Although MikroTik has had nearly a year to address it, no patch is available for a critical vulnerability, leaving network admins no alternative to disabling IPv6 support.
A critical vulnerability in MikroTik’s RouterOS handling of IPv6 packets allows for “remote, unauthenticated denial of service,” according to security researcher Marek Isalski. Full details of the vulnerability will be presented at UKNOF 43 in Manchester on April 9, though some preliminary information is presently available.
This is not the first time an issue with MikroTik routers has surfaced, as MikroTik’s support for IPv6 has been fraught with vulnerabilities. The vulnerability to be disclosed is designated as CVE-2018-19299, and is a “larger problem with MikroTik RouterOS’s handling of IPv6 packets” than the related CVE-2018-19298, which relates to IPv6 Neighbor Discovery Protocol exhaustion.
According to a post on MikroTik’s user forum, the new vulnerability is “a memory exhaustion issue. You send a v6 packet formed in a certain way to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.”
Presently, the only mitigation is to completely disable IPv6 in RouterOS.
MikroTik’s handling of the issue, likewise, appears to be a problem. Isalski noted on Twitter that “twenty-something” releases of RouterOS have occurred since MikroTik acknowledged the vulnerability, but that the company had “stonewall[ed],” claiming it to be a “‘bug’ not a ‘security vulnerability’,” adding that this “is probably why they haven’t prioritised it for the last 50 weeks.”
Vulnerabilities in MikroTik routers have been leveraged in the Slingshot malware family discovered last year, though it is suspected to have first been deployed in 2012. MikroTik RouterOS was also leveraged in the Chimay Red exploit published by WikiLeaks as part of the Vault 7 releases of vulnerabilities claimed to originate from the CIA, as well as the related Chimay Blue, discovered by security researcher Lorenzo Santina.
TechRepublic directly contacted Marek Isalski and MikroTik for comment, but did not receive a response by press time.
MikroTik is not the only router manufacturer facing issues, as a recent patch to Cisco routers failed to actually address a vulnerability.