In our country we have a lot of windmills and we don't fight them, we use them. However, we have a "Bierkaai" and yes, that has to do with beer… and not weed, even though it arrives in the same city.
De Bierkaai was the quay in Amsterdam where the barrels of beer arrived and where the porters worked who loaded and unloaded the heavy barrels of beer.
The residents of this part of Amsterdam were known as invincible fighters, and a fight with them was one you absolutely would lose.
So whenever you come to Amsterdam to smoke, illegally produced weed then, ask about the “Bierkaai”. It was a part of the “Oudezijds Voorburgwal”, located near the “Oude Kerk”.
I wrote on many occasions that security has improved in recent times. And this security 'problem' was more than a wake-up call; it will carry a lot of fallout and we are only at the beginning of that. I wrote about what could have/should have been done in the past months to inform and warn owners of Mikrotik devices.
Others and I have written a lot of suggestions in the past in different topics and please do something with those suggestions and make a plan so that this will not happen again.
It might take drastic measures which are not seen before but having these kinds of problems can even kill a company, if trust in that company collapses.
As the Oude Kerk is about a 5 min. walk from Central Station, most people start and end their visit to Amsterdam without crossing Damstraat, and they miss e.g. Rembrandt's Museum. Not even trying to visit or just find any windmill the Netherlands is famous for.
I received an e-mail this morning from one of our Mikrotik distributors here in South Africa, and note this is not the first one I have received from them re Mikrotik Notice.
So to me, it looks like Mikrotik has done all it could to notify the users. Well done Mikrotik, very proud to be a Mikrotik Evangelist.
Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I reckon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe. That aside, your quick reaction and fix is exemplary, so we should thank you for that. But please allow some of us to be a little skeptical after the fact that in 2018 you still stored (past tense) something as sensitive in the device as a password, in clear text. Anyway, hoping for the best and life goes on.
Figuratively asking: Are you saying that Mikrotik has hundreds of thousands of devices? No, users are the owners of them.
Should Mikrotik call/inform each user/owner and "persuade" them to upgrade? What if the user says NO? What if admins in a DC ignore such info?
I'm not the "advocatus diaboli" of Mikrotik, but you should apply the right measure to the problem.
If a car company makes a mistake in a car, it calls people to a service point, but someone ignoring this call will be using a bad car forever.
If a food company needs to collect some "bad" food from the market, in spite of problems in the production process, it is impossible to persuade anyone to return it. All owners could be asked to return it, but nothing more.
The email was released AFTER the news about the botnet. It again happened after negative publicity hit the media, despite the fact that I asked many times to send the email earlier.
It was the same mistake as the previous email, which was sent in March 2018 after the whole world was flooded with news about the "vpnfilter" malware (which was using a March 2017 webserver vulnerability).
I really want Mikrotik to succeed and I promote them around my business as I can, and it would be much easier if emails came as preemptive actions instead of as a reaction to negative publicity in the news.
I know they don’t have to, but imagine how much positive publicity Mikrotik can get, if they proactively warn users after the vulnerability is found and fixed and before it gets massively misused. My personal opinion - it would be like a dream! And cost of mass email is not that high…
I definitely disagree with the idea from this topic about home-calling routers, pushing users to update etc. That is not necessary and creates more issues than it solves.
AVM (Fritz!box) does it because they are in the SOHO area, in which Mikrotik is also more and more operative.
You can switch off automatic updates and be warned, and even tell it not to check. TR069 can also be disabled, so you are the boss.
AVM sells routers in Germany, Poland, Netherlands, Belgium, Austria and Italy and many other countries. The premium ISP Xs4all in the Netherlands uses Fritz!boxes as their customer device.
I replaced my Fritz!box because AVM is not anymore what it was in the past. I replaced it with a Mikrotik, but the Fritz!box is still doing WiFi, DECT, house automation.
I can pick up my phone and press a few buttons to check if there is an update. If an update is waiting to be installed, I get a beep and a red light blinking on the DECT phone. I can upgrade by selecting the update and it will update the Fritz!box.
And yes, I have forbidden the Fritz!box to check through the DNS server. No firewall rules needed.
No arguments against the importance of applying updates in time by owners whatsoever. But you’re aware that car makers get sued for dysfunctional parts or functional parts having design mistakes, right? That’s because they didn’t do everything in their power and ability to prevent problems leading to (fatal) accidents. It’s exactly because you can’t tell users what to do why you need to do everything you can to prevent disasters such as this. If the passwords were stored as (strong) hashes, the security hole didn’t exist to begin with. Well, being able to get the user db is still a problem, but by far not as serious. The only thing I’m pissed about is the pw storage which has been allegedly fixed along with the Winbox sechole (and very quickly, at that). And don’t get me wrong, I will continue to use and advocate MT devices, they’re great but these small mishaps are the ones that usually ruin the reputation of any thriving company.
@CZFan, last time you wrote that also, but that thread was closed before I could read it.
Security is for 95% reacting to an attack; the remaining 5% can cause more damage than the 95%.
I mentioned AVM; not long ago they had a big hole in their VOIP system. It was patched and rolled out within a few weeks to all AVM routers. Mikrotik had months' time. https://www.cvedetails.com/cve/CVE-2015-7242/
disabling “drop” rules in the fw (seen myself) or ones added allowing unconditional access (seen reported by others)
unneeded/bogus/suspicious/deleted fw entries (reported by others)
added suspicious scripts to system/scripts and associated scheduler entries
deleted existing scripts (reported by others)
There might be others, too, do a search in the forums. I have regular backups using compact export .rsc files so I was able to do a diff and see all changes which I mentioned above, on a particular device.
EDIT: hmm, now that you asked, and reading the blog post again, it’s really not very apparent which version pertains to which release branch at a single glance. Both bugfix and recent stable releases are linear without additional marking. Although if you’re fixated your updates on either of them you should be able to determine. 6.40.8 is the latest bugfix one, so it should be OK.
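The backup-diff check described in the post above can be scripted. The following is an added example, not part of the original thread: it compares two compact export `.rsc` files and reports firewall, script and scheduler entries that were added, removed or disabled. The sample exports and the names `parse_export` and `audit` are constructed for illustration.

```python
import re

WATCHED = ("/ip firewall filter", "/system script", "/system scheduler")  # menus to audit

def parse_export(text):
    """Map each watched menu path to {normalized entry: is_disabled}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line if line in WATCHED else None
        elif current and line.startswith("add "):
            # Compare entries without the disabled flag so a toggle shows up as one finding.
            key = re.sub(r"\s+disabled=yes\b", "", line)
            sections.setdefault(current, {})[key] = key != line
    return sections

def audit(old_text, new_text):
    """Return sorted (section, change, entry) tuples between two exports."""
    old, new = parse_export(old_text), parse_export(new_text)
    findings = []
    for section in WATCHED:
        before, after = old.get(section, {}), new.get(section, {})
        for entry, was_disabled in before.items():
            if entry not in after:
                findings.append((section, "removed", entry))
            elif after[entry] and not was_disabled:
                findings.append((section, "disabled", entry))
        findings += [(section, "added", e) for e in after if e not in before]
    return sorted(findings)

# Constructed sample exports (not taken from a real device).
BASELINE = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="drop all from WAN" \\
    in-interface=ether1
/system script
add name=backup source="/export file=daily"
"""
CURRENT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input
add action=drop chain=input comment="drop all from WAN" disabled=yes \\
    in-interface=ether1
/system scheduler
add interval=30s name=sched1 on-event=script1
"""
if __name__ == "__main__":
    print(*audit(BASELINE, CURRENT), sep="\n")
```

Any finding in these three menus that you did not make yourself is a reason to treat the device as compromised and rebuild it from a known-good export after upgrading.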
The MAC addressing is used inside the network (L2) and sometimes on the first hop to your ISP router/switch. MAC can’t be blocked as discussed in other threads.