Security
 

CVE-2018-19298 CVE-2018-19299 IPv6 resource exhaustion

Summary

RouterOS contained several IPv6 related resource exhaustion issues, that have now been fixed, taking care of the above-mentioned CVE entries.

The first issue caused the device to reboot if traffic to a lot of different destination addresses was routed. The reboot was caused by watchdog timer since the device was overloaded and stopped responding. After that reboot was fixed, another issue caused the memory to be filled, because IPv6 route cache size could be bigger than the available RAM. This also was fixed, by introducing automatic cache size calculation based on available memory. Both fixes are released already in RouterOS versions that were published April, 2019 (all release chains: RouterOS v6.44.2, RouterOS v6.45beta23 and RouterOS v6.43.14).

Here are the relevant changelog entries:

  • ipv6 - fixed soft lockup when forwarding IPv6 packets
  • ipv6 - fixed soft lockup when processing large IPv6 Neighbor table
  • ipv6 - adjust IPv6 route cache max size based on total RAM memory

Who is affected

By default, the IPv6 functionality in RouterOS is disabled, these systems are not affected. Only people who have manually enabled and configured IPv6 can be affected if their IPv6 address is reachable from untrusted networks.

How to remedy

Upgrade to any RouterOS version released after April 1st, 2019.

Acknowledgements

  • CVE-2018-19298, CVE-2018-19299: Marek Isalski