CRITICAL: Never trust anyone who provides scripts containing “/import” from “/tool fetch” from external sources.
NEVER TRUST: there is no guarantee that the remote site will not be modified on purpose to execute arbitrary commands on your router.
It’s one thing to download and import a list of addresses via script,
it’s another to download a list of commands to apply blindly, without any limits or controls, in the router.
In general, never trust files provided by external sources.
Agree, example https://blocklister.gefoo.org/
Especially an HTTP fetch can be problematic, where an attacker can perform a MITM attack and modify the response even if the site is providing a non-malicious response.
Do you know what is sad? Docker images work exactly this way… you download something and run it. Go programs also use this, including sources directly from the internet.
That’s why Docker images need to be downloaded from trusted repositories, and even then it’s good to treat them as an insecure network client by restricting connections to/from them only to the service provided by the container.
For downloaded application software at least you can use some antivirus/anti-malware solution, but it is also sane to know what you are installing and from which source.
HTTP != HTTPS - That’s why I mentioned especially HTTP, if someone is using the HTTP (unencrypted) protocol in fetch.
Regarding a MITM attack on HTTPS, there are ways to also perform it, but it requires manual intervention from the user to install the CA certificate which the MITM response uses to sign its own certificate. The user can be tricked by some social engineering technique like phishing; less likely than with HTTP, but possible.
Still, even if MITM is not performed, the concern is how much you trust the public source. If it is, e.g., a GitHub source, the repository owner’s account can be compromised and the repo can then be updated with a malicious script; if it is some other site, then you are not certain how well it is protected, etc… I always follow the rule: better safe than sorry.
@LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script directly on your router or on a separate server. The use of HTTPS/SSL for the actual transfer does not change this risk.
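The approach described in the post above (fetch only raw data, then build the commands yourself) as an added example that is not code from this thread or from any of its participants: a Python script meant to run on a separate server, which validates every line of an untrusted list as an IP address or prefix and emits address-list commands built only from those validated literals. The sample list contents and the address-list name are constructed placeholders.

```python
"""Turn an untrusted blocklist into a RouterOS import file that contains only
validated address-list entries. The fetched text is never executed."""
import ipaddress

# Constructed sample of what a fetched "blocklist" might contain: valid
# prefixes plus a line that is really a RouterOS command in disguise.
SAMPLE_FETCHED_TEXT = """\
# comment line
192.0.2.0/24
198.51.100.7
203.0.113.0/24 ; trailing junk
/user add name=backdoor password=x group=full
2001:db8::/32
not-an-address
"""

LIST_NAME = "blocklist-validated"  # placeholder address-list name


def parse_entries(text):
    """Return (accepted, rejected): accepted are ip_network objects,
    rejected are the raw lines that failed strict validation."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True also rejects prefixes with host bits set
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        if net not in seen:  # drop duplicates
            seen.add(net)
            accepted.append(net)
    return accepted, rejected


def render_import(networks, list_name=LIST_NAME):
    """Emit RouterOS commands from the canonical form of each validated
    network, never from the fetched text itself."""
    lines = []
    for net in networks:
        path = "/ip firewall address-list" if net.version == 4 else "/ipv6 firewall address-list"
        addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f'{path} add list={list_name} address={addr} comment="fetched"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ok, bad = parse_entries(SAMPLE_FETCHED_TEXT)
    print(render_import(ok), end="")
    print("rejected lines:", bad)
```

The generated file contains nothing but `add` lines assembled from canonical address strings, so the `/import` on the router can only ever create address-list entries, whatever the remote list contained.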
Unless it’s a reliable source, yes, you’re right. It doesn’t make sense to use it. Here it depends on how much you trust the source. In addition, instead of automation, it can be achieved manually by allocating labor, as you said. Not every convenience is always completely safe.
I’m not sure the “CRITICAL” is necessary. Everything here can be relegated to security “best practices”. And it applies equally to “cut-and-paste” scripts and containers. Or even The Dude, which downloads the matching version. And WinBox 4’s new “Update Winbox” risks MITM attacks, if one adopts the posture suggested here.
There is nothing magical about RouterOS scripting in this regard compared to any other OS. Some mainstream software uses “curl … | sh” - whether that’s “safe” depends on the environment it’s used in and the threat profile.
Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.
Who guarantees that you yourself do not insert commands on GitHub that create users and open backdoors in the router?
“Your” link does not just refer to a ready-made list of IPs, but creates an “import” where you can safely put any command you want to execute in the router, maybe it’s a way to make money by selling machines on the darkweb.
If people “can check” it does not mean that they do not go and check when for others it is already too late.
If you can’t see the security problem, it is certainly not my fault.
And let me be clear, I never talked about HTTP or HTTPS issues, it’s the content that’s the problem, not the means of transport.
However the suggested script does NOT install the proper SSL certificate and does NOT check HTTPS, so no matter what happens a MITM attack is still possible…
Key word “environment”, which makes company environments much more sensitive than home users’ environments. If somehow I find out that my ISP is using such a way to update their routers, from a public-source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP. Just saying, maybe it’s just me…
Well, this is pure fantasy, but if I somehow manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or “human” one) is a nice colander.