Hummm… Looks like CVE-2024-54772 affects this version also…
Seems that it’s not 6.49.18 that will become next long-term.
I do not understand why this prevents it from becoming long term.
Who is so stupid that they do not limit Winbox access? Or even worse have Winbox open to the internet.
Default rules prevent the internet from accessing Winbox.
CVE-2024-54772 is fixed by - *) user - improved authentication procedure when RADIUS is not used;
In any case, by default RouterOS does not have this “problem” which yes, can make it “easier” to find the username, but the password?
It’s always the users who configure things haphazardly.
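The default-rule argument above, written out as an added RouterOS v6 configuration fragment (not taken from the thread or from MikroTik's own defconf script): the address range 192.168.88.0/24 and the interface list name LAN are assumptions, the "before" rule is the weak state the thread criticises.

```routeros
# WEAK (constructed example): a permissive input chain with no LAN restriction
# leaves TCP/8291 reachable from any interface, which is the exposure the
# CVE-2024-54772 username-guessing discussion assumes.
/ip firewall filter
add chain=input action=accept comment="weak: accept everything on input"

# HARDENED: mirrors the shape of the default firewall, plus an explicit
# Winbox service restriction so 8291 is only reachable from the assumed LAN.
/ip firewall filter
remove [find comment="weak: accept everything on input"]
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input connection-state=invalid action=drop \
    comment="drop invalid"
add chain=input in-interface-list=!LAN action=drop \
    comment="drop all not coming from LAN"

# Belt and braces: bind the Winbox service itself to the LAN range, and keep
# Winbox-over-MAC limited to LAN interfaces.
/ip service set winbox address=192.168.88.0/24 port=8291
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Verify: a line with dst-port=8291 reachable from the WAN must not appear.
/ip firewall filter print where chain=input
/ip service print where name=winbox
```

With these rules in place a remote host never reaches the authentication procedure the CVE concerns, so the fix in 6.49.18 becomes defence in depth rather than the only control.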
That’s quite concerning. This CVE isn’t even listed in the MikroTik security notices: https://cdn.mikrotik.com/web-assets/supportsec/rss.xml. Nor is it mentioned here: https://mikrotik.com/supportsec.
It’s legitimate to quietly patch a vulnerability and include it as a regular changelog item - as long as the issue isn’t publicly known. However, the moment a CVE and an exploit are publicly documented, all relevant information must be transparently disclosed.
I’m running 6.49.13 [long-term], should I upgrade the firmware to 6.49.18 [stable] now or should I wait until 6.49.xx [long-term] becomes available?
You allow everyone in the world to try to connect to your RouterBOARD?
@infabo makes an excellent point.
Complete and diligent CVE follow through is critical for maintaining confidence in MikroTik security management process.
Sorry if it wasn’t clear - MikroTik forgot, not you.
No big issue, but accidentally introduced in a long-term release and now seems impossible to revert in many stable releases.
CVE-2024-54772 (MikroTik-RouterOS Username Enum)
This repo contains the exploit for CVE-2024-54772 which can enumerate valid usernames in Mikrotik routers running RouterOS v6.43 through v7.17.2. The patch is present in v6.49.18 and it will be available in branch v7.18 but it’s now still under testing (as v7.18beta2) and will be released in the near future.
https://github.com/deauther890/CVE-2024-54772
Brute force dictionary attack is the correct term, not “Username Enum” which is totally wrong in this context. Also, access to port 8291 is required and additional dictionary attacks for the password, which will be very tricky if there’s a delay between attempts.
This is a stupid vulnerability, because surely whoever stupid leaves port 8291 open to the world, is the same one who continues to have “admin” as a username…
And it’s also a stupid vulnerability, because the intelligent administrator, if forced for extreme reasons to leave the winbox port open, after having randomly guessed the port knocking, at the third mistake blocks the service (not the attacker’s IP, but the service itself) for 10 minutes and warns via sms/mail/whatsapp, so between 3 users “tested in the dictionary” and 3 others months pass…
I agree that it may seem like a "stupid vulnerability".
But it is still a vulnerability.
As far as I know, there are no rules like: "If the vulnerability is silly, it does not need to be fixed."
And, if they really fixed the vulnerability after being notified and did not mention it in the release notes, this shows extreme bad faith on MikroTik's part.
This is not the attitude of someone who takes security seriously.
To make the product safer, just don’t give it to i–s.
So you need to get a certification and a gun router license.
Hope the CVE fix makes it to long term branch.
Have had the security team ping me multiple times during the last week asking when we are patching this.
Why, do you keep a door open with winbox to the rest of the world?
How could this possibly bother you or the security team?
Do you use the default user admin or some other trivial username???
In another topic it has already come out that if you put the user like “#7464.myXomRuser” it takes centuries of brute force to find it…
Your > password > username will be bruteforced with an average home computer in approximately…
10000+ centuries
You can find the Answer to the Ultimate Question of Life, the Universe, and Everything in that time.
You can even find supercomputers that are there just for you, but the response speed of the RouterBOARD is not infinite…
Some CVEs are just there to highlight stupid security practices that are being practiced(*), or even those that are not being practiced.
(*) user admin with open port without even changing the port number…
The question is deeper: How come they are able to brute-force the username?
And finally, then they have to find the password…
RouterOS version 6.49.18 has been promoted to long-term.
Both the “stable” and “long-term” channels will display that a new version is available; it is the same version.
Should you upgrade if you are already using 6.49.18 “stable”? The 6.49.18 “long-term” does not include any updates apart from a new build time, and discovery packets now use the “long-term” label.
Thanks for the clarification.
Thank you for the update.
After doing this upgrade, webfig login stopped working for me over https in Firefox ESR. The login form is still displayed but attempting to log in causes the error message “ERROR: Not Found” to show up below the login form.
The webfig login still works over regular http in Firefox ESR and it also works over https in Chrome. Before the upgrade, it worked over https from Firefox ESR too (that’s how I did the upgrade). It may also be worth mentioning that I use a non-standard port (i.e., not 443) for the https interface, in case the problem is related to that.