OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

webformix · Mon Oct 31, 2022 10:16 pm

I've just checked to confirm that all of my production servers are using OpenSSL 1.x, which is not affected.
I do not know of RouterOS uses OpenSSL, or LibreSSL or something else as their crypto library though so checking in here sounded like a good idea.

https://twitter.com/iamamoose/status/15 ... 4855628800
https://www.zdnet.com/article/openssl-w ... ing-patch/

stoogie · Wed Nov 02, 2022 10:09 am

I too would be interested to understand this, as there is previous mention in this forum of OpenSSL being used within RouterOS.

jaymac · Wed Nov 02, 2022 6:01 pm

When can we expect a formal response from Mikrotik regarding these vulnerabilities?

At this time CISA and the NCSC-NL are maintaining a list of all affected/unaffected products at the following site and Mikrotik products are not listed:

https://github.com/NCSC-NL/OpenSSL-2022 ... /README.md

stam · Thu Nov 03, 2022 11:39 am

Based on mikrotik support response SUP-96821, "MikroTik is not affected by these vulnerabilities."

Well done Mikrotik!

stoogie · Thu Nov 03, 2022 5:10 pm

Based on mikrotik support response SUP-96821, "MikroTik is not affected by these vulnerabilities."

Thank you, but is there a link to this support response?

mkx · Thu Nov 03, 2022 5:36 pm

It would be interesting to get some info from Mikrotik.

However: many contemporary major software projects, such as apache httpd or haproxy, are based on OpenSSL version 1.1. Some, including nginx, support both 1.1 and 3.0.
I wouldn't be surprised if Mikrotik is as well (and might remain at openssl v1.1 for a long time). And in this case it's no wonder if it's not impacted by openssl 3.0 vulnerability.

rextended · Thu Nov 03, 2022 5:42 pm

Based on mikrotik support response SUP-96821, "MikroTik is not affected by these vulnerabilities."
Thank you, but is there a link to this support response?

Write yourself to support, so you have your "link", if you doubt what other users write.

anav · Thu Nov 03, 2022 6:03 pm

I don't think anyone wearing a calabash fruit for a hat is going to listen to reason.

Znevna · Thu Nov 03, 2022 8:39 pm

Except the openssl license file present in the firmware, I see no sign of openssl anywhere.
From where did anyone got the ideea that RouterOS is even using OpenSSL?
@webformix ?

Fri Nov 04, 2022 9:09 am

RouterOS is not affected.
v7 is using our own TLS implementation.
v6 is using OpenSSL 1.0.2u.

anav · Fri Nov 04, 2022 2:36 pm

Thank you Guntis for putting the trolls and clickbaiters to bed.
I am going to have to add you to my NOTE (that annoyingly pops up everytime I log into my hex LOL)

...

note.JPG

OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Re: OpenSSL 3.x Crit vuln. Any info on whether RouterOS is impacted?

Who is online