
posted by martyb on Friday March 29 2019, @04:49AM
from the four-billion-addresses-should-be-enough-for-anyone dept.

A critical vulnerability in MikroTik’s RouterOS handling of IPv6 packets allows for “remote, unauthenticated denial of service,” according to security researcher Marek Isalski.

[...]The vulnerability to be disclosed is designated as CVE-2018-19299, and is a "larger problem with MikroTik RouterOS's handling of IPv6 packets" than the related CVE-2018-19298, which relates to IPv6 Neighbor Discovery Protocol exhaustion.

[...]According to a post on MikroTik’s user forum, the new vulnerability is “a memory exhaustion issue. You send a v6 packet formed in a certain way to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.”

Presently, the only mitigation is to completely disable IPv6 in RouterOS.

https://www.techrepublic.com/article/unpatched-vulnerability-in-mikrotik-routeros-enables-easily-exploitable-denial-of-service-attack/
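The forum post quoted above describes the symptom a defender can actually observe: free memory on the router shrinks with each malformed packet until it crashes and the watchdog reboots it. The following Python is an added example, not code from the article, the forum post or MikroTik; it assumes a monitoring system already polls the router's free memory (for instance over SNMP) and hands the script a list of (seconds, free_bytes) samples, and all sample data below is constructed. It fits a line to the samples, estimates time to exhaustion, and counts sudden free-memory jumps as suspected watchdog resets, so that a steady leak is flagged before the router falls over rather than after.

```python
"""Estimate time to memory exhaustion from free-memory samples (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Sample = Tuple[float, float]  # (time in seconds, free memory in bytes), assumed poll format


@dataclass
class Estimate:
    slope_bytes_per_s: float                 # negative means free memory is shrinking
    seconds_to_exhaustion: Optional[float]   # None when memory is not shrinking
    alert: bool                              # True when exhaustion is within the horizon


@dataclass
class Report:
    reboots: int                  # sudden free-memory jumps, i.e. suspected watchdog resets
    estimate: Optional[Estimate]  # None when the current segment is too short to judge


def _slope(times: Sequence[float], values: Sequence[float]) -> float:
    """Least-squares slope of values over times (bytes per second)."""
    n = len(times)
    mean_t = sum(times) / n
    mean_v = sum(values) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in zip(times, values))
    den = sum((t - mean_t) ** 2 for t in times)
    return num / den if den else 0.0


def split_on_reboot(samples: List[Sample], reset_jump_bytes: float) -> List[List[Sample]]:
    """Cut the series wherever free memory jumps up sharply: a leaking router that
    crashes and is rebooted by the watchdog comes back with memory freed, and a
    trend fitted across that boundary would hide the leak."""
    segments: List[List[Sample]] = [[samples[0]]]
    for prev, cur in zip(samples, samples[1:]):
        if cur[1] - prev[1] > reset_jump_bytes:
            segments.append([cur])
        else:
            segments[-1].append(cur)
    return segments


def estimate_exhaustion(samples: Sequence[Sample], alert_horizon_s: float = 3600.0) -> Estimate:
    """Project the current free-memory trend forward to zero."""
    times = [s[0] for s in samples]
    values = [s[1] for s in samples]
    slope = _slope(times, values)
    if slope >= 0:
        return Estimate(slope, None, False)
    seconds_left = values[-1] / -slope
    return Estimate(slope, seconds_left, seconds_left <= alert_horizon_s)


def analyze(samples: Sequence[Sample], alert_horizon_s: float = 3600.0,
            reset_jump_bytes: float = 50_000_000, min_samples: int = 5) -> Report:
    """Report suspected resets and the exhaustion estimate for the latest segment."""
    if not samples:
        raise ValueError("no samples")
    segments = split_on_reboot(list(samples), reset_jump_bytes)
    current = segments[-1]
    est = estimate_exhaustion(current, alert_horizon_s) if len(current) >= min_samples else None
    return Report(reboots=len(segments) - 1, estimate=est)


# Constructed sample series (one poll per minute, free memory in bytes).
# Healthy router: ~200 MB free with symmetric jitter, no trend.
STEADY_SAMPLES: List[Sample] = [
    (i * 60, 200_000_000 + n * 1_000_000)
    for i, n in enumerate([1, -1, -1, 1, 1, -1, -1, 1])
]
# Leaking router: loses 5 MB per minute and never recovers.
LEAKING_SAMPLES: List[Sample] = [(i * 60, 200_000_000 - i * 5_000_000) for i in range(10)]
# Leak, watchdog reboot (memory returns), then the leak resumes.
REBOOT_SAMPLES: List[Sample] = [
    (0, 200_000_000), (60, 150_000_000), (120, 100_000_000), (180, 50_000_000),
    (240, 200_000_000), (300, 195_000_000), (360, 190_000_000), (420, 185_000_000),
    (480, 180_000_000),
]

if __name__ == "__main__":
    for name, series in [("steady", STEADY_SAMPLES), ("leaking", LEAKING_SAMPLES),
                         ("reboot", REBOOT_SAMPLES)]:
        print(name, analyze(series))
```

The 50 MB reset threshold and the one-hour alert horizon are assumptions to tune per device; repeated resets in the report are themselves worth alerting on, since a router that keeps coming back from the watchdog is exactly the pattern the post describes.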


This discussion has been archived. No new comments can be posted.
  • (Score: 3, Interesting) by isostatic on Friday March 29 2019, @10:01AM (4 children)

    by isostatic (365) on Friday March 29 2019, @10:01AM (#821722) Journal

    Thanks for this, I wouldn't have seen it otherwise. MikroTik are notoriously bad at communicating security issues - they've only just started an email list for them after a decade of harassing.

    This seems to stem from a Linux kernel IPv6 memory bug, but MikroTik use a fixed kernel line in their code, and seem to have spent the last year not backporting the fix.

  • (Score: 2) by driverless on Friday March 29 2019, @12:40PM (3 children)

    by driverless (4770) on Friday March 29 2019, @12:40PM (#821759)

    That's what surprises me as well, why are people so keen on them when there seems to be a never-ending parade of vulns in their gear? They may be sort-of OK compared to low-end stuff like D-Link, but if you're going to pay premium prices then there's lots of other good-quality gear you can get that's less flawed than MikroTik.

    • (Score: 2) by isostatic on Friday March 29 2019, @02:22PM (2 children)

      by isostatic (365) on Friday March 29 2019, @02:22PM (#821803) Journal

      They're very flexible and very cheap. Try to find something that can route traffic into an encrypted 10gbit/second tunnel for under $1k. Try to find something to sit on your desktop that supports BGP and NAT for $50, or something that can do MPLS and wireless and runs over PoE.

      The main competition in this area is probably Ubiquiti, rather than Juniper or Arista.

      • (Score: 2) by driverless on Friday March 29 2019, @02:39PM

        by driverless (4770) on Friday March 29 2019, @02:39PM (#821812)

        Yeah, true. For non-toy use I like Draytek, but then they're not $50 devices...

      • (Score: 2) by goodie on Friday March 29 2019, @05:31PM

        by goodie (1877) on Friday March 29 2019, @05:31PM (#821906) Journal

        Yup. I'm in the process of renewing my gear for a new home and was debating between Ubiquiti and MikroTik. In the end, I let go of MikroTik simply because I could not find a reputable reseller around my location and their website was just fishy in my opinion. But the prices are pretty attractive... I did pick some Ubiquiti APs and a router from them as well, but they are quite pricey. And the UniFi stuff is, to me at least, somewhat problematic for small-scale installs. I had to upgrade an AP before I could "adopt" it into my network and even configure it, which in my opinion, is pretty bad in terms of design. Switch, I was looking at Ubiquiti but went with Netgear. Cheaper and does the job since I am not running a large-scale network where I need monitoring over same-brand equipment. Some of the firmware updates at Ubiquiti are also pretty beta from what I have read recently...

        I have actually experienced some issues connecting the router to my current cable modem (basically had to use a switch in between, otherwise the router would consider that the link was down...). Crossing fingers that I won't have any when I switch to FTTH in a few days.