Hope you aren't running any wireless networks then, since Mikrotik products broadcast the board name, radio name and RouterOS version number in every beacon!It should not be THAT easy to get a ROS version ... without authentication
I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it*) make winbox self upgrade check .exe signature;
Dropping in input is fine, but I've seen several blacklists use raw table which would obviously affect forwarded traffic too.I know ... but it input chain is not the same as forward one. You can block access to router but not traffic forwarded to/from users.
You should be dropping such packets anyway. If you add them to a blacklist which blocks all communications from that IP, then you block legitimate services if someone spoofs them.Why blocking access to router is bad idea? Should "popular" addresses try to access our router?
Shifting of the blame onto users... what else are we supposed to use for remote management?!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
No, that's a different vulnerability in the SMB service.
I'm also curious about the technical details of this change.*) wireless - improved WPA2 key exchange reliability;
What specifically improved? Thanks
Is this a possibility before 2018? As someone about to buy my first CCR1036 I'd prefer to avoid the model that's about to be EOL, but I need it before the end of the year.We do plan to release a replacement 1036 in near future
/interface wireless access-list
add signal-range=-75..120
add authentication=no forwarding=no signal-range=-120..-76
After people have had time to upgrade, could you share some technical details of how the exploit work or what was vulnerable?v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.
RC and Bugfix builds coming a bit later.