On Fri, 29 Mar 2019 at 10:51, Rob Thomas <[email protected]> wrote:
>
> Quick summary of the problem:
>
> * From the description it appears to be a kernel-level issue - when a
>   MikroTik device receives a magic IPv6 packet, it will panic.
> * MikroTik have known about it for almost a year, and have not fixed it.
> * It is not fixed in the latest 6.44.1 image
> * The discoverer has been trying to practice responsible disclosure, but has
>   given up
>
> Further things:
> * MikroTik HAVE acknowledged it in a new thread a couple of hours ago
>   https://forum.mikrotik.com/viewtopic.php?f=2&t=147048#p723696
> * Twitter thread from the guy who discovered it:
>   https://twitter.com/maznu/status/1110910688623513601
> * There's a comment 'The fix is in v7' - there's a long running joke that v7
>   will never emerge (it probably never will, they've lost most of their senior
>   engineers, and refuse to open source their code to leverage their developers
>   in the community)
>
> I guess the good thing for me is that Nexium still can't provide us IPv6 so
> we're kinda safe up here 8)
>

So there is a possibility that an IPv6 packet tunnelled over IPv4 towards
one of these MikroTiks could trigger the vulnerability, as the entry point
for IPv6 packets into the IPv6 stack for both IPv6 over a link layer vs.
IPv6 over IPv4 is the same (as IPv4 is effectively being used as a link
layer.)

I don't know anything about MikroTik or have access to any, however it may
be worth checking if they enable an IPv6 over IPv4 tunnel capability by
default in some way. For example, a "stateless" tunnel technology like 6to4
(with "stateless" meaning that tunnel endpoints don't need to be explicitly
configured), enabled by default, may make the device vulnerable.

"Security Implications of IPv6 on IPv4 Networks"
(https://tools.ietf.org/html/rfc7123) has quite a lot of discussion
regarding security issues related to tunnelling of IPv6 over IPv4 and
mitigations. It is dated 2014, so it may be a bit dated, however the advice
on how to block the various IPv6 in IPv4 packets would still be correct.

Regards,
Mark.

> --Rob
>
>
> On Fri, 29 Mar 2019 at 09:25, Cameron Murray <[email protected]> wrote:
>>
>> Guys,
>>
>> This has just popped up on the Mikrotik forums that I am sure many on the
>> list need to be aware of.
>>
>> If you run Mikrotik in your network and have IPv6 on a Public facing
>> interface please check the following link:
>> https://forum.mikrotik.com/viewtopic.php?t=147076
>>
>> Cheers
>>
>> Cameron
>> _______________________________________________
>> AusNOG mailing list
>> [email protected]
>> http://lists.ausnog.net/mailman/listinfo/ausnog
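
As an added illustration of the filtering point in the reply above (not code from the thread or from MikroTik), this sketch classifies raw IPv4 packets that may carry tunnelled IPv6, so the same criteria can be turned into firewall drop rules or a capture filter. The function names and sample packets are constructed for this example; the constants are the well-known identifiers for protocol 41, Teredo, TSP and the 6to4 relay anycast prefix.

```python
import ipaddress
import struct

# Well-known identifiers for IPv6-over-IPv4 transition traffic.
PROTO_41 = 41                                            # 6in4, 6to4, ISATAP, 6rd
TEREDO_PORT = 3544                                       # Teredo (UDP)
TSP_PORT = 3653                                          # tunnel broker TSP (TCP/UDP)
RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")   # 6to4 relay anycast

def classify(packet: bytes):
    """Return a label if this IPv4 packet looks like IPv6 tunnelling, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None                          # malformed header length
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if proto == PROTO_41:
        if src in RELAY_ANYCAST or dst in RELAY_ANYCAST:
            return "6to4 via relay anycast"
        return "protocol 41 (6in4/6to4/ISATAP/6rd)"
    # TCP/UDP ports are only present in the first fragment.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])
        if proto == 17 and TEREDO_PORT in ports:
            return "Teredo"
        if TSP_PORT in ports:
            return "TSP tunnel broker"
    return None

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    samples = [
        build_ipv4(41, "192.0.2.1", "198.51.100.7", b"\x60" + b"\x00" * 39),
        build_ipv4(41, "192.0.2.1", "192.88.99.1", b"\x60" + b"\x00" * 39),
        build_ipv4(17, "192.0.2.1", "198.51.100.7", struct.pack("!HHHH", 50000, 3544, 8, 0)),
        build_ipv4(6, "192.0.2.1", "198.51.100.7", struct.pack("!HH", 50000, 443)),
    ]
    for pkt in samples:
        print(classify(pkt))
```

A `None` result only means the packet matched none of these criteria; tunnels on other ports or inside other encapsulations are not covered.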
