Can anyone inform us if MikroTik is vulnerable to the following OpenSSL bugs?
https://www.openssl.org/news/secadv_20140605.txt
If you are worried about this, please upgrade to RouterOS 6.14 when released.
OpenSSL bug - SSL/TLS MITM (CVE-2014-0224) - type: “Man-in-the-middle”
http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
Which services / protocols on the RouterOS are vulnerable?
Just use 6.14.
With my routers running 6.x that’s easy. But we still have many 5.x routers, and an upgrade to 6.14 is not done that fast. So I would like to know which services/protocols are affected. If I don’t use them, I don’t need to upgrade. Or will there be a 5.x security release?
v5.x will not receive security updates.
6.14 has this security update.
I think it’s only https (www-ssl) which is affected. But I don’t know for sure. Use good firewall settings and you would be fine.
OK, only 6.x gets a security update. So which services are vulnerable? I need this to compare the security impact against the time and money the update from 5.x costs.
You should evaluate if there are any actual risks from the described vulnerability. “Could be” doesn’t mean anyone has created, or ever will create, an exploit. See how far you are willing to go to protect against the tiniest possibility. An upgrade doesn’t seem so expensive if you think this is important.
What I want to know is whether only the administration (HTTPS, Winbox) is vulnerable, which would not be a big problem as we’re using dedicated management networks, or also production services that external users can reach.
These vulnerabilities have nothing to do with Winbox or SSH, your router cannot be hacked with this.
Currently I can’t imagine any feature in RouterOS that could be affected by the issues in the first post.