RouterOS 6.42.7 [current] has been released.

2018-08-21 13:19 Blog

This update comes about 40 days after the previous version upgrade.

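The list of changes looks long, but most of it consists of W60G fixes and Winbox display issues. That said, it also includes performance improvements and fixes for security issues, so please consider applying it.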

What's new in 6.42.7 (2018-Aug-17 09:48):
MAJOR CHANGES IN v6.42.7:
----------------------
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
----------------------
*) bridge - improved bridge port state changing process;
*) crs326/crs328 - fixed untagged packet forwarding through tagged ports when pvid=1;
*) crs3xx - added command that forces fan detection on fan-equipped devices;
*) crs3xx - fixed port disable on CRS326 and CRS328 devices;
*) crs3xx - fixed tagged packet forwarding without VLAN filtering (introduced in 6.42.6);
*) crs3xx - fixed VLAN filtering when there is no tagged interface specified;
*) dhcpv4-relay - fixed false invalid flag presence;
*) dhcpv6-client - allow to set "default-route-distance";
*) dhcpv6 - improved reliability on IPv6 DHCP services;
*) dhcpv6-server - properly update interface for dynamic DHCPv6 servers;
*) ethernet - improved large packet handling on ARM devices with wireless;
*) ethernet - removed obsolete slave flag from "/interface vlan" menu;
*) ipsec - fixed "sa-src-address" deduction from "src-address" in tunnel mode;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ldp - properly load LDP configuration;
*) led - fixed default LED configuration for RBLHGG-5acD-XL devices;
*) lte - added signal readings under "/interface lte scan" for 3G and GSM modes;
*) lte - fixed memory leak on USB disconnect;
*) lte - fixed SMS send feature when not in LTE network;
*) package - do not allow to install out of bundle package if it already exists within bundle;
*) ppp - fixed interface enabling after a while if none of them where active;
*) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers;
*) upgrade - fixed RouterOS upgrade process from RouterOS v5;
*) userman - fixed compatibility with PayPal TLS 1.2;
*) vrrp - fixed VRRP packet processing on VirtualBox and VMWare hypervisors;
*) w60g - added distance measurement feature;
*) w60g - fixed random disconnects;
*) w60g - general stability and performance improvements;
*) w60g - improved MCS rate detection process;
*) w60g - improved MTU change handling;
*) w60g - properly close connection with station on disconnect;
*) w60g - stop doing distance measurements after first successful measurement;
*) winbox - added "secondary-channel" setting to wireless interface if 80 MHz mode is selected;
*) winbox - fixed "sfp-connector-type" value presence under "Interface/Ethernet";
*) winbox - fixed warning presence for "IP/IPsec/Peers" menu;
*) winbox - properly display all flags for bridge host entries;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - added option to disable PMKID for WPA2;
*) wireless - fixed memory leak when performing wireless scan on ARM;
*) wireless - fixed packet processing after removing wireless interface from CAP settings;
*) wireless - updated "united-states" regulatory domain information;
To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download
If you experience version related issues, then please send supout file from your router to [email protected] File must be generated while router is not working as suspected or after some problem has appeared on device
Please keep this forum topic strictly related to this concrete RouterOS release.
If you router has a storage issue (not enough space due to RouterOS, not by other files stored on the device), use package from this link:

- upload package to your router;
- run /system reboot

Other affected installations will be fixed automatically, if there is enough space left for an upgrade by this fix: "package - free up used storage space consumed by old RouterOS upgrades"

This release changes the processing around bridge interface status changes and fixes VLAN-related behavior on the CRS3xx series.
DHCP has also received fixes, such as the distance value becoming configurable.

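There is also the long-standing problem in which free space is detected incorrectly and packages can no longer be updated; a separate package that fixes it has been published. If you are affected by this problem, try applying it.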

If you router has a storage issue (not enough space due to RouterOS, not by other files stored on the device), use package from this link:
https://www.mikrotik.com/download/share/fix_space.npk
upload package to your router;
run /system reboot

https://forum.mikrotik.com/viewtopic.php?f=21&t=138228

I applied it to a mipsbe device in my environment, and no problems occurred.

Separately, regarding the issue in which the passphrase can be obtained by brute-forcing the WPA2 key, an explanation is given in the thread below.

It is a testing release, but RouterOS 6.43rc56 has been updated as follows.

What’s new in 6.43rc56 (2018-Aug-13 11:13):

*) wireless – added option to disable PMKID for WPA2 (CLI only);

https://forum.mikrotik.com/viewtopic.php?f=21&t=137838#p679904

Configuring it as follows appears to disable PMKID, which is the cause of this issue.

/interface wireless security-profiles add disable-pmkid=yes 
# or,
/interface wireless security-profiles set disable-pmkid=yes [find]

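However, I have not checked what other effects applying it may have. When applying it, actually test it and confirm that devices that connected previously can still connect without problems.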

Addendum: August 26, 2018

MAJOR CHANGES IN v6.42.7:
----------------------
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
----------------------

Information was added stating that fixes for vulnerabilities are included.

  • CVE-2018-1156: An authenticated user can trigger a stack buffer overflow.
  • CVE-2018-1157: File upload memory exhaustion. An authenticated user can cause the www binary to consume all memory.
  • CVE-2018-1158: Recursive JSON parsing stack exhaustion, which could allow an authenticated user to cause crash of the www service.
  • CVE-2018-1159: www memory corruption, if connections are initiated and not properly cleaned up then a heap corruption occurs in www.

All of the above issues are fixed in the following RouterOS releases: 6.42.7, 6.40.9, 6.43
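
The fixed-release list above can be turned into a fleet check. The following is an added example, not code from MikroTik or from this post: it classifies RouterOS version strings against the three fixed releases named on this page. It assumes (the page does not say so) that later point releases on the 6.40 and 6.42 branches and final releases from 6.43 on keep the fixes; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed releases exactly as listed on this page: 6.42.7, 6.40.9, 6.43.
# Assumption (not stated on the page): later point releases on the same
# minor branch, and any final release from 6.43 on, also carry the fixes.
FIXED_POINT = {(6, 40): 9, (6, 42): 7}
FIXED_FROM = (6, 43)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(rc|beta)(\d+))?$")


def parse_version(text):
    """Parse '6.42.7', '6.43' or '6.43rc56' into (major, minor, patch, pre)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = f"{tag}{num}" if tag else None
    return int(major), int(minor), int(patch or 0), pre


def patch_status(text):
    """Return 'fixed', 'unpatched' or 'unconfirmed' for one version string."""
    major, minor, patch, pre = parse_version(text)
    if pre is not None:
        # Testing builds such as 6.43rc56 are not in the page's fixed list.
        return "unconfirmed"
    if (major, minor) >= FIXED_FROM:
        return "fixed"
    floor = FIXED_POINT.get((major, minor))
    if floor is not None and patch >= floor:
        return "fixed"
    # Covers older builds and branches with no listed fix, e.g. 6.41.x.
    return "unpatched"


def audit(inventory):
    """Map each hostname to its status; inventory is {hostname: version}."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"edge-1": "6.42.6", "edge-2": "6.42.7", "core-1": "6.40.8",
              "core-2": "6.40.9", "lab-1": "6.43rc56", "lab-2": "6.41.4"}
    for host, status in audit(sample).items():
        print(f"{host:8} {sample[host]:10} {status}")
```

Note that a 6.41.x device is reported as unpatched even though its version number is higher than 6.40.9, because no fixed release is listed for that branch.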