Important Cambium Upgrade by July 1, 2021

UPDATE: Cambium has extended this to January, 31 2022.

Updated Bulletin
https://www.cambiumnetworks.com/support/field-service-bulletins/fsb9083/?fbclid=IwAR0rhizW7jkovSvBFQnUTWyqEKL41nMEceEyfGaeFMAIOIiWNGZTVU0HmTE

On July 1, 2021 Cambium will update the certificate for https://cloud.cambiumnetworks.com 14 to use a new Certificate Authority. All cnMaestro managed devices without the updated Root CA certificate will fail to connect to the cnMaestro Cloud service. Please see the following Field Service Bulletin (FSB) for ePMP upgrade instructions.
https://www.cambiumnetworks.com/support/field-service-bulletins/fsb9083/

https://community.cambiumnetworks.com/t/notice-need-for-epmp-upgrade/74457

As of the bulletin the minimum softwar versions to support the new certificate are:

Family Model Version
cnMatrix cnMatrix EX2K 2.1-r5

cnPilot
cnPilot R200, R200P 4.6-R16
cnPilot R201, R201P 4.6-R16
cnPilot R190V, R190W 4.6-R16
cnPilot e400/e500 3.11.4.1-r3
cnPilot e410/e430w/e600 3.11.4.1-r3
cnPilot R195P 4.7-R6
cnPilot R195W 4.6-R16
cnPilot e501S/e502S 3.11.4.1-r3
cnPilot e700 3.11.4.1-r3
cnPilot e425/e505 4.1-r3
cnPilot e510 3.11.4.1-r3

cnRanger
Sierra 800 1.1-r3
Tyndall 101 1.1-r3

cnReach N500 5.2.18h

Enterprise WiFi 6
XV3-8 6.1-r5
XV2-2 6.1-r5

ePMP 1000
Hotspot ePMP 1000 Hotspot 3.3.1.2-r1

ePMP
ePMP 1000, Force 180/200 4.5.0
ePMP 2000 4.5.0
ePMP Elevate XM/XW 4.5.0
ePMP Force 190 4.5.0
ePMP Force 300 4.5.0
ePMP PTP 550 4.5.0
ePMP MP 3000 4.5.0
ePMP PTP 550 E 4.5.0
ePMP Elevate SXGLITE5 4.5.0
ePMP Elevate LHG5 4.5.0
ePMP 3000 4.5.0

PMP
PMP 450i, PMP 450, PMP
450m, PMP 430 SM 20.0 Beta-6
PTP 450, PTP 450i, PMP 450
Retro 20.0 Beta-6
Micro-pop Omni/Sector 20.0 Beta-6

PTP
PTP 650 650-01-50
PTP 670 (650 Emulation) 670-01-50,
670-03-12
PTP 670, PTP 700 700-03-11

RouterOS 6.45.1 Out – Security Fixes

Mikrotik has released RouterOS 6.45.1 with some security vulnerability fixes.  Some of these have been known and fixed before, while others are new fixes

MAJOR CHANGES IN v6.45.1:
———————-
!) dot1x – added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 – added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security – fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security – fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security – fixed vulnerability CVE-2019-13074;
!) user – removed insecure password storage;

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.

Some notes on the security Fixes
CVE-2018-1157
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.

CVE-2018-1158
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.

CVE-2019-11477/11478
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVE-2019-11479
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

CVE-2019-13074
This has been reserved and not been made widely public yet. Although a CVE ID may have been assigned by either CVE or a CAN, it will not be available in the NVD if it has a status of RESERVED by CVE.  This is traditionally done to give the vendor, in this case, Mikrotik and possibly others, a chance to fix this before the exploit is released to the general public.

Rest of the Changelog available at https://www.mikrotik.com/download