Security announcement blog

We have made a blog, where we will publish the most important announcements regarding security and other topics.
Bookmark this link for Security related news:

https://blog.mikrotik.com/security/

Here is the RSS feed link:
https://blog.mikrotik.com/rss/?cat=security

Very good idea. Thank you for that.

Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.

Can you see if this works now?

Yes, now it works OK

Is there a way to sign up for email announcements of new articles too?

+1

That works

+1
RSS is good, but it would be nice to have a mailing list for security announcements and firmware updates.

It also depends on when new articles will be published there, whether half a year after the security incident or when. In such a case there is no need to send email notifications.

Did we publish forum posts half a year after discovered issues? Jarda, what are you talking about?
Also, there are numerous IFTTT recipes to do things when RSS gets a new article: https://ifttt.com/applets/YnbGBZDy-send-email-rss?term=rss
You can even have your Hue lights flash red :)

I received an email (urgent security advisory) for the web port vulnerability because I have a user account on the mikrotik homepage. As far as I know, the winbox port vulnerability didn’t get a similar warning email. However, I received an email about the newly released 6.42.1 and 6.40.8 which fixed this vulnerability (and it was clearly stated in the changelog) so everyone who reads these emails should know about it instantly.

@normis: I am sure Jarda is referring to the web port issue. Despite the fact it was fixed during March 2017, there was not much coverage, so even a year after, a massive amount of devices was vulnerable. Due to that, it makes sense to send an email (despite the fact it is already too late) once the vulnerability gets misused extensively.
Personally, I perceive it as a Mikrotik failure that there was no “urgent security advisory” email about the winbox port vulnerability. I am aware that everyone is responsible for their device and I know well that with a correctly set up firewall, the vulnerability would be protected. However, spreading the word (even a negative one) is an important part of the business and crucial to building trust between manufacturer and customers. I believe many people would appreciate it if the Mikrotik PR department takes a lesson from it and sends the email next time.
Meanwhile, I will keep my fingers crossed that it will take a loooong time until the next vulnerability appears :)

Normis, I am talking about the blog only. Of course I know that the info was published quickly on the forum. But the blog is new now and from this perspective the info already provided there is really old at the moment. Actually I am fine with the forum announcements for such cases, so even though I appreciate the blog, it more or less seems to me that it is a way to duplicate the source of information. A Wiki manual page section would work the same too.
Don’t beat me for the opinion, maybe it was misunderstood because of its condensed form… My bad. Sorry for that.

Blog didn’t exist at all when those vulnerabilities appeared.

Great!!! Killer idea!

Thanks Mikrotik guys. This should reduce the amount of panicked calls I get from customers.

I am furiously angry!
My router had admin disabled and most of the services such as SSH/Telnet etc. The username I used was a long name and the password had 16 chars. I had a proper configuration on the firewall, lots of scripts etc. YET…
Today I went on Google and got the CAPTCHA. I knew right off the bat that something was not good.

Logged in to Mikrotik. First I spotted that most of the FW rules were gone, then SOCKS enabled! Scripts are gone except some mikrotik.php thing. First thing… unplug the internet cable.

After the panic was over, I went on LTE Internet to see what was going on. In 2 minutes I found that Mikrotik got compromised. I mean seriously?!

OK I think… many systems have security bugs. In fact this is the first one I have ever had through a Mikrotik. But what made me super angry wasn’t that there was a bug but your replies to people saying “You should keep up to date” or “You should check our announcements” --EOT.

If the issue has been there since April and you have my bloody email as I am registered on this forum, why have I not received an email saying “We have found a security vulnerability, so please update your Router OS immediately”? Seriously, why? I mean my IP worked as a free SOCKS tunnel for god knows how long and god knows what went through it.

I just don’t log in to a router OS every day to check if everything is fine. You should not expect people to do that, you should not expect people to keep the router OS up to date (for many reasons e.g. the RouterBoard sits on the mast high up in the mountains and you simply don’t do an upgrade unless you are physically there in case something goes wrong), you should not expect people to look at your BLOG all of the time. It should be on your cards to let your customers know about such events.

EDIT: Please add a newsletter widget to this “BLOG”. I don’t use RSS feeds.

That’s an effective idea. All registered users (anywhere in the mikrotik, not only on the forum…) should receive a notification in such an emergency case! Otherwise the blog is nothing more than a post in the right section of the forum…

I’m sorry you have not received that email, because we did send it on March 30, with specifically the content you asked for.

EDIT: Please add newsletter widget to this “BLOG”. I don’t use RSS feeds.

Please clarify what you mean by that.

People apparently like to get a mail message (a push mechanism) instead of using RSS (a pull mechanism), but of
course the disadvantage is that a database of mail addresses would have to be kept. Of course MikroTik already
have two databases: the valid users for login on the main webpage (where you can manage licenses etc, and also
used to send the newsletter) and the valid users logging in on the Forum.
Adding a third one just to send security announcements could be a bit overkill when they are already sent to the
other two lists. However,

  • I think they are sent only to that webpage list, not to the Forum list
  • They should be sent much sooner than was done the first time.

Important security fixes should get the attention of the admins once they are available, not when an exploit is
seen in the wild. Anyway, you will find that now that MikroTik is on the radar of the malevolent, those times
will be very close together anyway.
(There are people who examine security updates to see what exactly was fixed and quickly write exploits for them
to use the time window between release of the updates and installation by the majority of users.)