Winbox vulnerability: please upgrade

It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service that was patched in RouterOS v6.42.1 on April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the “Check for updates” button, if you haven’t done so already.

Steps to be taken:

  • Upgrade RouterOS to the latest release
  • Change your password after upgrading
  • Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
  • Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winbox-vulnerability.html

Since the attacker is inserting his script into the targeted routers and changing their configuration, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the links above.
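The checklist above, carried out from the RouterOS terminal, as an added example that is not part of the MikroTik post; the LAN range 192.168.88.0/24, the interface list name WAN and the export file name are assumptions for illustration.

```routeros
# Added example (not MikroTik's own text): inspection and hardening steps for the
# checklist above. 192.168.88.0/24 and the WAN interface list are assumed values.

# 1. Upgrade to the current release (the Winbox fix shipped in 6.42.1; the 6.40.8
#    bugfix changelog also lists it). "install" downloads the package and reboots.
/system package update check-for-updates
/system package update install

# 2. Change the admin password after upgrading; treat the old one as exposed.
/user set admin password="<new-strong-password>"

# 3. Inspect for attacker-added configuration: SOCKS proxy, unknown scripts and
#    scheduler entries. Review the output, then disable SOCKS if you do not use it.
/ip socks print
/ip socks set enabled=no
/system script print
/system scheduler print

# 4. Restrict Winbox to the LAN and drop it from the WAN side. Rules are evaluated
#    in order, so the drop is placed at the top of the input chain.
/ip service set winbox address=192.168.88.0/24
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    action=drop comment="drop Winbox from WAN" place-before=0

# Keep a clean export to diff against on the next inspection.
/export file=after-cleanup
```

Compare the export with a known-good one (or with the previous export) so that any setting you did not put there stands out.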

@normis, hey can you get this on the blog? I’d like to see any complainers cut off at the pass who say this announcement didn’t end up in the right spots.

It’s already in the blog, because it is the same vulnerability.

That’s what I figured.

Hi Normis,

What you wrote above may make it look to someone like 6.40.8 (bugfix) is not secure either. I would like you to mention that this bugfix release is secure too (the blog needs correction too, but it does at least mention that 6.40.8 is OK).

I’m with @Samot. If it’s worth a forum post, it’s worth posting a similar update to the blog. As soon as the blog was announced I added it to my important RSS feeds so I get fast notifications.
Maybe not a lot of people are monitoring the blog posts yet, but I think to err on the side of a little extra communication is warranted.

On forum posts if the subject line doesn’t interest me, I would never read it.

It is like: I do not like this song because I have never listened to it before and the title bores me. :smiley:

I got a news article about this today through my Google feed. I immediately realized that this is a problem that was fixed a while ago.

But I agree a short new blog post pointing to the earlier post would reduce confusion. People would be coming here looking for new information.

I hope it’s clear to people that ports on public facing networks should be blocked using the firewall… Personally I leave ssh open but that’s the only thing and I really hope that doesn’t get hacked…

lol. Nice try, but the analogy is weak. A song can be in the background and doesn’t consume any time.

This forum is very busy. I do not have time to read all the posts. I am notified of new/updated forum posts via email. A good subject line will get me to spend the time to read the post.

Incidentally, I really wish the forum email notifications included the content of the post.

So, is 6.40.8 secured against this vulnerability or is it not?

I’d also really like confirmation on whether the latest bugfix ( 6.40.8 ) release has been patched for this vulnerability.

According to the changelog it is fixed:

What’s new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

This vulnerability is from 6.28. I tried it:
https://github.com/BigNerd95/WinboxExploit
https://github.com/BasuCert/WinboxPoC

this has caused me a nightmare :laughing:

Lesson learnt that’s for sure.

I’m so glad the script didn’t reset any routers, but it’s still going to take a few days to sort them all out :open_mouth:

On the first link WinboxExploit.py reveals that the admin password is stored in the clear in the device. It simply requests the userdb and prints stuff found at offset 55. Mind == blown.

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.

Hopefully, by using such zero day, somebody hacks, enters into MikroTik HQ, steals, borrows, forks, acquires by using magnets, liberates the source code and makes GNU/RouterOS, so no such zero day happens ever again. :smiley:

Even that could get hacked. It is exposed to annoying dictionary attacks all the time. Nowadays, best practice is to simply work through carefully secured and encrypted VPNs and have nothing else open to the public.

@Normis: Thank you for the email. I know I was a pain in the a** by repeatedly pointing it out, but I believe it was simply missed. It is a bit of a shame it took so long, but I really appreciate this step in order to help RouterOS users secure their devices.
Please be assured that I never wanted to show any hostility towards MikroTik. All my posts were in pursuit of safety for other users, which will in the end help MikroTik by improving the relationship and trust with customers.

From “now on”? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.

Normis …
It seems to be a fight with windmills … this is an era when most people read JUST THE TOPIC and do not read more than one sentence of news, and most of them do not even want to think about what they are reading. The topic is all the information they want to know.