Re: v6.45beta [testing] is released!

Posted: Mon Mar 18, 2019 6:26 pm
by Neilson
I installed the latest Beta 6.45Beta16 on an hAP ac lite (Coming from 6.45Beta11).

Reboot to install packages
Reboot to update routerboot
- wlan2 interface disappears
Reboot again
- wlan2 interface appears again

So for other users this may need a further reboot.

Mikrotik may want to run this test themselves to see if reproducible. I can make a supout if needed.

Regards
Alexander

Re: v6.45beta [testing] is released!

Posted: Tue Mar 19, 2019 6:47 pm
by Cha0s
In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.
In the scenario where an ISP doesn't provide a static IP to its client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostname is always needed to achieve VPN/Online Cameras/RDP. But when it comes to doing an IPSec VPN setup with a Mikrotik router, the hostnames can't be used as you can't enter them into sa-dst-address, thereby forcing you to go make a script and putting that script on a scheduler.

Edit: Non-road warrior basically.
++

Re: v6.45beta [testing] is released!

Posted: Wed Mar 20, 2019 4:37 pm
by Zoolander06
So I gave a try to the new vendor class identifier matcher feature, it works well but it's quite limited: one can only reserve a pool of IPs to a certain type of devices.
It would be nice to be able to send different options to certain devices.
Example: I have Yealink and Cisco IP phones on my network, each one needs a different TFTP server name (option 66) to provision, but I can only set one per dhcp server.
With this beta version I can control which IP my phones will have, but I still can't specify a distinct option 66 for each type.

Or am I missing something?

Re: v6.45beta [testing] is released!

Posted: Thu Mar 21, 2019 2:39 pm
by mrz
You can specify DHCP option set per DHCP network.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 12:47 pm
by emils
Version 6.45beta19 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta19 (2019-Mar-22 07:30):

Changes in this release:

*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1) (CLI only);
*) certificate - removed DSA (D) flag;
*) ike1 - improved stability for transport mode policies on initiator side;
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) smb - fixed possible buffer overflow;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) ssh - do not generate host key on configuration export;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 2:48 pm
by Mikrotiker
After the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac

Code:

ROS Update, reboot
Wireless interface disappeared

Routerboot update, reboot
Wireless interface disappeared

reboot
Wireless interface disappeared

Log: DefConf gen: Unable to find Wireless interface(s)

I will send you a supout with the reference to this thread.

I did a downgrade to 6.45beta16 and everything is back and running, except the remote unit.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 3:56 pm
by Zoolander06
You can specify DHCP option set per DHCP network.
You're right, but I usually need all my phones to be on the same network.
I think I could make some subnets, maybe it would work, but it would be easier and more logical to set the options in the vendor class identifier matcher, or in the pool.

Thank you for answering me :)
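As an added illustration of mrz's answer above (this is not configuration from the thread or from MikroTik's documentation), option sets are attached per DHCP network, so two phone types get different option 66 values only if they sit in different networks. All names, addresses and TFTP hostnames below are assumed placeholders:

```routeros
# Two option-66 (TFTP server name) definitions; RouterOS string values are
# written as a single-quoted string inside double quotes.
/ip dhcp-server option
add name=tftp-yealink code=66 value="'yealink-prov.example.net'"
add name=tftp-cisco code=66 value="'cisco-prov.example.net'"

# One option set per phone vendor
/ip dhcp-server option sets
add name=yealink-set options=tftp-yealink
add name=cisco-set options=tftp-cisco

# The option set is bound to the DHCP network, so each vendor needs its own
# subnet (the limitation Zoolander06 points out)
/ip dhcp-server network
add address=192.0.2.0/25 gateway=192.0.2.1 dhcp-option-set=yealink-set
add address=192.0.2.128/25 gateway=192.0.2.129 dhcp-option-set=cisco-set
```

The vendor class identifier matcher can then steer each phone type into the pool that belongs to its subnet, which is how the two features combine as of this beta.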

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 4:25 pm
by kitit
After the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac

Code:

ROS Update, reboot
Wireless interface disappeared

Routerboot update, reboot
Wireless interface disappeared

reboot
Wireless interface disappeared

Log: DefConf gen: Unable to find Wireless interface(s)
RouterBOARD 962UiGS-5HacT2HnT

In Log: 15:26:21 script,warning DefConf gen: Unable to find wireless interface(s)

Wireless 5GHz not found in interfaces

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 7:21 pm
by ArtursL
In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 7:42 pm
by honzam
In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.
The same problem on AR5008 (711GA-5HnD). Please check it.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 22, 2019 7:46 pm
by dhoulbrooke
Hi Arturs,

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.

The 5GHz interface disappears on the wAP ac also.

Re: v6.45beta [testing] is released!

Posted: Sat Mar 23, 2019 11:50 am
by arnis128
Hi, all!
I can confirm that 5GHz band does not work on RouterBOARD M33G with Atheros 5008 PCI-e card installed.

Also upgrade of any of my mipsbe (mAP 2n,mAP L-2nD) platform fails, because ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis

Re: v6.45beta [testing] is released!

Posted: Sun Mar 24, 2019 5:26 pm
by korniza
Same here! I'm afraid this update killed my old rb751 :(

Re: v6.45beta [testing] is released!

Posted: Sun Mar 24, 2019 11:33 pm
by msatter
Thanks for adding ECDSA certificates!

Re: v6.45beta [testing] is released!

Posted: Mon Mar 25, 2019 2:42 pm
by wispmikrotik
Hi, all!
I can confirm that 5GHz band does not work on RouterBOARD M33G with Atheros 5008 PCI-e card installed.

Also upgrade of any of my mipsbe (mAP 2n,mAP L-2nD) platform fails, because ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis
Hi,

Same problem in a mAP Lite, after restarting and testing again to install the version this is installed correctly. Verified the correct installation.

Greeting

Re: v6.45beta [testing] is released!

Posted: Tue Mar 26, 2019 8:53 am
by emils
Version 6.45beta20 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta20 (2019-Mar-25 10:07):

Changes in this release:

*) certificate - made RAM the default CRL storage location;
*) ike1 - adjusted debug packet logging topics;
*) ipsec - fixed freshly created identity not taken in action;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) sms - fixed long message parsing (introduced in v6.45beta19);
*) wireless - fixed 5GHz interface disappearing after upgrade (introduced in v6.45beta19);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Tue Mar 26, 2019 9:41 pm
by kmansoft
Will this be fixed please so that EC certificates can be used for IPSec auth?
Thank you for this in beta 19!

( now support for ed25519 would be great too... hint hint... )

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 1:03 pm
by emils
Version 6.45beta22 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta22 (2019-Mar-29 08:37):

Changes in this release:

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
*) certificate - added "key-type" field (CLI only);
*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) export - fixed SMS "allowed-number" compact export (introduced in v6.45beta);
*) fetch - added SFTP support;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - added support for RADIUS accounting;
*) ipsec - fixed policies becoming invalid after changing priority;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) ssh - fixed multiline non-interactive command execution;
*) ssh - improved session rekeying process on exchanged data size threshold;
*) supout - added "kid-control devices" section to supout file;
*) userman - updated authorize.net gateway DNS name;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 1:12 pm
by eworm
*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 1:34 pm
by ludvik
will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 1:40 pm
by maznu
will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
Sorry, but CVE-2018-19299 is not fixed in 6.45beta22.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 1:43 pm
by marekm
What's new in 6.45beta22 (2019-Mar-29 08:37):

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;
1. ipv6 - thanks for the CVE fixes, hope to see them in stable/long-term soon. Then, with this out of the way, please work on Delegated-IPv6-Prefix for PPPoE so many people can actually deploy IPv6 :)
2. w60g - does it try weaker APs in turn after it fails to connect to the strongest one? Could happen with wrong key, or exceeded limit of stations per AP (1 or 8 depending on license), or denied by MAC ACL (if ever implemented for w60g, as in 2.4/5GHz wifi).

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 1:53 pm
by msatter
@marekm the creator of the CVE states in the post above yours that the first CVE 19299 was not fixed by this beta.

When Mikrotik is giving more info about this we will know if it is fixed in their eyes.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 2:30 pm
by marekm
The two posts were written at about the same time. I guess there will be another beta to test soon...

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 2:50 pm
by normis
Issues that were reported to Mikrotik have been fixed. Device no longer can be crashed. maznu, if you have any more details, please email support and explain what you meant.

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 4:38 pm
by ErfanDL
And when is the release for the stable channel?!

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 8:04 pm
by Farseer
@emils

Is the scenario sufficient for IPSec sa-dst/src-address hostname name usage?

Re: v6.45beta [testing] is released!

Posted: Fri Mar 29, 2019 11:03 pm
by Chupaka
And when is the release for the stable channel?!
As soon as it’s ready

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 6:48 am
by kiler129
Are there any plans to address the 5GHz interface crash on RB4011?

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 11:30 am
by strods
There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 3:28 pm
by jrpaz
it can not be considered as a bug or vulnerability
That's not what they are saying here viewtopic.php?f=2&t=147048
They are talking about CCRs and CHRs crashing; I don't know what more resources people need.

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 3:45 pm
by maznu
Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
I agree with the technical assessment above: if someone else tries to reach 1 million hosts in your network and you have less than 500Mb of free RAM, then your router will crash.

I believe MikroTik produces five devices which are not vulnerable in the configuration as shipped by MikroTik if those devices are used as transit routers (i.e. with full BGP IPv4 and IPv6 tables loaded).

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 3:48 pm
by maznu
Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
As a side note, now that MikroTik has publicly released full details about the vulnerability, I hope nobody is going to be worried about what I am presenting on April 9th. The content of the talk will not increase the risk to your networks.

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 3:50 pm
by jrpaz
It's not on the security blog. I'm assuming it will be there sooner rather than later.

Re: v6.45beta [testing] is released!

Posted: Sun Mar 31, 2019 5:31 pm
by Samot
it can not be considered as a bug or vulnerability
That's not what they are saying here viewtopic.php?f=2&t=147048
They are talking about CCRs and CHRs crashing; I don't know what more resources people need.
Actually there is at least one person in that thread that confirmed when taking their CHR from 300MB RAM to 3GB RAM the issue goes away. That does sound like a memory resource problem there. Let's just not assume that because they are running CHR they must have all the resources in the world. The youtube videos that were posted about this issue and showing the CHR crashing was a CHR with 256MB RAM. If people are saying their CCR's are crashing over this I would then ask, which model of the CCR? Because if it's the 1009 series, I could see it having an issue since it has 1GB RAM and this issue can eat up over 500MB on its own it could cause the CCR1009's to have issues.

Was anyone able to reproduce this on CCRs that have 2-4GB RAM? Did this eat them up too?

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 12:37 am
by marlow
Also, if Mikrotik RouterOS allows the cache to eat up more memory than what is available on the device, then that is a bug. Simply because the device knows what amount of ram it has to begin with. It should not be able to allow the device to allocate more ram than what it has or has available.

Not having that sort of limitation in there in the first place begs to be exploited. Shortsighted development.

/M

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 3:56 am
by kiler129
The atmosphere here is becoming slightly toxic...

Like freaking really, how many of you worked with software as a developer? It’s very easy to say when you have very little clue how hard such problems are. I understand the frustration at the end effect, but it seems like MT is doing what they can to mitigate. Even though the device may know it’s memory its growth may not be as easy to predict as you think.

These IPv6 problems aren't new or present really a huge danger with a properly configured environment. If you expect a small router with 64MB of memory to handle a lot of incoming connections you're already in trouble with conntrack.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 4:08 am
by marlow
These IPv6 problems aren't new or present really a huge danger with a properly configured environment. If you expect a small router with 64MB of memory to handle a lot of incoming connections you're already in trouble with conntrack.

The issue here is that the memory usage of the cache can't be limited by configuration (unless you switch IPv6 off) and that it basically can be arbitrarily triggered by an external attacker, which results in a DoS scenario as the router even stops forwarding traffic or constantly reboots triggered by watchdog while under attack (as far as I understand).

The other issue is, that Mikrotik has known and acknowledged, that this is an issue since March 2018 and has not done anything about it until now, where they've been told, that the exploit is to be known public.

/M

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 9:52 am
by emils
Version 6.45beta23 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta23 (2019-Apr-01 05:51):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.45:
----------------------
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------

Changes in this release:

*) ipsec - properly drop already established tunnel when address change detected;
*) ipv6 - adjust IPv6 route cache max size based on total RAM memory;
*) smb - fixed possible buffer overflow;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 9:59 am
by nkourtzis
There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

As a matter of fact, silently allowing any data structure to grow beyond the available system resources without any safeguard or alternative mechanism in place is a bug. Even more so, since the default is inappropriate for most of the devices in your product lineup.

-- EDIT: I just saw the new beta changelog. Thank you for fixing for IPv6! Does it also apply to the IPv4 route cache?

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 10:30 am
by rkj
There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
Actually, it is. In networking, cache-based forwarding has been considered harmful for reasons such as this problem, and has been replaced by topology-based forwarding. So at least one of the bugs shouldn't even exist. But even topology-based systems require neighbour tables, so this one needs to be managed both in size and in rate, while also managing the rate of packets targeted at in-progress neighbours.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 11:17 am
by jprietove
Version 6.45beta23 has been released.
What's new in 6.45beta23 (2019-Apr-01 05:51):
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------
Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb.

Hopefully this fix will be in long-term and current branches soon.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 12:08 pm
by maznu
Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb.

Hopefully this fix will be in long-term and current branches soon.
I concur.

I look forward to everyone being able to push this live, given that MikroTik has disclosed the nature of the vulnerability before making the fix available in the "bugfix" and "current" versions of RouterOS.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 1:48 pm
by Jotne
It's not that your router will go down if you do not install a fix for IPv6 to your router.

You need IPv6 enabled.
You need someone who knows you are running IPv6.
You need someone targeting you with an attack.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 2:16 pm
by Erayd
You need someone targeting you with an attack.
Or targeting somebody else, but transiting your routers on the way. But you make good points. It's still a serious issue though.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 2:24 pm
by ste
It's not that your router will go down if you do not install a fix for IPv6 to your router.

You need IPv6 enabled.
You need someone who knows you are running IPv6.
You need someone targeting you with an attack.
Quite simple. Do a traceroute to a customer. Identify the BGP gateway. Start the attack. Any WISP not doing IPv6 now?
You will find humans doing this just for fun.

We need the fix in the Long-Term Release ASAP.

Re: v6.45beta [testing] is released!

Posted: Mon Apr 01, 2019 3:06 pm
by Jotne
You will find humans doing this just for fun.
That is true.
I installed Cowrie on port 22/23 (SSH and Telnet honeypot). Looking through the logs, 99.99% are automatic scripts that try to install various stuff automatically, so lots of bots and little fun :)

80-90% of the SSH connections try this:
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Just to test if they can use SSH as a proxy, I guess. (99% use ya.ru as a test server)
Some of the log:
New connection: 5.188.86.165:64944 (10.10.10.50:2222) [session: 42d69d743f2c]
Remote SSH version: 'SSH-2.0-Go'
login attempt [root/admin] succeeded
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Connection lost after 0 seconds

New connection: 189.46.216.87:38040 (10.10.10.50:2223) [session: 8a47a991d959]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LPPBJ
tftp; wget; /bin/busybox LPPBJ
dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
/bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 46.48.231.3:43837 (10.10.10.50:2222) [session: ababf7a7cf75]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
echo Hi | cat -n
Connection lost after 33 seconds
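The triage Jotne describes (separating proxy-check connections from sessions that actually run commands) is easy to automate over Cowrie's text output. The following is an added example written for this thread, not code from Cowrie or from the poster; the log sample is constructed in the shape of the lines quoted above, with RFC 5737 documentation addresses instead of real source IPs, and the session classification labels are this example's own:

```python
"""Classify Cowrie honeypot sessions: proxy probes, interactive shells, failed logins."""
import re
from collections import Counter

# Constructed sample in the shape of the Cowrie output quoted in the post.
# Source addresses are documentation ranges (RFC 5737), not real attackers.
SAMPLE_LOG = """\
New connection: 192.0.2.10:64944 (10.10.10.50:2222) [session: aaaa000000001]
Remote SSH version: 'SSH-2.0-Go'
login attempt [root/admin] succeeded
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Connection lost after 0 seconds

New connection: 198.51.100.7:38040 (10.10.10.50:2223) [session: bbbb000000002]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 203.0.113.9:43837 (10.10.10.50:2222) [session: cccc000000003]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
uname -a
ps | grep '[Mm]iner'
Connection lost after 33 seconds

New connection: 192.0.2.11:50001 (10.10.10.50:2222) [session: dddd000000004]
Remote SSH version: 'SSH-2.0-Go'
login attempt [root/toor] failed
Connection lost after 1 seconds
"""

NEW_CONN = re.compile(r"^New connection: (\S+):(\d+) \(\S+:(\d+)\) \[session: (\w+)\]$")
LOGIN = re.compile(r"^login attempt \[([^/]+)/([^\]]*)\] (succeeded|failed)$")
DIRECT_TCP = re.compile(r"^direct-tcp connection request to (\S+) from")
LOST = re.compile(r"^Connection lost after (\d+) seconds$")
IGNORED_PREFIXES = ("Remote SSH version:",)


def parse_sessions(text):
    """Group log lines into sessions; anything not matching a known event is a command."""
    sessions = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NEW_CONN.match(line)
        if m:
            cur = {"src": m.group(1), "honeypot_port": int(m.group(3)),
                   "session": m.group(4), "logins": [], "proxy_targets": [],
                   "commands": [], "duration": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # line before any session header: ignore
        m = LOGIN.match(line)
        if m:
            cur["logins"].append((m.group(1), m.group(2), m.group(3) == "succeeded"))
            continue
        m = DIRECT_TCP.match(line)
        if m:
            cur["proxy_targets"].append(m.group(1))
            continue
        m = LOST.match(line)
        if m:
            cur["duration"] = int(m.group(1))
            continue
        if line.startswith(IGNORED_PREFIXES):
            continue
        cur["commands"].append(line)  # everything else is attacker input
    return sessions


def classify(session):
    """Labels are this example's own: failed-login, proxy-probe, interactive, login-only."""
    if not any(ok for _, _, ok in session["logins"]):
        return "failed-login"
    if session["proxy_targets"] and not session["commands"]:
        return "proxy-probe"
    if session["commands"]:
        return "interactive"
    return "login-only"


def summarize(sessions):
    """Counts per class, credentials that worked, proxy targets, and the share of
    logged-in sessions that only probed for an open SSH proxy."""
    kinds = Counter(classify(s) for s in sessions)
    creds = Counter(f"{u}/{p}" for s in sessions for u, p, ok in s["logins"] if ok)
    targets = Counter(t for s in sessions for t in s["proxy_targets"])
    logged_in = sum(1 for s in sessions if any(ok for _, _, ok in s["logins"]))
    share = kinds["proxy-probe"] / logged_in if logged_in else 0.0
    return {"sessions": len(sessions), "kinds": dict(kinds),
            "successful_creds": dict(creds), "proxy_targets": dict(targets),
            "proxy_share_of_logins": share}


if __name__ == "__main__":
    print(summarize(parse_sessions(SAMPLE_LOG)))
```

Run against a real Cowrie log, the "proxy_share_of_logins" figure is the number Jotne quotes (80-90% of connections), and "successful_creds" tells you which default passwords the honeypot is accepting, which is the list worth checking against your own devices.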

Re: v6.45beta [testing] is released!

Posted: Thu Apr 04, 2019 12:31 pm
by emils
Version 6.45beta27 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta27 (2019-Apr-03 13:53):

Changes in this release:

*) dhcpv4-server - fixed commenting option for alerts;
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - improved neighbour's MAC address detection;
*) fetch - added SFTP support;
*) ipsec - fixed possible configuration corruption after import;
*) ipv6 - improved IPv6 neighbor table updating process;
*) rb2011 - removed "sfp-led" from "System/LEDs" menu;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed multiline non-interactive command execution;
*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Fri Apr 05, 2019 12:27 am
by osc86
igmp-snooping is killing ipv6 connectivity, by not forwarding neighbor solicitation messages.
FF02:1:XXXX:XXXX isn't listed in MDB table, so no NS messages are exchanged between hosts.
This happens at least since beta22.

Re: v6.45beta [testing] is released!

Posted: Fri Apr 05, 2019 2:27 am
by davidzodelin
*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

Please add support US FCC UNII-2 for RBSXT5nDr2 (SXT Lite 5)