Pierluigi Paganini April 06, 2019

A vulnerability could be exploited by attackers to trigger a denial-of-service (DoS) condition on devices running RouterOS.

MikroTik routers made the headlines again, the company disclosed this week technical details about a year-old vulnerability that exposes the device to remote attacks.

Attackers could exploit the vulnerability to trigger a denial-of-service (DoS) condition on devices running RouterOS.

“RouterOS contained several IPv6 related resource exhaustion issues, that have now been fixed, taking care of the above-mentioned CVE entries.” reads a blog post published by MikroTik.

“The first issue caused the device to reboot if traffic to a lot of different destination addresses was routed. The reboot was caused by watchdog timer since the device was overloaded and stopped responding”

The Latvian vendor already released security updates for the RouterOS that addressed the flaw (CVE-2018-19299), but according to the experts, some of the affected devices continue to be vulnerable.

The CVE-2018-19299 vulnerability affects unpatched MikroTik devices that routes IPv6 packets. An attacker could exploit the issue by sending a specific sequence of IPv6 packets that saturate the RAM usage.

“After that reboot was fixed, another issue caused the memory to be filled, because IPv6 route cache size could be bigger than the available RAM. This also was fixed, by introducing automatic cache size calculation based on available memory.” continues the post.

MikroTik addressed the issues in RouterOS versions that were published April, 2019 (all release chains: RouterOSv6.44.2 RouterOS v6.45beta23 and RouterOSv6.43.14 . 

Experts discovered that the fix for the DoS flaw only works only devices with more than 64MB of RAM.

MikroTik trainer Javier Prieto tested the issue on a Cloud Hosted Router (CHR) with 256MB of RAM, he observed that the attack caused the additional usage of 20Mib.

“I have done several tests with GNS3 using CHR 6.44.2 (stable) and as long as the router has enough memory, it doesn’t crash. In my tests, the attack ‘steals’ around 180 MiB.” explained Prieto.

“Using a CHR with 256 MB, system resources shows a total memory of 224 MiB and free-memory of 197 MiB before attack. During the attack, only from one computer, the free memory decreases to around 20 MiB and sometimes to 13 MiB. Using two attackers, it seems the results are the same and not worst. With 200 MB the router reboots because OOM.”

The flaw was reported by several experts, including Isalski, back on April 16, 2018. The expert explained that the vendor acknowledged the flaw, but that it did not classify it as a security vulnerability.

In March Isalski reported the flaw to several emergency response team and disclosed evidence of the exploitation of the vulnerability in attacks in the wild.

Isalski confirmed that the CVE-2018-19299 flaw “affects almost any of MikroTik’s devices, even those used as ‘core’ or ‘backhaul’ routers.”

“More than 20 RouterOS versions have been released since MikroTik learned about the vulnerability.” reported Bleeping computer. “One reason for this, besides dismissing its security risk, is that flaw is at kernel level and it is very difficult to fix. A member of the company’s support team said that RouterOS v6 has an older kernel version and it cannot be changed.”

Experts believe that the vendor will introduce some optimizations in the next beta version of RouterOS for hardware with low RAM resource.

Pierluigi Paganini

(SecurityAffairs – CVE-2018-19299, MikroTik)

[adrotate banner=”5″]

[adrotate banner=”13″]