[Security] Attackers changed DNS servers

Hello All,

I have a CRS125-24G-1S routerboard with firmware 6.41.4. Last night attackers were able to change the DNS settings on the MikroTik router via the web interface, so the clients were directed to the attacker's servers; as you can no doubt guess, SSL-secured services immediately produced certificate warnings in the clients' browsers. DNS was the only setting that was changed, so we did not have any other issue. We changed the DNS servers and closed the web service after that, leaving winbox as the only management protocol of the router.

192.200.110.106 is the DNS server that was set by the attacker.

The router's log revealed some information:

04:20:48 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.122[32233] 
04:20:48 ipsec,error 216.218.206.122 failed to get valid proposal. 
04:20:48 ipsec,error 216.218.206.122 failed to pre-process ph1 packet (side: 1, status 1). 
04:20:48 ipsec,error 216.218.206.122 phase1 negotiation failed. 


04:51:46 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.66[1503] 
04:51:46 ipsec,error 216.218.206.66 failed to get valid proposal. 
04:51:46 ipsec,error 216.218.206.66 failed to pre-process ph1 packet (side: 1, status 1). 
04:51:46 ipsec,error 216.218.206.66 phase1 negotiation failed. 

05:54:22 system,error,critical login failure for user admin from 42.177.206.6 via web 
05:54:27 system,info,account user admin logged in from 42.177.206.6 via web 
05:54:49 system,info,account user admin logged in from 42.177.206.6 via web 
05:54:51 system,info dns changed by admin 
05:54:56 system,info,account user admin logged in from 42.87.96.170 via web 
05:54:59 system,info dns changed by admin 
05:55:35 system,info,account user admin logged out from 42.177.206.6 via web 
05:56:05 system,info,account user admin logged out from 42.177.206.6 via web 
05:56:05 system,info,account user admin logged out from 42.87.96.170 via web 

05:59:26 system,error,critical login failure for user admin from 42.87.96.170 via web

I do not understand how they were able to guess the password, as it was a complex password.

Is there a known security issue? Can the IPsec phase 1 negotiation leak some information?
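The log excerpt above carries the whole story in three places: a failed web login followed five seconds later by a successful one from the same public address, a second session from another public address, and two "dns changed by admin" entries while those sessions were open. The script below is an added example written for this page, not code from the original posts or from MikroTik; it parses the plain "HH:MM:SS topics message" format that RouterOS writes to its log and flags exactly those three patterns. The management allow-list (MGMT_NETS) is an assumption for illustration, and the sample log is copied from the post above with the poster's XX.XX.XX.XX masking left in place.

```python
"""Detector for the RouterOS log pattern discussed in the post above.

Added example written for this page; it is not code from the original posts
or from MikroTik. It parses "HH:MM:SS topic[,topic...] message" lines and
raises three kinds of finding:
  * a management login (or failed login) from an address outside the
    allow-listed management networks,
  * a successful login within a few seconds of a failed one from the same
    address (one failure then success is not what a brute force looks like),
  * a configuration change, reported with the remote sessions open at
    that moment.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FAIL_RE = re.compile(r"login failure for user (\S+) from ([\d.]+) via (\w+)")
SESSION_RE = re.compile(r"user (\S+) logged (in|out) from ([\d.]+) via (\w+)")
CHANGE_RE = re.compile(r"^(\w+) changed by (\S+)$")

# Assumption: the only networks management logins should come from.
MGMT_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Log lines copied from the post above (XX.XX.XX.XX is the poster's masking).
SAMPLE_LOG = """\
04:20:48 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.122[32233]
04:20:48 ipsec,error 216.218.206.122 failed to get valid proposal.
04:51:46 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.66[1503]
05:54:22 system,error,critical login failure for user admin from 42.177.206.6 via web
05:54:27 system,info,account user admin logged in from 42.177.206.6 via web
05:54:49 system,info,account user admin logged in from 42.177.206.6 via web
05:54:51 system,info dns changed by admin
05:54:56 system,info,account user admin logged in from 42.87.96.170 via web
05:54:59 system,info dns changed by admin
05:55:35 system,info,account user admin logged out from 42.177.206.6 via web
05:56:05 system,info,account user admin logged out from 42.177.206.6 via web
05:56:05 system,info,account user admin logged out from 42.87.96.170 via web
05:59:26 system,error,critical login failure for user admin from 42.87.96.170 via web
"""


def parse(text):
    """Turn log text into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, topics, msg = m.groups()
        ev = {"time": datetime.strptime(ts, "%H:%M:%S"), "topics": topics.split(","), "msg": msg}
        if (f := FAIL_RE.search(msg)):
            ev.update(kind="login_failure", user=f.group(1), ip=f.group(2), svc=f.group(3))
        elif (s := SESSION_RE.search(msg)):
            ev.update(kind="login" if s.group(2) == "in" else "logout",
                      user=s.group(1), ip=s.group(3), svc=s.group(4))
        elif (c := CHANGE_RE.match(msg)):
            ev.update(kind="config_change", what=c.group(1), user=c.group(2))
        else:
            ev["kind"] = "other"          # e.g. the ipsec phase 1 noise
        events.append(ev)
    return events


def analyse(events, mgmt_nets=MGMT_NETS, window=timedelta(seconds=30)):
    """Walk the events in log order and return a list of finding dicts."""
    findings = []
    last_failure = {}   # ip -> time of the most recent failed login
    sessions = {}       # ip -> number of sessions currently open from that address
    for ev in events:
        kind = ev["kind"]
        if kind in ("login", "login_failure"):
            addr = ip_address(ev["ip"])
            if not any(addr in net for net in mgmt_nets):
                findings.append({"time": ev["time"], "kind": "non_mgmt_source",
                                 "ip": ev["ip"], "svc": ev["svc"], "event": kind})
        if kind == "login_failure":
            last_failure[ev["ip"]] = ev["time"]
        elif kind == "login":
            failed_at = last_failure.pop(ev["ip"], None)
            if failed_at is not None and ev["time"] - failed_at <= window:
                findings.append({"time": ev["time"], "kind": "fail_then_success",
                                 "ip": ev["ip"],
                                 "seconds": int((ev["time"] - failed_at).total_seconds())})
            sessions[ev["ip"]] = sessions.get(ev["ip"], 0) + 1
        elif kind == "logout":
            remaining = sessions.get(ev["ip"], 0) - 1
            if remaining > 0:
                sessions[ev["ip"]] = remaining
            else:
                sessions.pop(ev["ip"], None)
        elif kind == "config_change":
            findings.append({"time": ev["time"], "kind": "config_change",
                             "what": ev["what"], "user": ev["user"],
                             "sessions": sorted(sessions)})
    return findings


def scan(text=SAMPLE_LOG):
    """Parse and analyse one log text; returns the findings list."""
    return analyse(parse(text))


if __name__ == "__main__":
    for f in scan():
        details = {k: v for k, v in f.items() if k not in ("time", "kind")}
        print(f["time"].strftime("%H:%M:%S"), f["kind"], details)
```

Run against the posted excerpt, the detector reports every web login as coming from outside the management networks, a single failure-then-success pair five seconds apart from 42.177.206.6, and two DNS changes: the first while only 42.177.206.6 was logged in, the second while both 42.177.206.6 and 42.87.96.170 had open sessions. The failure-then-success rule is the useful one here: a password that is "guessed" on the second attempt was not guessed at all, which is the question the poster is asking.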

Was your device protected by a firewall? Web/Winbox should not be left unprotected on the public interface. Please follow this guide to protect your device:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

There was a known issue where an unprotected web/winbox port could be exploited. It has already been fixed, so please upgrade your device. You are not running a recent version.

Thank you @normis,

How to get security alerts from MikroTik? Is there a mailing list?

Follow updates in the forum announcement section:
https://forum.mikrotik.com/viewforum.php?f=21

And changelog:
https://mikrotik.com/download/changelogs

We are also working on a blog.

That is excellent news; it will make the information more easily accessible, and questions/discussion can happen in the forum linked from the blog.

Please investigate this issue!
I have the same issue on many MTs in my hands. This issue only started happening in the last 2 days.
The attacker can log in to my MT using any user on the MT. Even if I change my password, the attacker can still log in after just a few tries.
I don't understand how they can know (guess) my password.
Many Thanks!

Because you run an old version of RouterOS. Update and change all passwords.

I have the same issue. It started happening in the last 2 days.
What firmware versions are vulnerable?
In which version is the bug fixed?

Simple answer - upgrade to the current release.

Took me about 3 seconds to find it in the Announcements section:
http://forum.mikrotik.com/t/advisory-vulnerability-exploiting-the-winbox-port-solved/118771/1