Urgent security advisory

It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit a vulnerability in the RouterOS www server that was patched more than a year ago (in RouterOS v6.38.5, March 2017).

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the “Check for updates” button, if you haven’t done so within the last year.

Your devices are safe if port 80 is firewalled, or if you have upgraded to v6.38.5 or newer. If you are using our home access point devices with the default configuration, they are firewalled from the factory, and you should also be safe, but please upgrade nevertheless.

The vulnerability in question was fixed in March 2017:

Current release chain:

What’s new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

And also Bugfix release chain:

What’s new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;

Currently this botnet only spreads and scans. It doesn’t do anything else, but we still suggest changing your password and upgrading your firewall, just in case. Recommendations about securing your router: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

FAQ:

What is affected?

  • Webfig with standard port 80 and no firewall rules
  • Winbox has nothing to do with the vulnerability; the Winbox port is only used by the scanners to identify MikroTik brand devices. They then proceed to exploit WEBFIG through port 80.

Am I safe?

  • If you upgraded your router in the last ~12 months, you are safe

  • If you had “ip service” “www” disabled: you are safe

  • If you had firewall configured for port “80”: you are safe

  • If you only had Hotspot in your LAN, but Webfig was not available: you are safe.

  • If you only had User Manager in your LAN, but Webfig was not available: you are safe.

  • If you had a different Winbox port before this: you are safe from the scan, but not from the infection.

  • If you had “winbox” disabled, you are safe from the scan, not from the infection.

  • If you had “ip service” “allowed-from” set to specific network: you are safe if that network was not infected.

  • If you had “Webfig” visible to LAN network, you could be infected by an infected device in your LAN.

How to detect and cure?

  • Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
  • If you upgrade the device and you still see attempts to access Telnet from your network - run Tool/Torch and find the source of the traffic. It will not be the router itself, but another device in the local network which is also affected and requires an upgrade.

P.S: some details about the operation of the botnet can be found here
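The “Am I safe?” conditions above boil down to a few settings that can be read straight out of a router’s /export output: the RouterOS version in the header line, whether the www service is disabled or restricted with “Available From” (the address= attribute), and whether an input-chain firewall rule drops the www port. The following Python checker is an added example, not code from the advisory or from MikroTik; the two export snippets are constructed samples that follow the real /export layout, and the firewall check is a deliberately simple heuristic (it does not model rule ordering or accept rules placed before a drop).

```python
import re
import shlex

# Releases that carry the www fix, per the changelogs quoted in the advisory.
FIXED_CURRENT = (6, 38, 5)   # current release chain
FIXED_BUGFIX = (6, 37, 5)    # bugfix release chain

# Constructed sample: what "/export" prints on an older router with Webfig exposed.
EXPOSED_EXPORT = """\
# mar/24/2018 16:30:00 by RouterOS 6.38
/ip service
set telnet disabled=yes
set www port=80
set winbox port=8291
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established,related
"""

# Constructed sample: the same router after the advisory's recommendations were applied.
HARDENED_EXPORT = """\
# mar/24/2018 17:00:00 by RouterOS 6.41.3
/ip service
set telnet disabled=yes
set www disabled=yes
set winbox address=192.168.88.0/24 port=8291
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=80,8291 protocol=tcp
"""


def parse_version(export_text):
    """Read 'by RouterOS x.y[.z]' from the export header; None if it is missing."""
    m = re.search(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?", export_text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def is_patched(version):
    """True if the version is at or past the www fix in either release chain."""
    if version is None:
        return False
    if version >= FIXED_CURRENT:
        return True
    return FIXED_BUGFIX <= version < (6, 38, 0)


def parse_export(export_text):
    """Group 'set'/'add' lines under their '/path' section as (item name, attrs)."""
    sections, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        name, attrs = None, {}
        for tok in shlex.split(line)[1:]:      # shlex keeps quoted values intact
            if "=" in tok:
                key, value = tok.split("=", 1)
                attrs[key] = value
            elif name is None:
                name = tok                      # positional item, e.g. 'www' in 'set www ...'
        sections[current].append((name, attrs))
    return sections


def audit(export_text):
    """Apply the advisory's 'Am I safe?' conditions to one export; returns a dict."""
    version = parse_version(export_text)
    sections = parse_export(export_text)

    www_enabled, www_port, www_restricted = True, "80", False   # RouterOS defaults
    for name, attrs in sections.get("/ip service", []):
        if name != "www":
            continue
        if "disabled" in attrs:
            www_enabled = attrs["disabled"] != "yes"
        www_port = attrs.get("port", www_port)
        www_restricted = "address" in attrs      # "Available From" is set

    # Heuristic: an input-chain TCP drop rule naming the www port, or a catch-all
    # input drop without dst-port, counts as "firewalled".
    www_firewalled = False
    for _, attrs in sections.get("/ip firewall filter", []):
        if attrs.get("chain") != "input" or attrs.get("action") != "drop":
            continue
        if attrs.get("protocol", "tcp") != "tcp":
            continue
        if "dst-port" not in attrs or www_port in attrs["dst-port"].split(","):
            www_firewalled = True

    exposed = www_enabled and not www_restricted and not www_firewalled
    return {
        "version": version,
        "patched": is_patched(version),
        "www_exposed": exposed,
        "at_risk": exposed and not is_patched(version),
    }


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(text))
```

Run it against a real export file by reading the file into a string and passing it to audit(); an at_risk result means the www service is reachable and the version predates the fix, so the upgrade and firewall steps above apply.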

Thanks Normis, by the way suggest a small little toaster oven for your live-in red car. You can power it from the 12VDC receptacle for cigarette lighter. :wink:
(if you had a permanent address I would send a care package to include beard trimming kit and eyeglass wipes)

Being a new user, I thought that WINBOX was a proprietary encrypted connection method to be used really only from behind the Mikrotik. By the way, can I add, winbox is one sweeeet concept for a person like me that easily self-destructs on access to routers due to rule changes. I just use the mac address of the interface and I can connect no matter what stupid move I made with rules.
Safe mode is for kittens LOL (well it’s a lab environment for now, so no harm no foul)
Wouldn’t one want to connect via Https or SSL or something to the mikrotik from the outside and then access Winbox? (I mean a way besides the complication of setting up a VPN, which I find at the moment a bridge too far (intimidating).) I want to get to the point of a standard encrypted method to access WINBOX remotely, as eventually I want to buy and set up a mikrotik for a family member in Spain and I live in Canada.

Winbox has nothing to do with this. The tool only used it to identify that a device runs RouterOS.

I suggest setting up an IPsec VPN to your device for remote management and closing all other ports. Setting up IPsec is easy even for a new user, just click “VPN” in the QuickSet menu. It will enable everything that is needed. The link I posted above includes more suggestions to secure your router.

I’ve noticed some strange behavior on several of my hotspots with public IPs.
Found the following log entry:

mar/24 16:33:09 smb,info created new share: pub
mar/24 16:33:21 script,error script error: no such item (4)
mar/24 16:39:29 info fetch: file “.i” downloaded
mar/24 16:43:15 script,error script error: no such item (4)

Now the hotspots are making lots of connections to outside IPs on the telnet and winbox ports.
The question is: how do I fix them? Are an upgrade and a password change enough?
Firmware is 6.38
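The four log lines quoted in this post are the only concrete on-box indicators given anywhere in the thread (an SMB share appearing, a one-character file “.i” fetched, and scripts erroring on a missing item). The checker below is an added example, not from the poster or from MikroTik: it parses RouterOS log lines of the shape shown (date, time, topics, message) and flags those three patterns. The sample log is constructed from the post’s lines plus two benign ones, and the reason strings and the topic/message split are my assumptions.

```python
import re

# Line shape as it appears in the post: "<mon>/<day> <hh:mm:ss> <topics> <message>"
LOG_RE = re.compile(r"^(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Indicators taken from the log excerpt in the post; regexes so either quote style matches.
INDICATORS = [
    ("smb,info", re.compile(r"created new share"), "unexpected SMB share created"),
    ("script,error", re.compile(r"script error: no such item"), "script referencing a missing item"),
    ("info", re.compile(r"fetch: file .\.i. downloaded"), "fetch of a hidden one-character file"),
]

# Constructed sample log: the post's four lines plus two benign entries.
SAMPLE_LOG = [
    "mar/24 16:33:09 smb,info created new share: pub",
    "mar/24 16:33:21 script,error script error: no such item (4)",
    'mar/24 16:39:29 info fetch: file ".i" downloaded',
    "mar/24 16:40:02 system,info,account user admin logged in from 192.168.88.10 via winbox",
    "mar/24 16:43:15 script,error script error: no such item (4)",
    "mar/24 16:45:00 dhcp,info dhcp1 assigned 192.168.88.50 to 00:11:22:33:44:55",
]


def parse_line(line):
    """Split one RouterOS log line into its fields; None if it does not fit the shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"time": m.group(1), "topics": m.group(2), "message": m.group(3)}


def suspicious_entries(lines):
    """Return (time, reason) for every line matching an indicator, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for topics, pattern, reason in INDICATORS:
            if entry["topics"] == topics and pattern.search(entry["message"]):
                hits.append((entry["time"], reason))
                break
    return hits


def distinct_reasons(lines):
    """The set of indicator types seen; several distinct ones together warrant a closer look."""
    return {reason for _, reason in suspicious_entries(lines)}


if __name__ == "__main__":
    for when, why in suspicious_entries(SAMPLE_LOG):
        print(when, "-", why)
```

Feed it the output of /log print (one line per entry) to get the matching entries with their timestamps; the benign login and DHCP lines in the sample produce no hits.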

Yes, upgrade and, for security reasons, change the password too.

Is there a known 8291 vulnerability or just 80?

Normis, thanks for the fix. But this fix is only for actual devices. There is nothing for MIPSLE. Your statement “all RouterOS devices” is not true.

Hi,

Seems that we are having strange processes even after upgrade to version 6.41.3.

Could you please post complete instructions on what to check in the config or filesystem if we had malicious processes before the upgrade and after the upgrade to 6.41.3?

Are there any kind of startup scripts that should be checked?

What is the purpose of /ram/history.console file? I can see a lot of passwords stored in plain text.

Thanks.

Not sure if you are aware, but there is a complete instruction here - https://github.com/BigNerd95/Chimay-Red

Upgraded and changed passwords. No more telnet spam.

Are routers with the http port disabled and the winbox port limited in “IP Service List” using the option “Available From” protected? Or is an additional firewall necessary in this case?

Thanks.

Thanks for the security advisory, it is much appreciated!

I confirm that this Chimay-Red exploit is effective (tested in my own security lab), even though it is not easy to make it work (you need a lot of GNU/Linux/programming skills). I am working on a security tool to update every Mikrotik Routerboard; for now I only have this code as a Perl script. It basically extracts the IP addresses from the CSV file, then tries to connect to ftp with the credentials and upload the “activador.auto.rsc”. You have to work on your own script to block or allow your administration subnet. I know it is a rough script that needs a lot of work, but it will work as a starting point (idea):


#MWIRELESS V01
#SCRIPT TO ENABLE SNMP AND API FOR (CONFIDENTIAL)
#BY: ANDRES GENOVEZ (Bitfrost) for CONFIDENTIAL
#Script for authorised use only, no liability accepted - 03-2015
#Based on examples from: http://perlenespanol.com/tutoriales/modulos/usando_el_modulo_netftp.html and harto v220

use strict;
use warnings;
use Net::FTP;

my $username = "admin";
my $pwd      = "mypasswd";

# One router IP address per line in the CSV file
my $list   = '27-05-2015.csv';
# RouterOS runs a *.auto.rsc file automatically after it is uploaded over FTP
my $script = 'activador.auto.rsc';

open(my $fh, '<', $list) or die "Cannot open $list: $!";
while (my $line = <$fh>) {
    chomp $line;
    (my $ip = $line) =~ s/\s+//g;    # strip all whitespace
    next if $ip eq "";

    # Connect to the router's FTP service; $@ holds the reason on failure
    my $ftp = Net::FTP->new($ip, Timeout => 10);
    if (!$ftp) {
        print "Error: $ip ($@)\n";
        next;
    }

    # Log in; report a failed login instead of silently uploading nothing
    if (!$ftp->login($username, $pwd)) {
        print "Login failed: $ip\n";
        $ftp->quit;
        next;
    }

    #ACTIONS WE WANT TO RUN ON THE MIKROTIK
    $ftp->put($script, $script) or print "Upload failed: $ip\n";
    $ftp->quit or die("Could not disconnect from the server: $!");
}
close($fh);

That is correct - all RouterOS devices offer a free upgrade until the RouterBOARD platform is EOL. You should Netinstall your MIPSLE devices, since Netinstall will put a fresh installation on your device and protect it by firewall right away, before putting the router on a public network.

If you upgrade the device and you still see attempts to access Telnet from your network - run Tool/Torch and find the source of the traffic. It will not be the router itself, but another device in the local network which is also affected and requires an upgrade.

Just to make it clear: only devices running a not up-to-date RouterOS version are affected, whose HTTP port (TCP/80) is open and provides the login facility and management GUI, right?

I never allow unencrypted connections and always disable the HTTP and HTTPS interfaces. Only SSH and Winbox are enabled. It would be really nice to state the accurate state of affairs instead of us playing a guessing game. I understand the importance of upgrading, but scripts work fast and we can’t update all affected devices in an instant.

Pardon me, but the statement was quite clear:
“to exploit a vulnerability in the RouterOS www server”
anyway, it might be a good idea to keep up with updates at least on the “bugfix” level, but ymmv.

regards
hk

Pardon me, but specifying “www server” is not clear at all. A serious security vulnerability merits more than vague statements about services. Do the scripts only scan port 80? Are we safe behind HTTPS (which still falls under the “www server” category) or not? Etc. You’re obviously not very familiar with CVE notices and the like. Anyway, I hope someone will link or create one. This error must be very severe to warrant a mass email from Mikrotik (that’s where I was notified of it in the first place), so some due diligence is in order.

I have 2 questions:

1 - If the HTTP port was OPEN (8880) but it was already configured with “Available From” and only allowed some range of public IPs and private IPs, can it be affected?
2 - How do we check if the Mikrotik has already been infected?

Thanks

Hi again,

We have a bunch of Mikrotiks with OS version higher than vulnerable one but all of them are still infected.

Even after “update FW” → “reboot” → “change password”.

So even with 6.41.3 all our devices are still infected.

Please respond ASAP and provide us instructions on how to remove all this shit from our Mikrotiks.

I can upload this /rw/info file if you need it, virustotal analysis shows nothing.

hi all,

We are running our main router on 6.37.1 (stable). This is a CCR1009. What happens if I upgrade to the current version? I know the master port will be disabled and a bridge will be created. And also P2P in the firewall will no longer work.

Anything else?