[AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

Mark Smith markzzzsmith at gmail.com
Fri Mar 29 11:52:13 EST 2019


On Fri, 29 Mar 2019 at 10:51, Rob Thomas <xrobau at gmail.com> wrote:
>
> Quick summary of the problem:
>
> * From the description it appears to be a kernel-level issue - when a MikroTik device receives a magic IPv6 packet, it will panic.
> * MikroTik have known about it for almost a year, and have not fixed it.
> * It is not fixed in the latest 6.44.1 image
> * The discoverer has been trying to practice responsible disclosure, but has given up
>
> Further things:
> * MikroTik HAVE acknowledged it in a new thread a couple of hours ago
>   https://forum.mikrotik.com/viewtopic.php?f=2&t=147048#p723696
> * Twitter thread from the guy who discovered it:
>   https://twitter.com/maznu/status/1110910688623513601
> * There's a comment 'The fix is in v7' - there's a long running joke that v7 will never emerge (it probably never will, they've lost most of their senior engineers, and refuse to open source their code to leverage their developers in the community)
>
> I guess the good thing for me is that Nexium still can't provide us IPv6 so we're kinda safe up here 8)
>

So there is a possibility that an IPv6 packet tunnelled over IPv4
towards one of these MikroTiks could trigger the vulnerability, as the
entry point for IPv6 packets into the IPv6 stack for both IPv6 over a
link layer vs. IPv6 over IPv4 is the same (as IPv4 is effectively
being used as a link layer.)

I don't know anything about MikroTik or have access to any, however it
may be worth checking if they enable an IPv6 over IPv4 tunnel
capability by default in some way. For example, a "stateless" tunnel
technology like 6to4 (with "stateless" meaning that tunnel endpoints
don't need to be explicitly configured), enabled by default, may make
the device vulnerable.

"Security Implications of IPv6 on IPv4 Networks"
(https://tools.ietf.org/html/rfc7123) has quite a lot of discussion
regarding security issues related to tunnelling of IPv6 over IPv4 and
mitigations. It is dated 2014, so it may be a bit dated, however the
advice on how to block the various IPv6 in IPv4 packets would still be
correct.

Regards,
Mark.


> --Rob
>
>
> On Fri, 29 Mar 2019 at 09:25, Cameron Murray <cameron.murray at gmail.com> wrote:
>>
>> Guys,
>>
>> This has just popped up on the Mikrotik forums that I am sure many on the list need to be aware of.
>>
>> If you run Mikrotik in your network and have IPv6 on a Public facing interface please check the following link: https://forum.mikrotik.com/viewtopic.php?t=147076
>>
>> Cheers
>>
>> Cameron
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
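
The IPv6-in-IPv4 packet types that RFC 7123 discusses filtering can be recognised from the IPv4 header and the first four bytes of the transport header. As an added example (not part of the original messages, and not MikroTik code), this classifier labels protocol 41, 6to4 relay, Teredo, TSP and AYIYA traffic; the function names and the constructed sample packets are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # 6in4, 6to4, 6rd and ISATAP all ride directly on IPv4
RELAY_6TO4 = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast prefix
# port -> (label, IPv4 protocol numbers it applies to); 6 = TCP, 17 = UDP
TUNNEL_PORTS = {3544: ("teredo", {17}), 3653: ("tsp", {6, 17}), 5072: ("ayiya", {6, 17})}


def classify(packet: bytes):
    """Label IPv6-over-IPv4 tunnel traffic in a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # truncated, or not IPv4
    ihl = (packet[0] & 0x0F) * 4  # IPv4 options move the transport header
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    if proto == PROTO_IPV6_IN_IPV4:
        ends = (ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20]))
        return "6to4-relay" if any(a in RELAY_6TO4 for a in ends) else "proto41"
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    if proto in (6, 17) and first_fragment and len(packet) >= ihl + 4:
        for port in struct.unpack("!HH", packet[ihl:ihl + 4]):  # source, destination
            label, protos = TUNNEL_PORTS.get(port, (None, ()))
            if proto in protos:
                return label
    return None


def ipv4(proto, src, dst, payload, options=b""):
    """Build a constructed IPv4 packet for the samples (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    head = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                       64, proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)
    return head + options + payload


# Constructed samples; host addresses are RFC 5737 documentation ranges.
A, B = "198.51.100.7", "203.0.113.1"
SAMPLES = {
    "6in4": ipv4(41, A, B, b"\x60" + bytes(39)),
    "6to4": ipv4(41, A, "192.88.99.1", b"\x60" + bytes(39)),
    "teredo": ipv4(17, A, B, struct.pack("!HHHH", 50000, 3544, 8, 0)),
    "teredo+options": ipv4(17, A, B, struct.pack("!HHHH", 50000, 3544, 8, 0), b"\x01\x01\x01\x00"),
    "tsp-tcp": ipv4(6, A, B, struct.pack("!HH", 50000, 3653) + bytes(16)),
    "dns": ipv4(17, A, B, struct.pack("!HHHH", 50000, 53, 8, 0)),
}
print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```

The "teredo+options" sample carries IPv4 options, so a filter that assumes a fixed 20-byte header would read the wrong port bytes and miss it.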
