MikroTik Value Added Distributor, MikroTik Training Centre, MikroTik Toronto, MikroTik Canada

Tuesday, 02 July 2019 / Published in Blog, RouterBOARDs, RouterOS

Netflix has identified vulnerabilities in RouterOS.

Netflix has identified several TCP networking vulnerabilities in the Linux kernel that is used in RouterOS.

-Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels

-MAJOR CHANGES IN v6.45.1

-Essential Changes in this release

-Upcoming Training courses

==========================================

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels

The vulnerabilities can trigger a DoS (denial of service) if the RouterOS system is attacked from an insufficiently protected network interface (port). A firewall can protect against the issue. The fix is included in RouterOS 6.45.1, which is available on MikroTik's webpage.

MikroTik's own announcement reads:

Netflix has identified several TCP networking vulnerabilities in the Linux kernel that is used in RouterOS. The vulnerabilities can trigger a denial of service if the RouterOS system is attacked from an insufficiently protected network interface (port). A firewall can protect against the issue.

MikroTik has already applied the necessary patches, and RouterOS versions containing them will be released in a few days. We will update this article with dates and version numbers as they become available.

Update: the fix is included in RouterOS 6.45.1, which is available on our webpage.

Course of action

Make sure your device is not accessible from untrusted networks, protect it using our suggestions, and when upgrade files become available, upgrade to the latest RouterOS release.
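As an added example (not from this post or from MikroTik) of the course of action above, and of the "do not forget the firmware" reminder further down: a RouterOS input-chain firewall that keeps the router's own TCP stack unreachable from untrusted interfaces, followed by the package and RouterBOARD firmware upgrade commands. Assumed: ether1 is the untrusted uplink and 192.168.88.0/24 is the admin LAN.

```routeros
# Added example, not MikroTik's or the post's configuration.
# Assumptions: ether1 = untrusted uplink, 192.168.88.0/24 = trusted management LAN.
/interface list add name=WAN comment="untrusted uplinks (assumed)"
/interface list member add list=WAN interface=ether1
/ip firewall address-list add list=management address=192.168.88.0/24 comment="assumed admin LAN"

# Input chain = traffic addressed to the router itself (the TCP stack that CVE-2019-11477/8/9 hit).
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping and path MTU discovery"
add chain=input src-address-list=management action=accept comment="management only from trusted LAN"
add chain=input in-interface-list=WAN action=drop comment="no new connections to the router from WAN"

# Bind management services to the trusted LAN as well, and disable what is not used.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set www disabled=yes

# Upgrade RouterOS (install reboots the device), then upgrade RouterBOARD firmware and reboot again.
/system package update check-for-updates
/system package update install
/system routerboard upgrade
/system reboot
```

The established,related accept still exposes sessions the router itself opens (for example to an update server) to a malicious peer, so the firewall is a stopgap and the 6.45.1 upgrade is the actual fix.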

More details

The original article.

==========================================

MAJOR CHANGES IN v6.45.1

Dot1x is the implementation of the IEEE 802.1X standard in RouterOS. Its main purpose is to provide port-based network access control using EAP over LAN, also known as EAPOL. 802.1X consists of a supplicant, an authenticator and an authentication server (a RADIUS server). Currently, both the authenticator and the supplicant sides are supported in RouterOS. Supported EAP methods for the supplicant are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and PEAPv0/EAP-MSCHAPv2.
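An added example (not MikroTik's documentation or the post's own configuration) showing the two dot1x roles described above on a 6.45.1 router. Assumed: a RADIUS server at 10.0.0.5 with a placeholder shared secret, ether2 facing end devices that must authenticate, and, for the supplicant role, ether1 facing an 802.1X-enabled upstream switch with an already imported certificate named client-cert.

```routeros
# Added example, not from the post or from MikroTik.
# Assumptions: RADIUS at 10.0.0.5, ether2 = access port for end devices,
# ether1 = uplink to an 802.1X switch, "client-cert" = imported client certificate.

# Authenticator role: ether2 stays closed to normal traffic until the attached
# device completes EAPOL authentication against the RADIUS server.
/radius add service=dot1x address=10.0.0.5 secret=CHANGE-ME-SHARED-SECRET
/interface dot1x server add interface=ether2 auth-types=dot1x

# Supplicant role: this router authenticates itself to the upstream switch
# with EAP-TLS, so the uplink only opens once the certificate is accepted.
/interface dot1x client add interface=ether1 eap-methods=eap-tls \
    certificate=client-cert identity=router1

# Check both sides are configured and see their current state.
/interface dot1x server print
/interface dot1x client print
```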

!) dot1x – added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 – added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security – fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security – fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security – fixed vulnerability CVE-2019-13074;
!) user – removed insecure password storage;
==========================================

Essential Changes in this release

Beyond the security fixes, if you are using one of the “RB3011, RB4011, RB911, CRS317, CRS3xx series” boards or one of these RouterOS features, “IPsec, CAPsMAN, Bridge, VLAN, Certificate, DHCP v4 or v6, GPS, ike, LTE, OSPF, SNMP, SSH, USERMANAGER, Radius”, you should upgrade RouterOS, and DO NOT forget to upgrade the firmware as well.

-www – improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

-wireless – improved installation mode selection for wireless outdoor equipment;

-wireless – improved DFS radar detection when using non-ETSI regulated country;

-wireless – improved 160MHz channel width stability on rb4011;

-sstp – improved stability when received traffic hits tarpit firewall;

-m33g – added support for additional Serial Console port on GPIO headers;

-ospf – added support for link scope opaque LSAs (Type 9) for OSPFv2;

-ospf – fixed opaque LSA type checking in OSPFv2;

-ospf – improved “unknown” LSA handling in OSPFv3;

-proxy – increased minimal free RAM that can not be used for proxy services;

-rb3011 – improved system stability when receiving bogus packets;

-rb4011 – fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);

-crs317 – fixed known multicast flooding to the CPU;

-crs3xx – added ethernet tx-drop counter;

-crs3xx – correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;

-crs3xx – fixed auto-negotiation when a 2-pair twisted cable is used (downshift feature);

-crs3xx – fixed “tx-drop” counter;

-crs3xx – improved switch-chip resource allocation on CRS326, CRS328, CRS305;

-capsman – fixed CAP system upgrading process for MMIPS;

-capsman – fixed interface-list usage in access list;

=============================================================

-Upcoming Training courses

In our training courses you will learn more about RouterOS features; our goal is to improve your troubleshooting skills.

We can also include:
— The Dude workshop in both MTCRE and MTCINE, which helps students better understand each scenario we work on in the labs: building a network diagram, documenting the network, enabling notifications, Syslog, monitoring, and learning how to centralize network management.

— A RouterBOARD introduction in MTCNA, which helps students offer customers the best products and choose the right equipment for networks with different designs.

— CAPsMAN, the MikroTik wireless controller, and how to manage thousands of wireless access points.
— Wireless link calculator: how to calculate PtP and PtMP wireless links for short and long distances.

— Packet flow in RouterOS v6, overview and examples. Many MikroTik features changed when the RouterOS kernel moved from v5 to v6. This helps students improve their troubleshooting skills when VoIP packet drops or NAT cause issues in the traffic flow.

| Start date | End date   | Course type                              | Location        | Organizer                        | Language |
|------------|------------|------------------------------------------|-----------------|----------------------------------|----------|
| 2019-07-08 | 2019-07-12 | Introduction, MTCNA, MTCRE, The Dude     | Canada, Toronto | Hani Rahrouh, wirelessnetware.ca | English  |
| 2019-07-15 | 2019-07-18 | Introduction, MTCTCE, MTCWE, The Dude    | Canada, Toronto | Hani Rahrouh, wirelessnetware.ca | English  |
| 2019-09-09 | 2019-09-13 | Introduction, MTCNA, MTCRE, The Dude     | Canada, Markham | Hani Rahrouh, wirelessnetware.ca | English  |
| 2019-09-16 | 2019-09-20 | CAPsMAN, MTCTCE, MTCWE, The Dude         | Canada, Markham | Hani Rahrouh, wirelessnetware.ca | English  |
| 2019-09-25 | 2019-09-28 | CAPsMAN, MTCUME, MTCWE, The Dude         | Canada, Markham | Hani Rahrouh, wirelessnetware.ca | English  |

Copyright © 2015 WirelessNetware. All rights reserved.