Important RouterOS update (6.42.7, 6.40.9) – security fixes

We encourage you to update your MikroTik devices to the latest versions, i.e. 6.42.7 and 6.40.9, because they patch security vulnerabilities. The vulnerabilities are identified as CVE-2018-1156, CVE-2018-1157, CVE-2018-1158 and CVE-2018-1159. Their origin and the scope of the threat are not yet known. This points to a vulnerability that was reported to the vendor but has not been published.

The vulnerabilities are patched in both the RouterOS current and bugfix branches.

The full changelog is below:

What’s new in 6.40.9 (2018-Aug-20 07:46):

MAJOR CHANGES IN v6.40.9:


!) security – fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;


*) certificate – fixed “add-scep” template existence check when signing certificate;

*) defconf – fixed wAP LTE kit default configuration;

*) ethernet – improved large packet handling on ARM devices with wireless;

*) ethernet – removed obsolete slave flag from “/interface vlan” menu;

*) filesystem – fixed NAND memory going into read-only mode;

*) hotspot – fixed user authentication when queue from old session is not removed yet;

*) interface – fixed interface configuration responsiveness;

*) ipsec – fixed policies becoming invalid if added after a disabled policy;

*) ldp – properly load LDP configuration;

*) ppp – fixed “hunged up” grammar to “hung up” within PPP log messages;

*) sfp – hide “sfp-wavelength” parameter for RJ45 transceivers;

*) snmp – added remote CAP count OID for CAPsMAN;

*) supout – added “partitions” section to supout file;

*) tile – fixed Ethernet interfaces becoming unresponsive;

*) tr069-client – fixed unresponsive tr069 service when blackhole route is present;

*) userman – fixed compatibility with PayPal TLS 1.2;

*) userman – improved unique username generation process when adding batch of users;

*) winbox – added missing “dscp” and “clamp-tcp-mss” settings to IPv6 tunnels;

*) winbox – allow to specify full URL in SCEP certificate signing process;

*) winbox – by default specify keepalive timeout value for tunnel type interfaces;

*) winbox – show firmware upgrade message at the bottom of “System/RouterBOARD” menu;

*) winbox – show “scep-url” for certificates;

*) winbox – show “sector-writes” on ARM devices that have such counters;

*) winbox – show “sector-writes” on devices that have such counters;

*) winbox – show “System/Health” only on boards that have health monitoring;

*) wireless – added option to disable PMKID for WPA2;

*) wireless – enable all chains by default on devices without external antennas after configuration reset;

*) wireless – fixed packet processing after removing wireless interface from CAP settings;

*) wireless – improved client “channel-width” detection;

*) wireless – improved Nv2 PtMP performance;

*) wireless – increased stability on hAP ac^2 and cAP ac with legacy data rates;

*) wireless – updated “united-states” regulatory domain information;