Problem RouterOS 6.38.5 - Denial of Service

A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections.

More info:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7285
https://cxsecurity.com/issue/WLB-2017030242
https://www.exploit-db.com/exploits/41752/

Just implement good firewall rules and all will work well.

Sigh… some people seem to be only on the planet to destroy other people’s work and fun.
How pathetic.

Maybe, but in the end it’s good, because once a problem is found and fixed, whole product gets better.

Or change the Winbox port and wait for a security update.

I think it is not the product that must be fixed, but those people.
I agree that when there is a security problem something has to be done, but those idiots that just destroy other people’s work and fun deserve no place on this planet.

Even worse. It could be their job…

For personal use as a home router it is not a problem. But if you have a big network? Temporarily you should use firewall rules

/ip firewall filter add chain=input action=accept protocol=tcp src-address=[allowed IP] dst-port=8291 comment=Winbox

where you need to change “allowed IP”

Any device should have a firewall from the ports where unauthenticated users have access.

We tested several devices (751, hEX lite, CHR - 8x Xeon) and found that they went to 100% CPU and all services on the devices (and transit traffic) went down with this vulnerability. And it does not matter which destination port is specified and what rules are in the firewall. The result is the same: the device is fully down.

We are waiting for the update …

This wouldn’t help. Such an attack on my ROS still consumes all available CPU. Checked on RB951, 2011, hAP lite and CCR1036.
RST packets don’t create a connection, so firewall rules will just help attackers consume CPU.

Have you enabled “SYN COOKIE” option in the RouterOS settings? You should. This will help.

Even with SYN cookies, the attack is still successful: we do not yet have a connection with the attacker and suddenly receive an RST packet from him.

Just try to test this exploit on some devices.

Is this 6.38.5 and above only? Or does this also work on 6.37.5?

We just tested it. Simple firewall rule reduces load by at least 90%. Maybe there is something wrong with your rules? Please post them, so we can check.

The problem is that a firewall rule will knock our CCRs out of fastpath forwarding, thereby severely reducing throughput. Please fix this in software, and preferably offer an update for the current bugfix branch (6.37.x) as well.

Disable these services in “ip services” menu, change ports and use access-from setting. No firewall then. Only the enabled services in “ip services” menu suffer from this load issue.

So using the access-from lists mitigates the problem? That would be awesome because we’re already using that in lieu of firewall rules to keep the devices in fastpath.

Access list does not help much, we tested it.

Basically you have these choices:

A) disable these services and change ports, configure some OOBM access from a special port that has no access to the public networks
B) use firewall
C) Get a more powerful router

If there is an open service, the router will take requests and send answers. There is no way around that. If you have ideas how to “eat the cake and have it” at the same time, let us know :-)
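The following RouterOS configuration is an added example illustrating the thread’s options A and B together with the single Winbox rule posted earlier; it is not configuration from the thread or from MikroTik. It assumes a management subnet of 192.0.2.0/24 (a placeholder to replace with your own allowed addresses), an address list named mgmt, and the default Winbox port 8291 mentioned in the thread. The logging rule at the end is only an observation aid and, like every input-chain rule, costs CPU and takes a CCR out of fastpath, which is the trade-off the thread describes.

```routeros
# Added example, not from the thread. Placeholders: 192.0.2.0/24 = management
# subnet, "mgmt" = address list name. Port 8291 is the Winbox port from the thread.

# Option A: restrict and disable services in /ip service. No firewall rule is
# involved, so forwarding stays in fastpath on CCRs. Unused services are disabled
# so that they cannot be targeted at all.
/ip service
set winbox address=192.0.2.0/24 port=8291
set ssh address=192.0.2.0/24
set www disabled=yes
set www-ssl disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Option B: firewall the input chain. Allowed sources are kept in an address list
# so the rule does not change when a management host is added. The thread reports
# that this reduces load by roughly 90% on some devices but not on others, because
# RST packets are still received and matched even though they never open a connection.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="allowed management sources"

/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="Winbox from management"
add chain=input protocol=tcp dst-port=8291 action=drop comment="Winbox from anywhere else"

# SYN cookies are mentioned in the thread; as noted there they do not stop a RST
# flood, because a RST needs no handshake. Enabling them is still good practice
# against SYN floods.
/ip settings set tcp-syncookies=yes

# Optional observation aid: log at most 5 RST packets per second arriving at the
# Winbox port so a flood shows up in /log without flooding the log itself.
/ip firewall filter
add chain=input protocol=tcp tcp-flags=rst dst-port=8291 limit=5,10:packet action=log log-prefix="rst-to-winbox" place-before=0
```

After applying this, `/ip firewall filter print stats` shows how many packets the drop rule is matching, and `/log print where message~"rst-to-winbox"` shows the sampled sources; both counters rising together while CPU climbs is the pattern the thread describes, and at that point only option C (a router with more CPU headroom) or a software fix changes the outcome.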