RouterOS Upgrade Issues (From 6.34.6 / 6.36.1)

I’m currently going through and updating hundreds of our Managed Routerboard 750GLs to v6.40.7 (bugfix) as a result of the recently discovered exploit which utilizes the HTTP service on the devices.

During those upgrades, I’ve discovered that my usual method for updating the hardware does not appear to work when I’m starting with v6.34.6 or v6.36.1.

My usual process is to drag the ‘routeros-mipsbe-6.40.7.npk’ file onto the device, and then reboot. Routerboards running older RouterOS versions then boot back up with the new RouterOS, and I move on to updating the firmware to v3.41 afterwards.

However, when using this method for a Routerboard already running v6.34.6 or v6.36.1, the .npk file is copied over successfully and the device reboots, but it always comes back up on the original firmware.

If I go through ‘System → Packages’ and ‘Check for Updates’, that method appears to work. However, for consistency’s sake, I’m looking to have the same RouterOS version on all devices, and 6.40.7 (bugfix) is no longer available via that method. (Looks like it just got updated overnight, right in the middle of all of my updates.)

Is there some alternate method I can use for these upgrades which will allow me to manually select the desired RouterOS version and install it, regardless of what the current RouterOS happens to be?

It is more important to use the recently released bugfix version, even if it breaks your consistency policy:

http://forum.mikrotik.com/t/advisory-vulnerability-exploiting-the-winbox-port-solved/118771/1

We’re literally in the middle of mass upgrades across all of our managed devices and have only vetted 6.40.7 for our configurations at this time.

So while we’ll certainly be upgrading the devices to more recent versions in the future, that won’t be able to occur until we test/vet the new versions across our configurations, though I appreciate the suggestion. (We’ve had aspects of our configs stop working between upgrades in the past, so we don’t upgrade without verifying that our configs work on the new RouterOS versions beforehand.)

I’m hoping to get 6.40.7 rolled out to guard against the exploit we were informed about in a recent security advisory (http://forum.mikrotik.com/t/urgent-security-advisory/117944/1) ASAP, and then we can look at vetting the newer bugfix versions with our configs and rolling those out afterwards.

So is there some way to accomplish this when trying to upgrade from 6.34.6 or 6.36.1?

Also, what’s the best way to sign up for Routerboard security advisories? (I think the e-mail we got about the recent exploit may have just been a one-time/one-off message?)

You can also simply make sure your devices have no exposed Winbox port to the outside world (or untrusted networks), then you can stay with your vetted version.
We are working on some other way to release this kind of information. Suggestions are welcome.

We’re definitely covered on that front, as our Winbox/SSH access is locked down to a few management IPs.

My current challenge is trying to get 6.40.7 on devices running 6.34.6 / 6.36.1 though. I guess I could downgrade them first, and then upgrade them in the usual fashion, but I was hoping I might be missing something simple that would work without me needing to downgrade.

As to ways to release the info, Cisco/Juniper/Adtran all appear to have fairly standard ‘opt in’ e-mail messaging setups for their advisories, so something like that could work.
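Added example, not part of any post in this thread: the thread's mitigation of keeping Winbox, SSH and the HTTP service reachable only from management IPs can be checked across a fleet by auditing each router's `/ip service export` output. The management ranges, the sample export and the `audit_services` helper are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this example: management ranges use documentation address
# space, and only the services named in the thread are audited.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28"),
             ipaddress.ip_network("198.51.100.10/32")]
WATCHED = ("www", "ssh", "winbox")

# Constructed sample of `/ip service export` output from one router.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.0.2.0/28
set ssh address=192.0.2.0/28,198.51.100.10/32
set winbox address=0.0.0.0/0
"""

def audit_services(export_text, mgmt_nets=MGMT_NETS):
    """Return {service: finding} for watched services reachable beyond mgmt_nets."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # rejoin wrapped export lines
    state = {name: {} for name in WATCHED}  # no `set` line = service at defaults
    in_section = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip service"
            continue
        m = re.match(r"set (\S+)\s*(.*)", line)
        if in_section and m and m.group(1) in state:
            state[m.group(1)] = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    findings = {}
    for name, props in state.items():
        if props.get("disabled") == "yes":
            continue
        allowed = props.get("address", "").strip('"')
        if not allowed:  # default: enabled and reachable from any source address
            findings[name] = "enabled with no address restriction"
            continue
        outside = []
        for entry in allowed.split(","):
            net = ipaddress.ip_network(entry, strict=False)
            if not any(net.version == mg.version and net.subnet_of(mg) for mg in mgmt_nets):
                outside.append(entry)
        if outside:
            findings[name] = "allows " + ",".join(outside)
    return findings

if __name__ == "__main__":
    for service, finding in audit_services(SAMPLE_EXPORT).items():
        print(f"{service}: {finding}")
```

This only evaluates the per-service `address` list; firewall input-chain rules that also restrict access are not considered.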