RouterOS v7 limited beta

I did an overall video of the New Mikrotik RouterOS v7.

From Mikrotik forum: https://forum.mikrotik.com/viewtopic.php?f=1&t=152003

We have released a very limited test variant of RouterOS v7. Currently only available for ARM systems with a slightly limited feature set.

What is currently unlocked / available:

– Only available for ARM architecture
– Based on Kernel 4.14.131, which is currently the latest and most supported LTS version
– New CLI style, but compatible with the old one for compatibility
– New routing features, but see below
– OpenVPN UDP protocol support
– NTP client and server now in one, rewritten application
– removed individual packages, only bundle and extra packages will remain

Other features not yet public.

What is not available:

– BGP / MPLS disabled
– Extra packages
– Winbox does not show all features, use CLI for most functionality

DO NOT USE IT FOR ANYTHING IMPORTANT, THIS RELEASE IS STRICTLY FOR TESTING AND DOES CONTAIN BUGS

Download link: https://mt.lv/v7

Mikrotik 6.46 beta34 noteable things

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at "Patrons Only" or higher tier

Mikrotik 6.45.2 is out

What’s new in 6.45.2 (2019-Jul-17 10:04):

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
Old API authentication method will also no longer work, see documentation for new login procedure:
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

*) bonding – fixed bonding running status after reboot when using other bonds as slave interfaces (introduced in v6.45);
*) cloud – properly stop “time-zone-autodetect” after disable;
*) interface – fixed missing PWR-LINE section on PL7411-2nD and PL6411-2nD (introduced v6.44);
*) ipsec – added “connection-mark” parameter for mode-config initiator;
*) ipsec – allow peer argument only for “encrypt” policies (introduced in v6.45);
*) ipsec – fixed peer configuration migration from versions older than v6.43 (introduced in v6.45);
*) ipsec – improved stability for peer initialization (introduced in v6.45);
*) ipsec – show warning for policies with “unknown” peer;
*) ospf – fixed possible busy loop condition when accessing OSPF LSAs;
*) profile – added “internet-detect” process classificator;
*) radius – fixed “User-Password” encoding (introduced in v6.45);
*) ssh – do not enable “none-crypto” if “strong-crypto” is enabled on upgrade (introduced in v6.45);
*) ssh – fixed executed command output printing (introduced in v6.45);
*) supout – fixed supout file generation outside of internal storage with insufficient space;
*) upgrade – fixed “auto-upgrade” to use new style authentication (introduced in v6.45);
*) vlan – fixed “slave” flag for non-running interfaces (introduced in v6.45);
*) wireless – improved 802.11ac stability for all ARM devices with wireless;
*) wireless – improved range selection when distance set to “dynamic”;

RouterOS 6.45.1 Out – Security Fixes

Mikrotik has released RouterOS 6.45.1 with some security vulnerability fixes.  Some of these have been known and fixed before, while others are new fixes

MAJOR CHANGES IN v6.45.1:
———————-
!) dot1x – added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 – added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security – fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security – fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security – fixed vulnerability CVE-2019-13074;
!) user – removed insecure password storage;

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.

Some notes on the security Fixes
CVE-2018-1157
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.

CVE-2018-1158
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.

CVE-2019-11477/11478
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVE-2019-11479
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

CVE-2019-13074
This has been reserved and not been made widely public yet. Although a CVE ID may have been assigned by either CVE or a CAN, it will not be available in the NVD if it has a status of RESERVED by CVE.  This is traditionally done to give the vendor, in this case, Mikrotik and possibly others, a chance to fix this before the exploit is released to the general public.

Rest of the Changelog available at https://www.mikrotik.com/download

Mikrotik RouterOS 6.43 and older notes

For those of you running newer routerOS versions you should be aware of this.

Downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.

I am not sure when this actually started as it shows up in the changelog of 6.45beta62. I am going to assume this starts at 6.45 once it’s released.

MikroTik Router as a Vultr host

Recently I spun up a Mikrotik instance under Vultr for the purpose of doing some v6 testing. I was running into some problems with getting IPV6 to route properly. Vultr has IPV6 setup on their side to auto configure a gateway, etc. when it comes to IPV6. They are expecting a host, not a router. Why is his a problem?

The RFC states that nodes that act as routers are NOT to use SLAAC for IPv6 address configuration. In other words, routers that derived their interface IPv6 address from SLAAC cannot act as routers on that segment. This is a pretty hard set in stone thing when it comes to the RFC.

So how do we get around this in this instance? Go to IPV6…settings and turn off IPV6 forward.

IPv6 will start working at this point. The catch is, you won’t see neither address nor default route anywhere. It’s there, but it’s hidden. If you try to ping some external address, it will work.