Advisory: Vulnerability exploiting the Winbox port [SOLVED]

Edit: 18.04.25
Please upgrade to MikroTik RouterOS 6.40.8 [bugfix] or 6.42.1 [current], the issue was addressed and fixed there,
https://mikrotik.com/download

We have discovered a new RouterOS vulnerability affecting all RouterOS versions since v6.29.

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.

Versions affected: 6.29 to 6.43rc3 (included). Updated versions in all release chains coming ASAP. Edit: v6.42.1 and v6.43rc4 have been released!

Am I affected? Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected and upgrade + change password + add firewall. Make sure that you change password after an upgrade. The log may show an unsuccessful login attempt, followed by a successful login attempt from unknown IP addresses.

What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router to any services, not just Winbox. We suggest this to become common practice. As an alternative, possibly easier, use the “IP → Services” menu to specify “Allowed From” addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.

What to expect in the coming hours/days: Updated RouterOS versions coming ASAP. RouterOS user database security will be hardened, and deciphering will no longer be possible in the same manner.

EXAMPLE how to protect yourself:
[Screenshot omitted: Screen Shot 2018-04-23 at 13.01.48.png]
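The two options from the advisory (firewalling TCP 8291 to known sources, or the “Allowed From” field of IP → Services) as an added RouterOS CLI example; this is not configuration from the advisory or from the screenshot. The address list name mgmt-allowed, the LAN range 192.168.88.0/24 and the admin public address 203.0.113.10 are assumptions (constructed documentation values), to be replaced with your own.

```routeros
# Added example, not part of the advisory. Assumed names/addresses:
#   address list "mgmt-allowed", LAN 192.168.88.0/24, admin public IP 203.0.113.10.

# Known management sources. Keep this list short and explicit.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="LAN (assumed)"
add list=mgmt-allowed address=203.0.113.10 comment="admin public IP (assumed)"

# Option 1: filter rules. These must sit ABOVE any generic "accept" rule in the
# input chain (e.g. an "accept established,related" rule placed after them is fine,
# but an early "accept everything from ether1" would defeat them).
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt-allowed \
    action=accept comment="Winbox only from known sources"
add chain=input protocol=tcp dst-port=8291 action=drop \
    comment="Winbox from anywhere else is dropped"

# Option 2 (advisory's "possibly easier" alternative): restrict the service itself.
# The service only answers to the listed addresses; unlisted sources get no reply.
/ip service
set winbox address=192.168.88.0/24,203.0.113.10
# Remote web admin is unnecessary exposure; disable it unless it is actually used.
set www disabled=yes

# After upgrading, change the password (placeholder, choose your own value).
/user set [find name=admin] password="CHANGE-ME-after-upgrade"
```

To confirm the change took effect, `/ip service print` should show the address restriction on winbox, and `/ip firewall filter print stats` should show the drop rule's counters increasing when Winbox is probed from an address outside the list. Option 1 and Option 2 can be used together; the address list is also what a later script can keep updated for sources without a static IP.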

WOW. That is really scary.

Maybe having port-knocking needed for connection and then lifetime as long as established. Also implement this in Winbox and the Android app.

Web interface is a no no from external.

A unique TCP/UDP port sequence printed on the router label is needed to reach that router from external. This sequence can be changed by the admin but cannot be disabled.

Once logged in, with Winbox, the admin can regenerate a new sequence in the router for the Winbox profile for that specific account. This new sequence is visible in the router and in the profile in Winbox. This can also be forced totally hidden so that a reset of the router is needed to go back to the sequence on the router label.
A new sequence is enforced from the next time connecting.

A problem with sequence portknocking is, that ports also can be used by the router. One way is not to use different ports but different times in the sequence for the packets.

Maybe easier is to have port 8291 as attention port for knocking and any knock on a port from the same source IP is not for normal firewall processing but for gaining access.

Example: TCP-8291 UDP-1234 TCP-8291 TCP-2341…
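The poster is proposing a new label-based feature; what RouterOS can already do today is port knocking built from address lists with timeouts, which also gives the “lifetime as long as established” behaviour asked for above. The following is an added example and not configuration from any post in this thread. The knock ports 1234 and 2341 are taken from the example sequence above; the list names knock-stage1 and knock-ok and the timeouts are assumptions. Per the concern about knock ports colliding with the router's own services, the knock ports chosen should be ones on which nothing is listening.

```routeros
# Added example, not from the thread. Assumed: knock ports TCP 1234 then UDP 2341
# (must not be ports the router itself serves), lists "knock-stage1" / "knock-ok".

/ip firewall filter
# Existing connections stay alive for as long as they are established, regardless
# of whether the knock window has expired.
add chain=input connection-state=established,related action=accept \
    comment="keep established admin sessions alive"

# Knock 1: remember the source for a short window only.
add chain=input protocol=tcp dst-port=1234 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock stage 1"

# Knock 2: only a source that completed knock 1 within the window advances.
add chain=input protocol=udp dst-port=2341 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-ok \
    address-list-timeout=2m comment="knock stage 2"

# Winbox (TCP 8291) is reachable only from sources that finished the sequence,
# and only for the 2 minute window in which to open the session.
add chain=input protocol=tcp dst-port=8291 src-address-list=knock-ok \
    action=accept comment="Winbox after successful knock"
add chain=input protocol=tcp dst-port=8291 action=drop \
    comment="Winbox from everyone else dropped"
```

`/ip firewall address-list print` shows who is currently in knock-stage1 and knock-ok, with the remaining timeout, which is a useful check that the sequence is being completed by the expected addresses only. Knocking is a complement to, not a replacement for, the source-address restriction from the advisory: a source that is both on the allow list and required to knock gives two independent conditions an unauthenticated probe has to satisfy.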

Can changing the service port resolve the problem?
The problem with “Allowed From” is that we do not always have a static IP address.
A suggestion could be that the field accepts DNS names, or allows reading from an address list.


I use firewall rules which will kick an IP address if login fails after three attempts. Will this method be sufficient to be protected from this vulnerability?

By the way, thank you for letting us know about it.

Does not appear so looking at the other posts. One failed attempt was in the logs…

This is really scary. Can you explain how this happened in a more technical manner? Why is authentication not the first thing that is required before downloading files etc is possible? Why is the user database even made available over the winbox port prior to establishment of an authenticated connection?

All these security bugs appearing lately in Mikrotik daemons are really shaking my trust in RouterOS. It’s clear that a lot of Mikrotik code is not hardened against exploit attempts. What steps are Mikrotik taking to ensure this doesn’t continue to happen? Have you considered hiring an external company to do a security audit of your code? This really can’t keep happening.

EDIT: Please don’t tell me this is related to the old 2012 exploit that lets you request files before login…

So is this it https://www.securityweek.com/remotely-exploitable-vulnerability-discovered-mikrotiks-routeros ?

As it's an over a month old post..

They gain access on a file within the router, right? What kind of information is stored in there?

No, that’s a different vulnerability in the SMB service.

Is this vulnerability exploitable if the Winbox service is not running?

@raffav If you are not using static IP’s, use something like DYNDNS to set up aliases. Then, resolve the aliases in a script which will give you the IP addresses of the remote stations which are permitted access. Add these to the list of allowed IP’s (Available From field in picture) and you have solved the problem.
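The approach described in that reply, resolving dynamic DNS aliases from a script and feeding the results into an address list, as an added RouterOS script example (not the poster's own script). The list name mgmt-allowed and the hostnames admin1.example.net and admin2.example.net are constructed assumptions; a firewall rule that accepts Winbox from src-address-list=mgmt-allowed is assumed to already exist. The script body goes into a script's Source (System → Scripts) and is run from the scheduler.

```routeros
# Added example, not from the thread. Assumed: address list "mgmt-allowed" and
# dynamic DNS names admin1.example.net / admin2.example.net (constructed).
# Each resolved name is stored as one address-list entry whose comment is the name,
# so a changed IP updates the existing entry instead of accumulating stale ones.
:local names {"admin1.example.net";"admin2.example.net"};
:foreach n in=$names do={
  :do {
    # :resolve raises an error when the name cannot be resolved; on-error catches it
    # so one failing name does not abort the loop for the others.
    :local ip [:resolve $n];
    :local existing [/ip firewall address-list find list="mgmt-allowed" comment=$n];
    :if ([:len $existing] = 0) do={
      /ip firewall address-list add list="mgmt-allowed" address=$ip comment=$n;
      :log info ("mgmt-allowed: added " . $n . " = " . $ip);
    } else={
      :if ([/ip firewall address-list get $existing address] != $ip) do={
        /ip firewall address-list set $existing address=$ip;
        :log info ("mgmt-allowed: updated " . $n . " -> " . $ip);
      }
    }
  } on-error={
    # Deliberately keep the previous address rather than removing the entry:
    # a transient DNS failure must not lock the admin out.
    :log warning ("mgmt-allowed: could not resolve " . $n);
  }
}
# Scheduler entry to run this every 5 minutes (assumed the script is saved as
# "refresh-mgmt-allowed"):
#   /system scheduler add name=refresh-mgmt-allowed interval=5m on-event=refresh-mgmt-allowed
```

The accept rule that consumes the list is the same as for static sources, for example `/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt-allowed action=accept` followed by a drop for TCP 8291. Two caveats a practitioner should weigh: the router's DNS resolution is only as trustworthy as the resolvers it uses, and the dynamic DNS account itself becomes part of the management trust boundary, so it needs a strong, unique credential of its own.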

Normis, it seems this does not help.
On the Czech forum there is a user who has Winbox in IP Services allowed only for his private range and was hacked :frowning:
https://ispforum.cz/viewtopic.php?p=228863#p228863

You don’t know what is stored in the system user database file ??? :laughing:

No, do you? If so let me know

The security issues are happening too frequently on MikroTik recently…

The file contains RouterOS system usernames and passwords.

well, if I had to do some thinking, the system user database file contains the database with users and their password…

That is a completely different vulnerability that relates only to the SMB service, which by default is not even enabled (hence why you didn’t hear much about this vulnerability).

This new one is a far scarier one. Somehow an attacker is not only able to remotely download the user database file, which bypasses all normal user authentication methods, but on top of that is trivially - within a couple of seconds - able to use the strongest of passwords to then log into the router using the Winbox port.

This implies at minimum that the user database file not only contains actual passwords (instead of hashes) but keeps those passwords in the clear or very close to it. Both practices are almost unheard of in modern security practices!

This means no matter what version of RouterOS, you are uncommonly at risk for the above reason.

While we await the vulnerability fix and basic RouterOS hardening, it is recommended to allow no direct public access to any external services on a RouterOS device, unless it is either IP-filtered or uses port knocking.

After the hardened RouterOS, all passwords should be changed as a basic security precaution, since any past compromise of the router (known or unknown) and by anyone, including insiders, means they may have access to all of the passwords.

It’s possible the attack came from his LAN

It is just that with Mikrotik’s increasing popularity, hackers are now targeting RouterOS. Exploits exist on all equipment, just look at Cisco and Fortinet if you want an example…