I have a MikroTik 6.48 VM machine; it works fine.
When I scan my network for vulnerabilities I get this:
TCP timestamps OID: 1.3.6.1.4.1.25623.1.0.80091
I googled it but I cannot find a solution to remove this vulnerability.
Can anyone help, please?
If you are not using SNMP, disable it.
If you use it, just change the SNMP community and don’t use “public”, and use v2 or v3 with authentication.
Thanks for your response, but SNMP is already disabled on my router.
User Cha0s has answered this question earlier on SO:
https://serverfault.com/questions/884962/how-to-disable-tcp-timestamps-on-a-mikrotik-router
AFAIK you cannot disable this on MikroTik.
The problem is that vulnerability scanners consider TCP timestamps a vulnerability,
so MikroTik should take this into consideration.
Znevna
January 6, 2021, 6:16am
6
What services is your MikroTik Router providing to the outside (wild wild internet) that you consider this a vulnerability?
For me, I do not have problems, but my manager recommended removing any vulnerability.
Znevna
January 6, 2021, 8:56am
8
MikroTik can respond with timestamps only for the services running on it (winbox, www etc.), services which should be accessible only from trusted zones (Management VLAN, allowed IP list etc.).
So fix your security issues first and there won’t be any “vulnerability”.
For the DSTNATed ports you have to take care of the “issue” on the destination machines.
R1CH
January 6, 2021, 4:25pm
9
amsteen
January 17, 2021, 7:30am
10
Now I get another vulnerability:
SSL/TLS: Report ‘Anonymous’ Cipher Suites OID: 1.3.6.1.4.1.25623.1.0.108147
Any help?
Znevna
January 17, 2021, 10:40am
11
Yes, fix it like you’ve fixed the one above.
amsteen
January 17, 2021, 10:42am
12
I did not fix the first one.
This has been discussed before: https://www.reddit.com/r/mikrotik/comments/6kgln8/anonymous_and_weak_ssl_ciphers_on_mikrotik/
Disabling/firewalling www-ssl and api-ssl should fix the issue.
If you’re concerned about security, you should learn to properly and securely configure (e.g. firewall) the device.
Znevna
January 17, 2021, 12:52pm
14
Same advice I gave him above to fix his “tcp timestamps”. If he would’ve done that, both of these “vulnerabilities” wouldn’t be an “issue” – secure your devices or pay someone to do it for you.
But the nut didn’t stick to the wall.