Can it be prevented with firewall?
It can be firewalled by not routing any IPv6. But if you have a RouterOS device anywhere in the path between one subnet and another subnet, even if not directly connected to that router, and it is forwarding IPv6 packets, it is vulnerable to being crashed.
Maybe you need to publish it to generate some pressure...
I'm starting to believe that this is the only way forward, sadly.
A router should be able to *route* packets. It should not crash just because lots of different addresses were used. The quickest way to demonstrate/test the vulnerability is to use a "flooding tool" — but we see organisations are starting to scan IPv6 address space, which if done quickly enough, will cause a crash for an IPv6 transit provider.
I don't believe IPv6 ND should crash RouterOS either — that's also a denial of service security issue in my mind. But the ticket I refer to affects all RouterOS devices between the source and destination, regardless of whether the attacker or target subnet are directly connected to the victim router.
Several forum members have been involved in this discovery:
viewtopic.php?f=2&t=125841&p=654538
Please, MikroTik, consider this to be a denial of service vulnerability.