Is routerOS vulnerable?
http://news.cnet.com/8301-1009_3-57566366-83/upnp-networking-flaw-puts-millions-of-pcs-at-risk/
I haven’t turned on the service / scanned it to see if the security vulnerabilities exist in the implementation.
However according to the Wiki:
http://wiki.mikrotik.com/wiki/Manual:IP/UPnP
UPnP is off by default and is not assigned to any interfaces.
Therefore to have the service exposed it would need to be manually turned on, and then assigned to interfaces facing the outside world.
Unlike many consumer devices that turn it on by default and can easily be connected incorrectly providing external access to the interface.
I would say therefore that the exposure surface is rather small even if the software is vulnerable to the hacks.
Regards
Alexander
Ok, thanks. So if I have it turned on I should be ok, provided I don’t have it pointing outside. Thanks.
I have it turned on.
I ran the scan tool and it clams there are “Exploitable 0”
So I guess Mikrotik is nor vulnerable to these bugs???
To test the exploitability of mikrotik in a “misconfigured” test like in the article above you would turn UPnP on on your gateway port and label it an internal port. Then it will tell you if the implementation is vulnerable.
but I am glad its not exploitable when configured properly.
Regards
Alexander