For those with popcorn, here's the running update (and, after typing all this, I realise it may not be of interest to everyone on the list - but it's a REALLY GOOD EXAMPLE of what not to do, so if you're involved in security at YOUR org, please take notes. Specifically - ALWAYS HAVE A 'security@' email address that gets read by AT LEAST THREE PEOPLE who can go 'wait, hang on, that's ACTUALLY a really big issue'). If you're not interested, please feel free to skip over it. But it's entertaining from a nerd perspective - https://twitter.com/xrobau/status/1111780395954003969

* It seems like my original summary was pretty much spot on.
* The original thread has exploded - Linky: https://forum.mikrotik.com/viewtopic.php?f=2&t=147048
* 'Normis' appears to be the public face for MikroTik in this, and has been chatting with Maznu (OP) and me on twitter.
* ANNOUNCEMENT BY MIKROTIK: This is fixed in 6.45b22!
  Maznu: No it's not. https://twitter.com/maznu/status/1111910399182626816
* MikroTik: We only heard about this last week!
  Maznu: No. Here are screenshots of my emails to you, a year ago, where you say it's not to be kept secret. https://twitter.com/maznu/status/1112442619244802048
* MikroTik: IRRESPONSIBLE DISCLOSURE! You should have given us more warning!
  Me: WTF, is 360 days NOT ENOUGH?
* Also Me: Guys, c'mon. You messed up. Everyone does it. Use it as a learning experience on how NOT to handle security issues!

Since the titles of the CVEs have been mentioned a few times (yes, the title alone is enough to figure out the problems), the vulnerabilities have been confirmed or re-implemented by other third parties.

CVE-2018-19298 = NDP exhaustion
CVE-2018-19299 = IPv6 routing exhaustion
https://forum.mikrotik.com/viewtopic.php?f=2&t=147048&start=100#p724283

* MikroTik: OK, we can fix 19298 by limiting new IPv6 connections to 2.5 per second - https://forum.mikrotik.com/viewtopic.php?f=2&t=147048&start=50#p724018
  The world: Um. This is not 1995. We have web browsers that establish 6 concurrent connections. (To quote Michael Wheeler, our resident Ham and entertaining presenter at LCA2019 - "ipv6 / ndp exhaustion still happening in 2019. ffs." - https://twitter.com/theskorm/status/1111791284585324544)

On the UPSIDE, there has been some interest directed at my favourite open source router, VyOS (based on Vyatta, which was purchased and borg'ed by Brocade), and some discussions have been had about getting XDP and/or DPDK into it.

People seem to be leaning towards XDP, because it allows things to be scripted by BPF, and is almost as fast as DPDK anyway, without all the downsides of having to faff around with moving things in and out of userspace. (For those that haven't heard of them, they're super-optimized ways of moving network traffic around inside/outside of the Linux/BSD kernel - letting standard machines run 20+ million PPS routing/switching, with all the advantages of commodity hardware - feel free to chat to me off list, or on twitter where I can tag people who know more about it and pretend I'm an expert!)

I won't do any more summaries, unless something amazing happens (eg, MikroTik tableflip and open source everything like they should have 10 years ago).

Thanks to Cameron for the original heads up. This has been great fun.

--Rob

_______________________________________________
AusNOG mailing list
[email protected]
http://lists.ausnog.net/mailman/listinfo/ausnog
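An added illustration of the NDP exhaustion class of bug the thread is about (this is not from Rob's post, and it is not MikroTik's or VyOS's code): a toy Python model of a router's IPv6 neighbour cache under a scan of unassigned addresses in an on-link /64, the failure mode documented in RFC 6583. The naive policy evicts whatever is oldest to make room for a new INCOMPLETE entry, so a scan pushes out real neighbours; the hardened policy caps INCOMPLETE entries and only ever displaces other INCOMPLETE entries. The prefix (2001:db8::/64), the 256-entry cache, the 50 legitimate hosts and the 1000-probe scan are all constructed values for the demonstration.

```python
"""Toy model of an IPv6 neighbour cache under an NDP exhaustion scan (RFC 6583).

Constructed example. Timers (NS retransmit/expiry) and per-packet rate limits
are deliberately left out so the eviction policy alone is visible.
"""
import ipaddress
from collections import OrderedDict

PREFIX = ipaddress.IPv6Network("2001:db8::/64")  # documentation prefix, assumed


class NeighbourCache:
    """hardened=False: any entry (even a resolved neighbour) is LRU-evicted
    when a packet for an unknown on-link address needs a new INCOMPLETE entry.
    hardened=True: INCOMPLETE entries are capped at incomplete_share of the
    cache and only ever replace other INCOMPLETE entries, so a scan of
    non-existent addresses cannot push out neighbours that actually answered.
    """

    def __init__(self, size=256, hardened=False, incomplete_share=0.25):
        self.size = size
        self.hardened = hardened
        self.incomplete_limit = max(1, int(size * incomplete_share))
        self.entries = OrderedDict()   # address -> "INCOMPLETE" | "REACHABLE"
        self.evicted_reachable = 0     # resolved neighbours pushed out by the scan
        self.dropped_probes = 0        # resolutions refused because cache was full

    def _incomplete(self):
        return [a for a, s in self.entries.items() if s == "INCOMPLETE"]

    def forward(self, dst):
        """Router has a packet for on-link address dst; return the cache state."""
        if dst in self.entries:
            self.entries.move_to_end(dst)          # recently used
            return self.entries[dst]
        if self.hardened:
            pending = self._incomplete()
            if len(pending) >= self.incomplete_limit:
                del self.entries[pending[0]]       # drop oldest pending resolution only
            if len(self.entries) >= self.size:
                self.dropped_probes += 1           # full of real neighbours: refuse
                return "DROPPED"
        elif len(self.entries) >= self.size:
            _, state = self.entries.popitem(last=False)   # naive LRU, any state
            if state == "REACHABLE":
                self.evicted_reachable += 1
        self.entries[dst] = "INCOMPLETE"           # NS sent, waiting for an NA
        return "INCOMPLETE"

    def neighbour_advertised(self, addr):
        """A real host answered the NS: entry becomes REACHABLE."""
        self.entries[addr] = "REACHABLE"
        self.entries.move_to_end(addr)


def simulate(hardened, legit_hosts=50, probes=1000, size=256):
    """Populate the cache with real neighbours, then scan unassigned addresses."""
    cache = NeighbourCache(size=size, hardened=hardened)
    base = int(PREFIX.network_address)
    legit = [ipaddress.IPv6Address(base + i) for i in range(1, legit_hosts + 1)]
    for host in legit:                 # normal operation: these hosts answer
        cache.forward(host)
        cache.neighbour_advertised(host)
    # Attacker sends one packet each to addresses nobody holds; a /64 has 2^64
    # of them, so the probes never repeat and no NA ever arrives.
    for i in range(probes):
        cache.forward(ipaddress.IPv6Address(base + 0x1_0000_0000 + i))
    surviving = sum(1 for h in legit if cache.entries.get(h) == "REACHABLE")
    return {
        "surviving": surviving,
        "evicted": cache.evicted_reachable,
        "cache_entries": len(cache.entries),
        "dropped_probes": cache.dropped_probes,
    }


if __name__ == "__main__":
    print("naive   :", simulate(hardened=False))
    print("hardened:", simulate(hardened=True))
```

With the constructed numbers the naive cache loses all 50 real neighbours once the scan has filled the 256 slots, while the hardened cache holds the scan to 64 INCOMPLETE entries and keeps every resolved neighbour. The point for the thread is that the fix lives in the cache's admission and eviction policy, not in a global cap on new flows: a low per-second limit on new entries only slows the attacker down and still starves legitimate traffic.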
