of your products.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 12:51 pm

So what has me stumped here is what is vulnerable and what is not. The GitHub repo says this:
> Affected Versions(tested)
> 6.41.3 (long term release)
> 6.45.8 (long term release)
> 6.45.9 (long term release)
>
> 6.46.4 (stable release)
> 6.47.2 (stable)
> 6.47.3 (stable)
>
> 7.0beta5 (beta)
> 7.1beta2 and below

So if true I would like to get a proper statement from Mikrotik on CVE-2020-11881 and why oooo why is this blog not updated with info (https://blog.mikrotik.com/security/)
You might as well close this as nothing is being added!

So in other words if the fixes from 6.47.2 and forward branch is in new Long-Term release we still have this issue as you can see that 6.47.2 is vulnerable again.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: CVE-2020-11881 PATCH  [SOLVED]

Mon Sep 14, 2020 1:21 pm

Currently only the long-term version channel (v6.46.7) has all the necessary fixes for this CVE. We are working on getting them published in stable and testing channels as well. Sorry for any inconvenience.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 3:01 pm

> Currently only the long-term version channel (v6.46.7) has all the necessary fixes for this CVE. We are working on getting them published in stable and testing channels as well. Sorry for any inconvenience.

Thanks for the clarification.
 
seriousblack
newbie
Topic Author
Posts: 36
Joined: Tue Apr 03, 2018 4:02 am

Re: CVE-2020-11881 PATCH

Mon Sep 14, 2020 6:32 pm

> Currently only the long-term version channel (v6.46.7) has all the necessary fixes for this CVE. We are working on getting them published in stable and testing channels as well. Sorry for any inconvenience.

Thanks. Let's wait for that.
 
millap
just joined
Posts: 2
Joined: Tue Sep 09, 2014 9:09 pm

Re: CVE-2020-11881 PATCH

Sat Jun 11, 2022 2:35 pm

Does anyone at Mikrotik have any update on when this CVE is going to be fixed? According to OpenVAS scans, even 7.3.x is still vulnerable and I haven't found anything in the release notes to suggest it's fixed.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: CVE-2020-11881 PATCH

Sat Jun 11, 2022 3:00 pm

Please provide some links with proper info when you wake up 2 years old topic.
 
millap
just joined
Posts: 2
Joined: Tue Sep 09, 2014 9:09 pm

Re: CVE-2020-11881 PATCH

Sat Jun 11, 2022 11:43 pm

> Please provide some links with proper info when you wake up 2 years old topic.

Links for what? It's a simple question on whether this CVE is fixed, as there's no indication in the release notes it has been resolved in anything except 6.47.x.

This is from a recent scan of a customer's group of MTs.
[Attachment: Screenshot 2022-06-11 at 21.34.28.png]
All of their devices are running 7.3.1 as of 0300 this morning.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: CVE-2020-11881 PATCH

Sat Jun 11, 2022 11:59 pm

To be precise .. github checked a while ago ... no 7.2 or 7.3 version ... only old test beta ones:
[Attachment: 11881.PNG]
I'm not Devil's advocate of MT but if you start rocking a boat please give references to facts.
There were some 6.48.x versions after 6.47 and there is 7.3 now so maybe "is still" is not justified.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: CVE-2020-11881 PATCH

Sun Jun 12, 2022 12:00 am

@millap Did you even read that screenshot?
Or do you need some other tool to do that for you? :)
 
kevinds
Long time Member
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: CVE-2020-11881 PATCH

Thu Jun 16, 2022 2:36 am

> @millap Did you even read that screenshot?
> Or do you need some other tool to do that for you? :)

@millap your "scan/detection tool" is terrible...

It is going to show an issue with every 7. release because it says that 7.x is vulnerable. From that screenshot, until RouterOS v8 comes out, it will keep showing the warnings.

You could also avoid it completely by turning off the SMB server in RouterOS, which I haven't found a good use-case yet for turning it on anyways.
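
The point made in the post above, as an added example (not part of the thread, and not the scanner's or MikroTik's code): a rule keyed on the major version alone flags every 7.x build, while the tested-affected list quoted earlier in the thread stops at 7.1beta2. The function names and the beta < rc < release ordering are assumptions made for illustration.

```python
import re

# Versions the advisory repository lists as tested-affected, as quoted in this thread.
TESTED_AFFECTED = {"6.41.3", "6.45.8", "6.45.9", "6.46.4", "6.47.2", "6.47.3", "7.0beta5"}
V7_CEILING = "7.1beta2"                  # the list's "7.1beta2 and below"
STAGE = {"beta": 0, "rc": 1, None: 2}    # assumed ordering: pre-releases before the final build

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")

def parse(version):
    """Turn '7.1beta2' or '6.46.7' into a tuple that sorts in release order."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(stage_no or 0))

def banner_rule(version):
    """The coarse rule described in the thread: any 7.x version is flagged."""
    return parse(version)[0] == 7

def listed_affected(version):
    """True only if the version falls inside the list quoted from the repository."""
    if version in TESTED_AFFECTED:
        return True
    key = parse(version)
    return key[0] == 7 and key <= parse(V7_CEILING)

def triage(version):
    if listed_affected(version):
        return "listed-affected"
    if banner_rule(version):
        return "banner-only"     # flagged by major version alone; confirm by testing
    return "not-listed"          # absent from the quoted list; says nothing about a fix

def report(versions):
    return {v: triage(v) for v in versions}

if __name__ == "__main__":
    sample = ["6.47.3", "6.46.7", "7.0beta5", "7.1beta2", "7.1", "7.3.1", "7.10"]
    for v, verdict in report(sample).items():
        print(f"{v:10} {verdict}")
```

A "banner-only" result is a prompt to check whether the SMB service is enabled and to test the device, not a finding in itself.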
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: CVE-2020-11881 PATCH

Thu Jun 16, 2022 5:38 am

I bet it's not even enabled.
 
Edrard
just joined
Posts: 5
Joined: Tue Mar 05, 2019 3:54 pm

Re: CVE-2020-11881 PATCH

Thu Jun 22, 2023 2:38 pm

Still interesting if this is fixed in 7.x tree, I just looked at all changelogs and can't see any fix
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CVE-2020-11881 PATCH

Thu Jun 22, 2023 3:22 pm

> Still interesting if this is fixed in 7.x tree, I just looked at all changelogs and can't see any fix

Tell me clearly where it says 7.1 (stable) and later are vulnerable.
 
Edrard
just joined
Posts: 5
Joined: Tue Mar 05, 2019 3:54 pm

Re: CVE-2020-11881 PATCH

Thu Jun 22, 2023 5:38 pm

> > Still interesting if this is fixed in 7.x tree, I just looked at all changelogs and can't see any fix
>
> Tell me clearly where it says 7.1 (stable) and later are vulnerable.

Because it's not written in any changelog from 7.0 beta till 7.10.0. Can support clearly say, yes it's vulnerable or no it's not, that's not hard.
Last edited by Edrard on Thu Jun 22, 2023 6:04 pm, edited 1 time in total.
 
Edrard
just joined
Posts: 5
Joined: Tue Mar 05, 2019 3:54 pm

Re: CVE-2020-11881 PATCH

Thu Jun 22, 2023 5:59 pm

Okay, just to be clear.
I installed latest stable 7.10 and tested it with https://github.com/botlabsDev/CVE-2020-11881

The result was
[smb]: online
[dos]: ok
[smb]: online
And smbclient result after this
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
So I think it's fixed, just not reported
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CVE-2020-11881 PATCH

Thu Aug 24, 2023 9:18 am

The fix is in all branches and issue does not affect any version on our download page, as you can verify using above mentioned tests.
