Hi!
Does anyone have some information about “MikroTik 6.41.4 - FTP daemon Denial of Service PoC” and CVE-2018-10070 vulnerability?
The PoC has appeared on this link: https://www.exploit-db.com/exploits/44450/.
Is it possible to have some security mailing list and dedicated “Security” subforum?
Security issues with MikroTik has emerged lately - it would bi nice to improve at least awareness about this things.
Regards,
Robo
Not again! I just upgraded a couple of clients due to the previous security vulnerability and explained to my customers that it is for security reasons.
If I tell them again the same thing, they are going to lose faith in Mikrotik product.
Mikrotik Support, can we please get some confirmation / clarification on the above post?
Guys. Any service can be overloaded when it is polled enough times. How is this a vulnerability? This is simple DoS. If you set a simple firewall rule to limit number of connections per IP, in your input chain, this will not work at all.
Why would anyone keep FTP open to the public, no firewall and no limitations set?
Possibly we need the rule to exist by default, that is another question.
Thank you
I sent the report to your company before I publish the vulnerability and you didn’t answer. I don’t know how did you comment here when you don’t know how the exploit works because I didn’t publish how I made the crafted request and what is that 
The 6 connections and less than 80KB crafted requests are enough for exhausting all the cpu and ram for rebooting the router.
Limiting the connection is a workaround, You should fix the problem(such as other company). If you want, you can give me an IP address and I show you how it works.
The PoC is clear:
https://vimeo.com/264461602
I still think that MikroTik should invest more effort regarding security.
My suggestions are:
Regards,
Robo
We answer all emails. Make sure you are not filtering ours, or post the ticket number, so I can check what was answered.
Don’t you have better things to do wirth your life? Spending all that time to find out how you can destroy other people’s property?
Maybe you can file a vulnerability report of bus shelters and claim that their windows cannot withstand the throwing of stones by local youth?
Nice example, pe1chl,
Nevertheless, we will fix it.
Good! But the point that those sore losers that claim to be “whitehat hackers” don’t seem to understand that everything in society is
built up to some reasonable standard of quality and security, as a trade-off between effort/cost and result.
Of course the bus shelter could be built with steel plate or bulletproof glass, but it appearance would not be so good or it would cost too much.
Normal people just use it as a shelter, only the mentally derailed people destroy it “because it can be destroyed”.
In internet security it is the same, but there the derailed people not only destroy other people’s property, they also blackmail the
producers with threats to publish details “if it is not fixed according to their set rules”. It is like the guys that ask you to pay protection
money to prevent your property from being damaged.
It is not as much that those guys should be tracked down and locked up (which would be good), but even more they need to be
taught normal forms of behaviour in a society. That includes not touching without permission what does not belong to you, and
not engaging in interactions as shown above. (“we told you about it and you did not react to our standards so now…”)
The Email is sent at Fri, Apr 13, 2018 to support@mikrotik.com
Unfortunately I think the security is not important for your company.
Hardening the kernel’s parameter and changing them according to your product’s resources before introducing them to the markets should be a priority for you.People are using your products without the simple default security.
The vulnerability is in the parsing function and it’s patched 5 years ago on the linux kernels. Just one packet can exhaust all available cpu for more than 20 minutes.
I didn’t publish anywhere how I made the crafted request because more than 590000 mikrotik devices are vulnerable(you can check this out on shodan), please fix the vulnerability and pay attention to the security.
Best Regards
That is only 1.5 work day ago!
In a company, such mails need to be categorized, the issue investigated, and a reply be made and verified.
You cannot expect that to happen within 1.5 working day.
Hardening the kernel’s parameter and changing them according to your product’s resources before introducing them to the markets should be a priority for you.
Priority for you should be to search psychological help!
I don’t know how readily available it is in your country, but maybe there is some other way for you to overcome the problems of your disorder.
I would not agree with you.
These people are called Security Researchers and they should be rewarded for their effort.
This is how security works these days, with various nation-state hackers, governments and black hats strugling to find “zero days” and vulnerabilities to exploit.
Why do you think some great companies organise Bug Bounties and Pwn2Own and similar contests?
People have different skill sets and mistakes happen in various places during development and manufacture process before the product is finished.
Do you really trust all of the manufacturers and vendors that their products are fully secure and that they don’t have any flaws?
Who do you think is better to find vulnerability in product - some nation-state hackers, government agencies, black hats or security researchers?
Security researchers are the only one who will report this issues to the manufacturer, the others will keep this for themselves and use them against people and networks.
I would only agree with the fact that there is some criminals between white hats and security researchers, but this is not the majority.
Vendors should definitely reward security researchers effort and thank them. Between them there are many young and bright minds which will be more motived to do the right thing after they get at least “thank you” from manufacturer or vendor.
Regards,
Robo
The problem is not real researchers who find a problem on the device they personally own, then report it in private
to the manufacturer, and know that not all problems they report will be solved in the manner they prefer.
The problem is the people like c0nstantine and many others, who set their own rules, send a mail on Friday and
start whining the next Tuesday about “still not resolved” (with the actual time available for processing maybe being
even less due to timezone difference), and go on with publishing details and other threatening.
This is not related to improving security, this is just boosting of own ego, and finding some thing to do in the
lack of any employer wanting them to work there. Some people call them “bright minds” but in reality they are
just socially inept.
Even worse, it is not true. Mailserver logs and even junk filters show no email of this kind. This is really unprofessional and irresponsible.
You can check this out:
https://ibb.co/bHcd47
Good luck
Thanks for the image. Zero emails in last 5 months.
Unfortunately, there are still no general rules about reporting vulnerabilities - some people were mad about the way the Israeli firm “CTS Labs” reported vulnerabilities to AMD, but they didn’t said: “OK, you have not reported vulnerability correctly - we don’t consider this as a vulnerability, nor we will fix it until you do so”.
That’s why some serious vendors create Bug Bounties and regulate reporting of vulnerabilities.
This was also unprofessional - you could at least have said “We will check this out”.
MikroTik, you have a keys to people homes and companies - security must be the first priority of yours.
Regards,
Robo
We did check it. Firewall stops it, like it was written above.
I didn’t talk about firewall, It’s about FTP service and it’s clear the firewalls can block any connection, as you know this service has a vulnerability on parsing function, you can fix that easily.
I will not continue this conversation, I reported the vulnerability to you and if you want, please let me know for sending the structure of crafted request to you.
Best regards