Thanks to the many people who contacted me a fortnight ago, both on- and off-list - I followed up contacts where I could, and it hopefully has given some advance notice to "the good guys" and brought some pressure (or even assistance) to bear on the vendor.
> On 14 Mar 2019, at 14:05, Mike Reed <[email protected]> wrote: > You've given them many warnings.. the bad guys more likely than not already > know, why wouldn't you release the information? Several people who contacted me privately correctly guessed, and it's public knowledge now anyway. As has been published in the abstract on the UKNOF 43 programme, I can confirm that the vendor I will be talking about is MikroTik: > During some research which found CVE-2018-19298 (MikroTik IPv6 Neighbor > Discovery Protocol exhaustion), I uncovered a larger problem with MikroTik > RouterOS’s handling of IPv6 packets. This led to CVE-2018-19299, an > unpublished and as yet unfixed (despite almost one year elapsing since vendor > acknowledgement) vulnerability in RouterOS which allows for remote, > unauthenticated denial of service. Unpublished... until UKNOF 43! See you all in Manchester, Kind regards, Marek Isalski
