Secrets in supout.rif

I recently needed to file a support ticket with Mikrotik and thought nothing of including the supout.rif, because according to the Mikrotik Wiki, the supout.rif:

does not contain sensitive information or router passwords.

Nonetheless, I was curious and found a supout.rif viewer, which revealed that the supout.rif does in fact contain the following secrets:

  • WireGuard pre-shared keys
  • WireGuard private keys
  • Dynamic DNS secret token

I’m disappointed that Mikrotik does not disclose this. What reason would they have for needing this information?

Can you share what part of the configuration these were found in? In all likelihood this should be reported to MikroTik via the official support channel, noting that these values should be considered secret (and so hidden unless show-sensitive is specified in export). This would also directly fix their being visible in the supout export section.

Also, I advise against using a third-party viewer, as you might effectively be sharing these files with someone else (irrespective of what the site above claims; I have not performed a detailed analysis and can't guarantee that no data leaves your device). MikroTik has its own viewer in the customer portal that you can and should use.

In /interface wireguard peers

I first ran the tool with a lab config and monitored what it was sending back over the network (nothing).
I believe it's based on https://gitlab.com/DerEnderKeks/mikrotik-rif-viewer

Can confirm

[admin@neptune] /interface/wireguard/peers> export
/interface wireguard peers
add allowed-address=::/0 interface=wireguard1 name=peer1 preshared-key="EEg9/f1CG/c6Gi8arqWHYFnaMevjj6TIfQ1umTcA6W8=" private-key="+FepQW0iQu2Al9Eyf6P8ub9O5W2dwuQfQlJasAjz0lc=" public-key="XMQkimpJohGJthghdML/n1B9jQNUAnXMQay1o8JGuAE="

[admin@neptune] /interface/wireguard/peers> print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS, PRESHARED-KEY
# INTERFACE   PUBLIC-KEY                                    ENDPOINT-PORT  ALLOWED-ADDRESS  PRESHARED-KEY
0 wireguard1  XMQkimpJohGJthghdML/n1B9jQNUAnXMQay1o8JGuAE=              0  ::/0             EEg9/f1CG/c6Gi8arqWHYFnaMevjj6TIfQ1umTcA6W8=

You should report this to MikroTik via the support portal. These values should be hidden unless show-sensitive is specified, just like all other passwords.

Yes, supout.rif contains too much sensitive information. Not only the keys and scripts (with login and token) mentioned, or the public IP addresses and MAC addresses. The certificate list is also included, with private certificates along with CA, CRL host, fingerprint etc. For me the included comments are also a privacy issue. My comments on entries like DHCP static leases or firewall rules disclose a lot of things that I don't want MikroTik to learn about.

Up until now, I've always stopped pursuing my support tickets whenever MikroTik mentioned the requirement for a supout.rif upload :upside_down_face:

I have also checked a test supout file with both viewers mentioned in this topic, and confirm that the private key for peers is included. But for the interface it's not included.
I also checked whether these viewers send anything to their servers when you choose a file. Nothing is sent, so they are telling the truth about processing the data locally in your browser.
To be fair, the official MT viewer also honestly shows this key.
I think the reason is that this field is not marked as "sensitive". WinBox also shows it when "Hide passwords" is active.

But I'm curious, why do you need to set a private key for a peer? Personally, I copy a public key from the other WG endpoint and paste it into a peer in RouterOS. And vice versa, I copy the public key from the WG interface in RouterOS and paste it into the config on the other endpoint.

Same for me. I was already complaining about this together with script sources and was told that comments "help for better understanding of configuration".

As for me, there should be some control over what to include in supout and what not to.

Judging from forum posts, people in need of help are rarely qualified to decide what part of the configuration/device state is relevant to the problem and what is not. So I guess that if users could decide which part of the information to include in the supout.rif file, support would get many files missing some part of the relevant info.

My take: if you don't trust your equipment vendor, then at least you don't contact their support with problems tightly related to the actual application ... or you simply don't use their equipment (some devices might be continuously sending all the sensitive data directly into the vendor's public cloud).
Likewise, you don't ask for help on a public forum; you hire an authorized consultant and have him sign an NDA before starting the consultation/work.

It's not about trust, it's more about privacy. And comments can be a private thing sometimes.
You don't show people what's in your pants even if you trust them :laughing:

Keep your pants closed then … or don’t let them look into your pants.
Simple. No ?

Not as simple as it might seem. Anyway, I wasn't talking about full control over supout creation, just some thoughts about comments and scripts.

Well ... if you're asking a urologist for help with your condition, then you'll have to show him what's in your pants. A photograph of the left testicle might be enough, but it might not be. And if you're asking a urologist for help, it's quite likely you're not a urologist yourself, and your idea of whether a photograph of the left testicle is enough or not doesn't count for much ... Of course, if you're wandering in a public park showing what's in your pants, then your urologist will likely send you to see a shrink.

So it's up to you to decide where you want to ask for help, but be prepared for (full if necessary) disclosure. If disclosure is a problem for you, then don't ask for help; rather, prepare to mitigate the consequences.

Recommended procedure for posting a configuration includes:

  • Remove the serial number comment
  • Remove the software license comment
  • Reword sensitive comment language
  • Replace usernames with unique generic names
  • Replace passwords and secret keys with generic descriptions
  • Replace IP addresses with generic numbers, keeping subnet distinctions intact
  • Leave the device model number comment unchanged
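
The script below is an added example, not code from this thread or from MikroTik. It does two things discussed here: find_sensitive() scans a plain export for attributes whose values are secrets (the check that shows preshared-key and private-key are printed even without show-sensitive), and sanitize() applies the posting checklist above to the export text. The sample export is constructed for the example (the three WireGuard key values are the ones posted in the thread; the header comments and the other entries are made up), and the list of secret-bearing attribute names is an assumption you should extend for your own configuration.

```python
import re

# Constructed sample export in RouterOS syntax, modelled on the thread above.
# The three WireGuard key values are the ones posted in the thread; the header
# comments and the other entries are made up for this example.
SAMPLE_EXPORT = """\
# 2024-01-01 12:00:00 by RouterOS 7.12
# software id = ABCD-1234
#
# model = RB5009UG+S+
# serial number = 0123456789AB
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=::/0 interface=wireguard1 name=peer1 preshared-key="EEg9/f1CG/c6Gi8arqWHYFnaMevjj6TIfQ1umTcA6W8=" private-key="+FepQW0iQu2Al9Eyf6P8ub9O5W2dwuQfQlJasAjz0lc=" public-key="XMQkimpJohGJthghdML/n1B9jQNUAnXMQay1o8JGuAE="
/ip address
add address=192.168.88.1/24 comment="office LAN gateway" interface=bridge
add address=203.0.113.7/29 comment="ISP uplink, account 4711" interface=ether1
/ip dhcp-server lease
add address=192.168.88.10 comment="Bob's laptop, room 12" mac-address=AA:BB:CC:DD:EE:FF
/user
add name=alice password="hunter2" group=full
"""

# Attribute names whose values are secrets. This list is an assumption for the
# example; extend it to match the attributes your own export uses.
SENSITIVE_ATTRS = ("private-key", "preshared-key", "password", "secret",
                   "token", "passphrase")

# key=value pairs; values are either double-quoted or a bare token
ATTR_RE = re.compile(r'(?P<key>[a-z0-9-]+)=(?P<val>"[^"]*"|\S+)')
IPV4_RE = re.compile(
    r'\b(?P<net>\d{1,3}\.\d{1,3}\.\d{1,3})\.(?P<host>\d{1,3})(?P<plen>/\d{1,2})?\b')


def find_sensitive(export):
    """List (line number, attribute) for every secret-bearing attribute.

    Running this over the output of a plain `export` is the check for values
    that are printed even though show-sensitive was not given.
    """
    hits = []
    for n, line in enumerate(export.splitlines(), 1):
        if line.startswith("#"):
            continue
        for m in ATTR_RE.finditer(line):
            if m.group("key") in SENSITIVE_ATTRS:
                hits.append((n, m.group("key")))
    return hits


def sanitize(export):
    """Apply the posting checklist to an export and return the cleaned text.

    Drops the serial number and software id comments, keeps the model
    comment, genericises comments, usernames and IPv4 addresses, and redacts
    secret attribute values.
    """
    nets, users, comments = {}, {}, {}
    section = ""
    out = []

    def ipv4_repl(m):
        # One generic prefix per distinct /24 seen, host part unchanged, so
        # entries that shared a subnet still do. (The generic 10.0.N.0/24
        # prefixes could collide with real 10.0.x.x addresses in the input.)
        net = m.group("net")
        if net == "0.0.0":
            return m.group(0)  # 0.0.0.0/0 is a wildcard, not an address
        generic = nets.setdefault(net, "10.0.%d" % (len(nets) + 1))
        return "%s.%s%s" % (generic, m.group("host"), m.group("plen") or "")

    def attr_repl(m):
        key, val = m.group("key"), m.group("val")
        if key in SENSITIVE_ATTRS:
            return '%s="<%s removed>"' % (key, key)
        if key == "comment":
            label = comments.setdefault(val, "comment%d" % (len(comments) + 1))
            return 'comment="%s"' % label
        if key == "name" and section == "/user":
            alias = users.setdefault(val, "user%d" % (len(users) + 1))
            return "name=%s" % alias
        return m.group(0)

    for line in export.splitlines():
        if line.startswith("# serial number") or line.startswith("# software id"):
            continue
        if line.startswith("#"):
            out.append(line)  # timestamp and model comments stay
        elif line.startswith("/"):
            section = line.strip()  # remember which menu the entries belong to
            out.append(line)
        else:
            line = ATTR_RE.sub(attr_repl, line)
            out.append(IPV4_RE.sub(ipv4_repl, line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, key in find_sensitive(SAMPLE_EXPORT):
        print("line %d: %s is printed in the clear" % (n, key))
    print(sanitize(SAMPLE_EXPORT))
```

Feed it the output of /export (or /export show-sensitive) saved to a file rather than the constructed sample; note that it only handles IPv4 and the attribute names listed, and that public keys, MAC addresses and interface names are left as they are, so review the result by eye before posting it.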

@ConradPino
Yep :slight_smile: , but this is (good) advice for when you need to post your configuration (on the forum).
But the doubts are about the contents of the supout.rif, which cannot (and should not) be modified before sending it to MikroTik support.

@mkx
Don't forget the lesson we learned from Doctor House :wink: :

It’s a basic truth of the human condition that everybody lies. The only variable is about what.

(but the symptoms never lie).

Now there is a viewer directly on the MikroTik site:
https://mikrotik.com/client/supout

But using it means that the supout.rif file is already uploaded to MT's site ... which I believe @teslasystems has his doubts about ...

It exists for many years already.

No, I don't have any doubts that it's uploaded.
I was only saying that comments and scripts are a kind of private information. Like passwords. Even more private, because passwords can be changed.

What I meant was that you had doubts about uploading supout.rif anywhere in complete form.