[AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik
Rob Thomas
xrobau at gmail.com
Mon Apr 1 07:59:04 EST 2019
For those with popcorn, here's the running update (and, after typing
all this, I realise it may not be of interest to everyone on the list
- but it's a REALLY GOOD EXAMPLE of what not to do, so if you're
involved in security at YOUR org, please take notes. Specifically -
ALWAYS HAVE A 'security@' email address that gets read by AT LEAST
THREE PEOPLE who can go 'wait, hang on, that's ACTUALLY a really big
issue). If you're not interested, please feel free to skip over it.
But it's entertaining from a nerd perspective -
https://twitter.com/xrobau/status/1111780395954003969
* It seems like my original summary was pretty much spot on.
* The original thread has exploded - Linky:
https://forum.mikrotik.com/viewtopic.php?f=2&t=147048
* 'Normis' appears to be being the public face for MikroTik in this,
and has been chatting with Maznu (OP) and I on twitter.
* ANNOUNCEMENT BY MIKROTIK: This is fixed in 6.45b22!
Maznu: No it's not. https://twitter.com/maznu/status/1111910399182626816
* Mikrotik: We only heard about this last week!
Maznu: No. Here's screenshots of my emails to you, a year ago,
where you say it's not to be kept secret.
https://twitter.com/maznu/status/1112442619244802048
* MikroTik: IRRESPONSIBLE DISCLOSURE! You should have given us more warning!
Me: WTF, is 360 days NOT ENOUGH?
* Also Me: Guys, c'mon. You messed up. Everyone does it. Use it as a
learning experience on how to NOT handle security issues!
Since the titles of the CVEs have been mentioned a few time (Yes, the
title alone is enough to figure out the problems), the vulnerabilities
have been confirmed or re-implemented by other third parties.
CVE-2018-19298 = NDP exhaustion
CVE-2018-19299 = IPv6 routing exhaustion
https://forum.mikrotik.com/viewtopic.php?f=2&t=147048&start=100#p724283
* MikroTik: OK, we can fix 19298 by limiting new IPv6 connection to
2.5 per second -
https://forum.mikrotik.com/viewtopic.php?f=2&t=147048&start=50#p724018
The world: Um. This is not 1995. We have web browsers that
establish 6 concurrent connections
(To quote Michael Wheeler, our resident Ham and entertaining presenter
at LCA2019 - "ipv6 / ndp exhaustion still happening in 2019. ffs." -
https://twitter.com/theskorm/status/1111791284585324544)
On the UPSIDE, There has been some interest directed at my favourite
open source router, VyOS (based on Vyatta, which was purchased and
borg'ed by Brocade), and some discussions have been had about getting
XDP and/or DPDK into it. People seem to be leaning towards XDP,
because it allows things to be scripted by BPF, and is almost as fast
as DPDK anyway, without all the downsides of having to faff around
with moving things in and out of userspace.
(For those that haven't heard of them, they're super-optimized ways of
moving network traffic around inside/outside of the Linux/BSD Kernel -
letting standard machines run 20+ Million PPS routing/switching, with
all the advantages of commodity hardware - feel free to chat to me off
list, or on twitter where I can tag people who know more about it and
pretend I'm an expert!)
I won't do any more summaries, unless something amazing happens (eg,
MikroTik tableflip and open sources everything like they should have
10 years ago). Thanks to Cameron for the original heads up. This has
been great fun.
--Rob
More information about the AusNOG
mailing list