As already reported multiple times, in April 2018 MikroTik fixed a vulnerability in the Winbox server component, which allowed an attacker to gain access to your RouterOS device, if the Winbox port was opened to untrusted networks. Most MikroTik devices include a default firewall that prevents this, but for different reasons, the firewall is sometimes turned off by the user.
The issue was already fixed, but a new method of exploitation has recently been revealed, so we urge all MikroTik users to upgrade their RouterOS versions.
Note: THIS IS THE SAME ISSUE THAT WAS ALREADY FIXED IN APRIL. Only a new way to use the same vulnerability was revealed now.
I updated my RB750G yesterday from 6.42.7 to 6.43.2 and after the update it was stuck at boot (posted about it here http://forum.mikrotik.com/t/radius-server-not-working-in-2-8-11/127/1). What would a noob using auto update do in this case? He wouldn’t even know why his router stopped working. Auto updates are a bad idea if they are not thoroughly tested (one of the reasons I don’t use Windows 10).
As for those who do not have the user and password of the specific RouterBoard, is there the possibility of accessing it in root mode and exploiting this vulnerability?
Okay, so only people that have the username and password can exploit the vulnerability? Or can all people get root access with the vulnerability even if they do not have the username and password for the RouterBoard?
About the answer “If you have updated RouterOS, nobody can exploit this vulnerability.”:
What are the versions that don’t have this vulnerability?
From which version onward does the vulnerability not appear: from 6.40.8, 6.40.9 or 6.42.0?
We have several RouterBoards on 6.40.8 and we want to know if there is an urgency in updating them.
Hi, if I have opened the Winbox service but I have changed the port for it, is it dangerous? Of course I’ll update the OS as soon as it is possible, but it’s interesting whether a changed port is dangerous.
Always think of security as the first step before plugging a cable into the wall, and use the concept of defense in layers.
Assume somewhere along the line a user will make an error and bad guys will be on the inside of your network as well.
Was ~275K a few days ago. A forum post is nice but do you have a mail campaign to warn customers of these vulns? I seem to only get emails regarding conferences/training sessions and seldom get emails for software upgrades and the like. August 5th was last advisory I received (filters not the issue) related to this.
It was already discussed. Who do you call customers? End users or admins?
End users? … most of them do not even know that they have a MikroTik device installed as a gateway to the Internet. Forget them.
Admins? … real admins reading MikroTik’s site or forum should be/are aware of these problems but the main question is: Do they not want to “lose” time to upgrade their devices?
No e-mail campaign will change this situation.
I try to update as many routers as I possibly can, but lots of them are out of my reach, and some are mission critical. I can’t risk doing a remote update on these ones; if something goes wrong, I’ll be in trouble.
I updated about 150 so far, still have around 200 to go, so it is a slow process. So far none of them bricked or did some weird thing, except one RB951UI-2hnd that, after the upgrade, disconnects my Winbox client every 2 minutes, not something terrible.
Anyway, all of my routers have port knocking and weird port numbers; so far none of them were infected, afaik.
I don’t agree with “automatic update”. We already have too many problems with Windows 10 (like the last update that erased a lot of data?). We don’t want that with MikroTik. I need to trust my rigs; I know I trust MikroTik as it is now.
Top story at HN at the moment: Some Russian guy claims he secured 100k MT devices which were vulnerable and openly accessible via the internet. He added some firewall rules and left an informational message for the device owners, some of which recently reported here in the forums that their router apparently got hacked.
Normally, I’m someone who updates all my MikroTik devices religiously.
However, there’s always that one router that you forget to upgrade. I manage hundreds of these things, many of them connected to public IP addresses.
Saw that one of them got pwned today (I disabled the entries below). Also found web proxy enabled, as well as DNS server entries added and a whole bunch of very interesting things: