A critical vulnerability in MikroTik’s RouterOS handling of IPv6 packets allows for “remote, unauthenticated denial of service,” according to security researcher Marek Isalski. Full details of the vulnerability will be presented at at UNKOF 43 in Manchester on April 9, though some preliminary information is presently available.
This is not the first time an issue with MikroTik routers has surfaced, as MikroTik’s support for IPv6 has been fraught with vulnerabilities. The vulnerability to be disclosed is designated as CVE-2018-19299, and is a “larger problem with MikroTik RouterOS’s handling of IPv6 packets” than the related CVE-2018-19298, which relates to IPv6 Neighbor Discovery Protocol exhaustion.
SEE: Hiring kit: Network administrator (Tech Pro Research)
According to a post on MikroTik’s user forum, the new vulnerability is “a memory exhaustion issue. You send a v6 packet formed in a certain way to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.”
Presently, the only mitigation is to completely disable IPv6 in RouterOS.
MikroTik’s handling of the issue, likewise, appears to be a problem, as Isalski noted on Twitter that “twenty-something” releases of RouterOS have occurred since MikroTik acknowledged the vulnerability, but had “stonewall[ed],” claiming it to be a “‘bug’ not a ‘security vulnerability’,” adding that this “is probably why they haven’t prioritised it for the last 50 weeks.”
Vulnerabilities in MikroTik routers have been leveraged in the Slingshot malware family discovered last year, though is suspected to have first been deployed in 2012. MikroTik RouterOS was also leveraged in the Chimay Red exploit published by WikiLeaks as part of the Vault 7 releases of vulnerabilities claimed to originate from the CIA, as well as the related Chimay Blue, discovered by security researcher Lorenzo Santina.
TechRepublic contacted MikroTik for comment, though have yet to receive a response. Marek Isalski told TechRepublic “MikroTik’s stance is that this is a ‘bug’ and not a ‘vulnerability’–multiple staff there have repeatedly and consistently told me the same thing in spite of my pleas for it to be treated as a security issue.”
MikroTik is not the only router manufacturer facing issues, as a recent patch to Cisco routers failed to actually address a vulnerability.
Update: MikroTik claims to have patched the issue in RouterOS 6.45 Beta 22, though Isalski posted a video demonstrating that the vulnerability can still be exploited. In comments to TechRepublic, Isalski expressed confidence that this vulnerability can be patched properly before public disclosure.
Update 2: On April 4, MikroTik released official patches for the issues, in RouterOS v6.44.2, RouterOS v6.45beta23 and RouterOS v6.43.14. In a statement to TechRepublic, Isalski noted that “I confirm both look like they’ve resolved the problem. Now the hard bit begins: all us network operators using MikroTik equipment have to test these releases in our pre-production labs, then deploy to production, and monitor the situation to ensure the update doesn’t cause any other issues.”