[AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

Cameron Murray cameron.murray at gmail.com
Fri Mar 29 12:19:10 EST 2019


There was meant to be an announcement on v7 at the recent MUM but that did
not occur. I've dropped our IPv6 just in case - Wasn't in use yet anyway
luckily.

On Fri, Mar 29, 2019 at 11:17 AM Mike Everest <mike at duxtel.com> wrote:

> On the point of “the fix is in v7”
>
>
>
> That kind of statement is usually code for “it’s a kernel issue” since the
> major version number of RouterOS has (so far) related to linux kernel
> revision.  Therefore, if that is the official position on this problem,
> then there may be some logical conclusions that might be drawn:
>
>
>
> 1. Maybe this can’t be fixed in current RouterOS v6.xx
>
> 2. Maybe other OS based on linux kernel may also be affected
>
>
>
> Pure conjecture from me, of course – despite the relatively ‘close’
> relationship that we have with MikroTik, we are not much better informed
> than everyone else when it comes to this sort of thing :-}
>
> Cheers!
>
> Mike.
>
>
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of *Rob
> Thomas
> *Sent:* Friday, 29 March 2019 10:50 AM
> *To:* Cameron Murray <cameron.murray at gmail.com>
> *Cc:* <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
> *Subject:* Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you
> have Public IPv6 Facing Mikrotik
>
>
>
> Quick summary of the problem:
>
>
>
> * From the description it appears to be a kernel-level issue - when a
> MikroTik device receives a magic IPv6 packet, it will panic.
>
> * MikroTik have known about it for almost a year, and have not fixed it.
>
> * It is not fixed in the latest 6.44.1 image
>
> * The discoverer has been trying to practice responsible disclosure, but
> has given up
>
>
>
> Further things:
>
> * MikroTik HAVE acknowledged it in a new thread a couple of hours ago
>
>   https://forum.mikrotik.com/viewtopic.php?f=2&t=147048#p723696
>
> * Twitter thread from the guy who discovered it:
>
>   https://twitter.com/maznu/status/1110910688623513601
>
> * There's a comment 'The fix is in v7' - there's a long running joke that
> v7 will never emerge (it probably never will, they've lost most of their
> senior engineers, and refuse to open source their code to leverage their
> developers in the community)
>
>
>
> I guess the good thing for me is that Nexium still can't provide us IPv6
> so we're kinda safe up here 8)
>
>
>
> --Rob
>
>
>
>
>
> On Fri, 29 Mar 2019 at 09:25, Cameron Murray <cameron.murray at gmail.com>
> wrote:
>
> Guys,
>
>
>
> This has just popped up on the Mikrotik forums that I am sure many on the
> list need to be aware of.
>
>
>
> If you run Mikrotik in your network and have IPv6 on a Public facing
> interface please check the following link:
> https://forum.mikrotik.com/viewtopic.php?t=147076
>
>
>
> Cheers
>
>
>
> Cameron
>