[AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

Mike Everest mike at duxtel.com
Fri Mar 29 12:17:26 EST 2019 

On the point of “the fix is in v7”

 

That kind of statement is usually code for “it’s a kernel issue” since the major version number of RouterOS has (so far) related to linux kernel revision.  Therefore, if that is the official position on this problem, then there may be some logical conclusions that might be drawn:

 

1.       Maybe this can’t be fixed in current routerOS v6.xx

2.       Maybe other OS based on linux kernel may also be affected

 

Pure conjecture from me, of course – despite the relatively ‘close’ relationship that we have with MikroTik, we are not much better informed than everyone else when it comes to this sort of thing :-}

Cheers!

Mike.

 

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Rob Thomas
Sent: Friday, 29 March 2019 10:50 AM
To: Cameron Murray <cameron.murray at gmail.com>
Cc: <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

 

Quick summary of the problem:

 

* From the description it appears to be a kernel-level issue - when a MikroTik device receives a magic IPv6 packet, it will panic.

* MikroTik have known about it for almost a year, and have not fixed it.

* It is not fixed in the latest 6.44.1 image

* The discoverer has been trying to practice responsible disclosure, but has given up

 

Further things:

* MikroTik HAVE acknowledged it in a new thread a couple of hours ago

  https://forum.mikrotik.com/viewtopic.php?f=2 <https://forum.mikrotik.com/viewtopic.php?f=2&t=147048#p723696> &t=147048#p723696

* Twitter thread from the guy who discovered it:

  https://twitter.com/maznu/status/1110910688623513601

* There's a comment 'The fix is in v7' - theres a long running joke that v7 will never emerge (it probably never will, they've lost most of their senior engineers, and refuse to open source their code to leverage their developers in the community)

 

I guess the good thing for me is that Nexium still can't provide us IPv6 so we're kinda safe up here 8)

 

--Rob

 

 

On Fri, 29 Mar 2019 at 09:25, Cameron Murray <cameron.murray at gmail.com <mailto:cameron.murray at gmail.com> > wrote:

Guys,

 

This has just popped up on the Mikrotik forums that I am sure many on the list need to be aware of.

 

If you run Mikrotik in your network and have IPv6 on a Public facing interface please check the following link: https://forum.mikrotik.com/viewtopic.php?t=147076 

 

Cheers

 

Cameron

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net> 
http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20190329/5315f119/attachment.html>

More information about the AusNOG mailing list