
MikroTik Releases a Belated, Half-Working Patch to Fix an Old Vulnerability

Latvian router software and hardware manufacturer MikroTik has fixed a bug that had been lying dormant in its RouterOS devices since April 2018. The vulnerability is a memory exhaustion problem in the handling of IPv6 packets: in practice it allowed outsiders to carry out DDoS attacks against MikroTik's routers by sending a relatively small number of IPv6 packets.

Although MikroTik's specialists have been aware of the problem for the last twelve months, it was not until last week that they finally patched it. The delay may have two main reasons. First, the problem only affected users who had manually enabled IPv6 on their RouterOS-based devices. That functionality is disabled by default, which means that the memory exhaustion bug, tracked as CVE-2018-19299, could only have had a limited impact. Second, the memory leak reportedly occurred at the kernel level, making it virtually impossible to solve unless MikroTik developed a brand-new OS.

Luckily, the patch is now available, and MikroTik's customers are advised to upgrade their RouterOS to the new 6.43.14 long-term version as soon as possible. That is undoubtedly good news for all network operators relying on MikroTik's devices. Yet Faelix's CTO Marek Isalski has found that the patch only proves effective on MikroTik routers with 128 MB of RAM or more. In other words, if you have a MikroTik RouterOS device with 64 MB of RAM or less, it still runs the risk of falling prey to a DDoS attack. The Latvian vendor has already committed to optimizing its low-RAM hardware in a future RouterOS beta version, but when that beta version will arrive remains unclear at the moment. Until it does, disabling IPv6 remains the best line of defense.
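As an added illustration, not part of the original article, the following RouterOS 6.x command-line session walks through the checks and mitigations described above: confirm the installed version and RAM, see whether the ipv6 package is enabled, upgrade on the long-term channel, or disable IPv6 on devices the patch cannot help. The command syntax is the editor's assumption of RouterOS 6.x conventions and should be checked against the device's own help before use.

```routeros
# Added example (editor's, not MikroTik's or the article's): triage one
# RouterOS device for CVE-2018-19299 and apply the article's mitigations.
# Syntax assumed to be RouterOS 6.x; field names in the output vary by build.

# 1. Is this device still on a version older than 6.43.14, and how much
#    RAM does it have? Look at the "version" and "total-memory" fields.
/system resource print

# 2. Is the ipv6 package present and enabled at all? If it is disabled,
#    the device is not exposed to this bug.
/system package print where name=ipv6

# 3a. Devices with 128 MB of RAM or more: take the fixed long-term release.
#     "install" downloads the packages and reboots the router.
/system package update set channel=long-term
/system package update check-for-updates
/system package update install

# 3b. Devices with 64 MB of RAM or less, or any device that cannot be
#     upgraded right now: turn IPv6 off entirely. The package change only
#     takes effect after a reboot.
/system package disable ipv6
/system reboot
```

Run step 1 and 2 first and record the results; on a fleet, the version, memory and ipv6 package state are the three fields worth exporting so that low-RAM devices left on the IPv6-disabled workaround can be revisited once MikroTik ships the promised beta.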

Interestingly enough, it was Isalski who first discovered MikroTik's IPv6 vulnerability, almost exactly one year ago.
