Wikileaks just released some CIA documents, and there appears to be a working exploit against Mikrotik HTTPD, allowing full device compromise.

https://wikileaks.org/ciav7p1/cms/page_16384604.html

https://wikileaks.org/ciav7p1/cms/page_16384512.html

https://wikileaks.org/ciav7p1/cms/page_28049422.html

Looks like a POST exploit:

Saw this today, ugh.

Mikrotik would be wise to reach out to WikiLeaks and try to get a copy of the exploit before they make the source public.

I suppose the smartest thing to do is to block HTTP/HTTPS in the meantime.

General information about the "operation", https://wikileaks.org/ciav7p1/index.html
"CIA malware targets Windows, OSx, Linux, routers"

Well, nothing digital is secure when have access to internet.

For the record, this is exactly why I brought up weak keys and future crypto in 2014. APTs are targeting this platform and if you're valuable enough, they'll expend the neccessary resources.

This is also why the minimum amount of services should be enabled in your network. As a precaution I always remove unnecessary packages and disable all services except SSH and winbox, firewalled to authorized IPs. Winbox does scare me a bit due to the proprietary protocol and I wouldn't be surprised if an exploit were found there too.

HTTPD of all things being the exploit entry point is quite surprising, did Mikrotik write their own webserver implementation or is it a bug in one of the modules it accesses (of which there should be very few without authentication!)

HTTPD of all things being the exploit entry point is quite surprising

Not to me. It is actually quite common for http servers, both generic and custom-made, to be full of bugs.
This is also usually the exploit against other routers, cameras, etc.

I'm sure something well-tested like lighttpd could be used as the HTTPD. The problem most likely lies in external CGI scripts etc called by the HTTPD as is usually the case with HTTP based exploits.

This might be interesting reading:

• https://wikileaks.org/ciav7p1/cms/files/UsersGuide.pdf
• https://wikileaks.org/ciav7p1/cms/files ... sGuide.pdf

yeah - scary

they use port 8291 and 80 to implant payload --

Often the bugs are also in authentication, parameter parsing, maximal length of parameters, small integers
that are used as index in an array, etc. Routers often use a simple http server that does not perform
very rigid checking before using values.

We are looking into this and will post a more detailed response in a few hours. We will do everything we can to close any weaknesses if there are any. As always, please try to keep the default firewall on, change or close ports and employ secondary security measures such as port knocking to make sure your device is only accessible by yourself. Currently it seems that no tools have been released and the default firewall prevents any unauthorised access. Will update as soon as I know more.

https://www.wired.com/2017/03/wikileaks-cia-hacks-dump/
http://www.independent.co.uk/life-style ... 16826.html

Thanks Normis.
Look forward to the detailed response..
Cheers

After reviewing a number of the documents since being made aware of them this morning, this leads me to believe at this time the exploits listed are only possible with access to services on the router.. IE: you *should* not be vulnerable if you keep your administration services firewalled.

Operator Notes
ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed.

From: https://wikileaks.org/ciav7p1/cms/page_20250869.html

Normis, we all look forward to Mikrotik's response.

With well over 200 routers in our customers' possession, this is concerning to us to say the least.

Question; Is there a www package upgrade we could lay on top along with normal /ip service changes to lock down our routers ?

Thanks for your efforts in mitigating this problem.

As others have said, there's probably no reason to panic if access to the admin interface is itself properly restricted.

But this is definitely a serious problem that needs to be dealt with, especially since it looks like info on this vulnerability have been in circulation outside the US government:

The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

https://wikileaks.org/ciav7p1/

The good news is twofold: the CIA considered Mikrotik to be enough of a challenge that they put a bunch of MT devices in their lab to hack on; and they apparently only came up with just this one exploit. Mikrotik's employees should be proud, seriously.

Yup. Keep administrative functions OFF the Internet, and you'll be fine...

With well over 200 routers in our customers' possession, this is concerning to us to say the least.
Question; Is there a www package upgrade we could lay on top along with normal /ip service changes to lock down our routers ?

You should make sure that the management services on these routers (ftp, telnet, ssh, www, winbox) are only accessible to
the persons that require this access. Depending on your company policy, this may be the customer,
your network management personnel, or both. But certainly not "the entire internet".

You can do this by defining firewall rules and/or by specifying authorized networks in the settings of the services.

Of course these best-practice measures only help against bugs in the services, not against bugs in the kernel or firewall code.
It is always best to apply as many countermeasures as possible/available:
- disable unneeded services (you might not need www or winbox)
- restrict services to authorized networks in the config
- firewall access from internet to management services (drop new traffic from internet)
- keep firmware reasonably uptodate, there may be security bug fixes (but this is no holy grail, new firmware may also introduce new vulnerabilities)
- monitor

When you are fully managing your client's routers, you could, for example, set logging to some syslog server inside your network so you have an event log, and you could run a syslog server with some monitoring for unexpected messages.

Even though a regular firewall (the default config, in fact) will protect you against the CIA malware, this is an excellent guide to follow for any public RouterOS device: https://www.manitonetworks.com/mikrotik ... -hardening

Official statement: viewtopic.php?f=21&t=119308&p=587512#p587512

I'm sure you probably have seen this page as well. I'm a glass half empty kind of guy, so to me, basically this implies that the CIA more than likely have already figured out ways to exploit the Linux kernel/RouterOS on the CCR platform and have built tools for it. Whether or not the exploits have been discovered or published, time will tell I guess. Clearly they were actively researching it pretty hard if you look at their page with all the Virtual Machines on it.
https://wikileaks.org/ciav7p1/cms/page_22642706.html

Guys, i would relax about your RouterOS devices, at this point it looks like you need to leave your "key in ignition" so your car "got stolen" and start worry about other devices, just look at size of this directory:
https://wikileaks.org/ciav7p1/cms/index.html
Especially those of you who are using Cisco:
http://blogs.cisco.com/security/the-wik ... now-so-far
and:
https://www.linkedin.com/pulse/cia-hack ... craig-dods
"Due to unforeseen circumstances, the technical details of this article have been removed" appeared really, really fast!!
and don't forget this
https://arstechnica.com/tech-policy/201 ... g-implant/
also, am i only one who starts to suspect manufactures that are not on the list Maybe there was no need to try to "penetrate" them. Just saying

As i mentioned in post about statement, other vendors released documents, how to check integrity of systems. I will wait reasonable time any statement from mikrotik, if they plan to release reliable tools for checking integrity, otherwise, if no answer or negative answer - it will play very negative role in future deployment of mikrotik in networks where security required. But i'm sure Mikrotik can do much better than "old school" vendors, if they want.
About integrity i am talking about multiple tools that has "raw" access to media/storage hardware, not just one more gui option that will say "all ok" and can be easily targeted and fooled by malware such as mentioned in this leak.
Here is for example VERY lengthy article what it is possible to do on cisco: http://www.cisco.com/c/en/us/about/secu ... rance.html , and it is quite sophisticated, as they even provide debugging tools to check call stack boundaries. Thats a minimum how responsible vendor handle malware threats this days.

web servers usually are most vulnerable to attacks. personally i dont use web interface and i lock winbox port of remote equipment via port triggering to avoid ip scanners. but wait a minute... could the hotspot web login interface be compromised too??

The reason for such tools are inability to release properly patched versions in time. Cisco release cycle and bug fixing cycle takes years. MT just updated all their versions with a fix.

Also nobody knows how compromised router actually looks like, so how can you create tool for that?

Normis replied to hotspot question in another topic. - Hotspot are supposedly safe.

The reason for such tools are inability to release properly patched versions in time. Cisco release cycle and bug fixing cycle takes years. MT just updated all their versions with a fix.

Also nobody knows how compromised router actually looks like, so how can you create tool for that?

Normis replied to hotspot question in another topic. - Hotspot are supposedly safe.

Issuing a fix is not enough, any security engineer after such event will definitely need to check if any his systems breached, and what is possible impact on network security - if yes. Blindly rolling software updates with crossing fingers that it will make you miraculously secure (especially because your particular malware persistence mechanism might be different than vendor might fix) - very wrong.
Other vendors doing fine on security threats, especially on such nasty ones, as gaining full access on system by feature that is wide open and enabled by default. For example CVE-2016-6366(which is not so critical, because attacker should know SNMP community string, and "default" systems are safe), first published August 15 on shadow brokers group, CVE created aug 17 and cisco issued workarounds recommendation, patched version of ios created aug 24.
It is described how "implant" are installed in system, and i believe it is trivial to detect such malware within system (unauthorized directories, executables).

Sure, but you still need to wait for Wikileaks to release all information and tools, to know for sure . I'm not sitting and waiting on that to happen . Tonight is an update night - hardest decision is to 6.37.5 or 6.38.5...

Sure, but you still need to wait for Wikileaks to release all information and tools, to know for sure . I'm not sitting and waiting on that to happen . Tonight is an update night - hardest decision is to 6.37.5 or 6.38.5...

It is already lot of info there. Take a look:
https://wikileaks.org/ciav7p1/cms/page_16384512.html
Mikrotik can make tool to detect such malware "signatures" and if detected - ask user to supply supout file with big red warning, and request to cooperate with mikrotik to study such "rigged" unit more.
Microsoft did this way, when they supply with each windows update trivial tool to detect known malware signatures.

The reason for such tools are inability to release properly patched versions in time. Cisco release cycle and bug fixing cycle takes years. MT just updated all their versions with a fix.

Not only the inability to release, also the inability to install them.
MikroTik updates are publicly available on their website and can be downloaded by the router at the press of a button or even automatically.
Cisco updates are only available to customers with a support contract, or in grave situations to all customers but only after jumping through hoops.

The reason for such tools are inability to release properly patched versions in time. Cisco release cycle and bug fixing cycle takes years. MT just updated all their versions with a fix.

Also nobody knows how compromised router actually looks like, so how can you create tool for that?

Normis replied to hotspot question in another topic. - Hotspot are supposedly safe.

well... i hope that mikrotik developers leave at least one or two of each product they make public access on the internet hopping that if and when something goes hacked will do memory dump and find the exploit. also we are talking about routers with 32mb and 128mb ram. you cant avoid buffer overflow and compromise at the end. smaller ram and little busybox kernel means easier exploit and protection bypass whatever you do. no patch gonna save you. at least mikrotik products are the most secure among other brands.

https://www.linkedin.com/pulse/cia-hack ... craig-dods
"Due to unforeseen circumstances, the technical details of this article have been removed" appeared really, really fast!!

Well, in these cases archiving service is your best friend: http://archive.is/ecWw0

Mikrotiks Rapid Reaction to the exploits discussed on this thread are to be very much welcomed, however, I have a strong belief that more could be done and should be done to
ensure the protection of our routers and firewalls, after all our customers trust us to provide a service and to protect their interests.

I have suggested the adoption of the following techniques privately to MikroTik,
But I wanted to open up the question to my colleagues in the User Community to get their perspective on
security methodologies that would mitigate against buffer overflows and successful exploit injection and execution on MikroTik RouterOS,
It would be wise to look at other people who seem to be having good success in mitigating security threats and use
-the methodologies,
-the approach
-the processes and
-the actual programming techniques that are required to deliver the outcomes that security users of firewall and internet routing appliances demand of their Software Vendors.
-validation that the techniques are delivering the outcomes we want.
This effort would not be Trivial however neither is the Threat that we are being confronted with. I would like to ask any one else with ideas and knowledge in security / programming securely
to respond with ideas and suggestions. and hopefully Together with MikroTik we can take advantage of the urgency of this crises to further improve the security and stability of Router OS software.

1) Address Space Layout Randomization
2) ProPolice Stack Protection /Malloc Guard pages on Router OS (using Canary to detect and mitigate buffer overflows (stack Protection))
3) using individual restricted unprivileged service accounts per service / process in Mikrotik Router OS (Least privilege /Damage Limitation)
4) W^X Write or Execute page protection /NX /DEP
5) Chrooting services ( Mikrotik are doing this to some extent already can it be improved? )

for members of the community who are interested I have included some links to OPenBSD talks,
Some good talks from OpenBSD guys about Exploit Mitigation Strategies.
Ted Unangst Talking about Developing software in a Hostile OS environment
https://www.youtube.com/watch?v=YYf1U0xcHmk

Pro Police Guard Pages and Address Policies
https://www.youtube.com/watch?v=NJ9Jml0GBPk&t=2s
W^X write or Exectute
https://www.youtube.com/watch?v=A7vtAAeW6zo

Theo de Raat on Privilege separation and pledge
https://www.youtube.com/watch?v=a_EYdzGyNWs&t=11s

The software is free and bsd licensed so it could be harnessed by MikroTik for the benefit of the User base.

the other advantage of the security features is that buggy software will crash much more quickly (flushing out bugs) which would lead to improvements in the reliability of MikroTik services / software running on router OS .
this is a double edged sword... and it would take some time before it could come into full production.
so if in testing we can identify bugs / issues in software then the overall quality of the software would be improved. and that is a win win ...

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't,

one of the docs refers to "the many ways" in which to get in to a MikroTik Box, that is of particular concern, I think the apparent reference "may ways to" get into a MikroTik shows us that MikroTik need to improve the processes around security and secure coding, full disclosure and notifying users of pertinent facts relating to the software that we are running in the wild.

of particular concern is the devel login and its purpose and the process around its design and implementation and the duration of its proliferation in the Mikrotik Install base.

Ouch! I didnt noticed this statement, and it is raising big questions.

There has never been any backdoor.

"devel" user is created by installing a special debug package by mikrotik staff, which would appear in the packages menu, and allow a new user "devel" to access the device. The user "devel" uses the admin password, so there is no way to access the device without asking the password from the administrator of the router. This package gives mikrotik staff access to some additional debugging utilities.

This only happened when a user voluntarily provided mikrotik support staff with remote access.

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't.....of particular concern is the devel login and its purpose and the process around its design and implementation and the duration of its proliferation in the Mikrotik Install base.

Aren't you starting kind of storm in a teapot ? You have quoted part of news and "forgot" to copy other part I DO NOT SAY "Mikrotik is safe" but if you have router "open from WAN" you are asking yourself for troubles despite the ROS problems.

Yes, this is because all these documents are describing how these "hackers" are configuring their own systems for testing. This explains why they remove firewall and talk about "devel" login. This is because the documents do not describe penetration of remote systems. It describes their test networks, their own routers.

There has never been any backdoor.

"devel" user is created by installing a special debug package by mikrotik staff, which would appear in the packages menu, and allow a new user "devel" to access the device. The user "devel" uses the admin password, so there is no way to access the device without asking the password from the administrator of the router. This package gives mikrotik staff access to some additional debugging utilities.

This only happened when a user voluntarily provided mikrotik support staff with remote access.

Thanks the Clarification Normis, that reduces the risk to the user base quite a bit ..
was there any security controls around the debug package who could install it ?..
it would appear that one of these packages got out in the wild...
was the debug package version (minor version specific) or was it one package for all releases in a particular major version on a particular architecture ?

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't,

Welcome back to the forum Tom!! I see you continue where you left off, when you last time were active on forum. Conspiracy theories and stuff !
Really nice time for comeback! i personally think you are way overreacting (again) and i can't see any of your suggestions to be implemented, because they are rather off the topic and hardly can help - too much effort, not enough gains.

for example
Address Space Layout Randomization - is too specific and almost useless on 32-bit systems
is the NX-bit even available in MIPS CPUs?

There has never been any backdoor.

"devel" user is created by installing a special debug package by mikrotik staff, which would appear in the packages menu, and allow a new user "devel" to access the device. The user "devel" uses the admin password, so there is no way to access the device without asking the password from the administrator of the router. This package gives mikrotik staff access to some additional debugging utilities.

This only happened when a user voluntarily provided mikrotik support staff with remote access.

Thanks for clarification!
Also i believe before(in old versions) there was a way to craft malicious npk file, probably they was using that to make devel account and their own debug package.

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't.....of particular concern is the devel login and its purpose and the process around its design and implementation and the duration of its proliferation in the Mikrotik Install base.

Aren't you starting kind of storm in a teapot ? You have quoted part of news and "forgot" to copy other part
drop.PNG

I DO NOT SAY "Mikrotik is safe" but if you have router "open from WAN" you are asking yourself for troubles despite the ROS problems.

Hello Bartoz
No I dont think im over reacting or creating a storm in a tea cup or tea pot and im not creating any thing ... im responding to a situation that was created by others.
you are pointing out one line also in vault 7 ... you also are forgetting that if you had cpes with a version prior to 6.22 and they were upgraded to a version between 6.22 and 6.37.1 the accept New and established rules were automajically re-written to accept all traffic regardless of state... so no im not creating storm in a tea cup im concerned that devices with public ips with serivces running on them be it reverse proxies, VPNS etc are open to being compromised... and I think my concerns are more than justified... and that a defence in depth strategy (and best practices ) would dictate that we should be scrutinizing in a holistic manner the entirety or ROS and eradicate any potential entry points...with VPN services sometimes firewalling is not an option and this is of particular concern

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't,

Welcome back to the forum Tom!! I see you continue where you left off, when you last time were active on forum. Conspiracy theories and stuff !
Really nice time for comeback! i personally think you are way overreacting (again) and i can't see any of your suggestions to be implemented, because they are rather off the topic and hardly can help - too much effort, not enough gains.

for example
Address Space Layout Randomization - is too specific and almost useless on 32-bit systems
is the NX-bit even available in MIPS CPUs?

Hello mac gaiver,
Thanks for the Welcome back ... (I dont recall the conspiracy theories) i was probably discussing some risks that were possible to exploit and it would appear that somepeople took advantage of these risks )
Im not way over reacting ... in fact I think alot of people are under reacting,
regarding NX etc... alot of mitigations that OpenBSD were implemented across multiple architectures... and NX while not available in i386 was available on later chips.. .each architecture has its own nuances... and these are referrred to in the talks that i linked to..
to say aslr or pro police ...or something that would stop process that have buffer overflows is irrelevant in this context does not make sence to me...
different architectures have different levels of protection in them granted.. but openbsd has shown what can be achieved if security is prioritised and I think it is worth looking at the mitigation techniques that they have developed and demonstrated and that they use in production... I dont get why you think this is not relevant.

OpenBSD did implement work around on i386 to get around the lack of NX .. and they actually use multiple architectures to help show up bugs in software that runs across multiple platforms... so a bug that would appear in one platform easily would not appear in another platform that easily, but the bug still existed and was irradicated across all platforms.. . so with MTs Many different architectures they can actually turn what I thought was a serious dis advantage (having to support loads of different architectures) into a serious advantage interms of bug identification and eradication ..

Yes, this is because all these documents are describing how these "hackers" are configuring their own systems for testing. This explains why they remove firewall and talk about "devel" login. This is because the documents do not describe penetration of remote systems. It describes their test networks, their own routers.

Normis, it would appear they were testing payloads that would be injected later on to a vulnerable system... it would appear to be standard practice for attackers... use soft local systems to create set piece attack tools to use on a target on the internet. this is still a concern that I have that there are other vulnerabilities and exploits to target them somewhere in the wild.

Hello Bartoz
No I dont think im over reacting or creating a storm in a tea cup or tea pot and im not creating any thing ... im responding to a situation that was created by others.
you are pointing out one line also in vault 7 ... you also are forgetting that if you had cpes with a version prior to 6.22 and they were upgraded to a version between 6.22 and 6.37.1 the accept New and established rules were automajically re-written to accept all traffic regardless of state... so no im not creating storm in a tea cup im concerned that devices with public ips with serivces running on them be it reverse proxies, VPNS etc are open to being compromised... and I think my concerns are more than justified... and that a defence in depth strategy (and best practices ) would dictate that we should be scrutinizing in a holistic manner the entirety or ROS and eradicate any potential entry points...with VPN services sometimes firewalling is not an option and this is of particular concern

Too many words to describe situation when the admin simply does not care about firewall rules.

Yes, this is because all these documents are describing how these "hackers" are configuring their own systems for testing. This explains why they remove firewall and talk about "devel" login. This is because the documents do not describe penetration of remote systems. It describes their test networks, their own routers.

Normis, it would appear they were testing payloads that would be injected later on to a vulnerable system... it would appear to be standard practice for attackers... use soft local systems to create set piece attack tools to use on a target on the internet. this is still a concern that I have that there are other vulnerabilities and exploits to target them somewhere in the wild.

Yes, and that was fixed. You can't expect that MikroTik will officially state that all bugs of the future are also now fixed. There are never 100% guarantees.

Don't get me wrong, Tom, I understand that you are worried and are trying to help.
RouterOS does have a lot of safeguards in place and our programmers are always looking into making RouterOS more secure.
Your suggestions are always forwarded to the right people and if there is something interesting, we will look into it.

Yes, this is because all these documents are describing how these "hackers" are configuring their own systems for testing. This explains why they remove firewall and talk about "devel" login. This is because the documents do not describe penetration of remote systems. It describes their test networks, their own routers.

Normis, it would appear they were testing payloads that would be injected later on to a vulnerable system... it would appear to be standard practice for attackers... use soft local systems to create set piece attack tools to use on a target on the internet. this is still a concern that I have that there are other vulnerabilities and exploits to target them somewhere in the wild.

Yes, and that was fixed. You can't expect that MikroTik will officially state that all bugs of the future are also now fixed. There are never 100% guarantees.

Thanks Normis and to be fair to MikroTik I remember askign for BGP diagnositcs assistance which required a Debug package ... I asked for the debug package so I could reload the router out of hours... MikroTik Did Refuse Me that Request without any reason... In light of Normises Clarifications re devel login ... the refusal to give me the devel understandable now given what risks MT were trying to mitigate... perhaps a Licence Key protection on the Debug package would reduce the risk of unauthorized proliferation thanks unique devel package per install based on licence key...

There is actually no security risk in people having this package. It only installs a shell and some basic tools that mikrotik support staff can use to view some more logs and such. It does not open access or create any other weaknesses. You still need the administrator password and open ports etc. There are no dangerous tools included in there.

The CIA hacker is just saying that he lost the convenience of having direct shell access this way. He had to find other ways to test his programs.

Too many words to describe situation when the admin simply does not care about firewall rules.

Im not sure what you mean by that

I Certainly care about Firewall rules and Im saying there are times you cant firewall a service off from the outside world, VPN services are just an example of that that I gave...
if you have mobile clients they can enter from any IP so you cant firewall them.
The point im trying to make (regardless of firewall configuration) Router OS services should be robust enough to prevent unauthorized infiltration of the operating system.
in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ...

or if the firewall itself has the vulnerability.

I know it's illegal, but i've reverse enigineered Mikrotik
And I can confirm, all this Nova stuff - they do care about security, most of intermediate libs/sw is writted by them in C++, and finding exploits surely is possible, but TAKES TIME AND MONEY, unlikely open-sourced UBNT products, as we saw in the past

But fact is, everything is exploitable, question is how much money will be paid. Seems CIA have enough budget to employ skilled guys.
Even if they will cross the point after not much things will be left for exploitation, they still can exploit PERSONS. As we saw before - algorithms weaknesses left by-design, security cards CPU hw bugs left by design, leaks of GSM KI keys by Schlumberger and Gemalto... No coincidence here.

+ don't forget Russia have own CIA... and russian guys are skilled too.
I think need to launch honeypot

in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ...

Who said that? MikroTik has found the vulnerability and released a patch. This was done by carefully parsing all the discussions in the leaked documents. There are enough hints as to how it works. The vulnerability was found and there is nothing in the currently leaked documents to hint that there is another one. Surely there could be, but no company can give you a 100% guarantee, that they do not have an unknown bug somewhere.

Surely there could be, but no company can give you a 100% guarantee, that they do not have an unknown bug somewhere.

What normally worries me more (not specifically for MikroTik equipment) is that there is some bug or designed-in backdoor in the netfilter (iptables) itself.
Such a bug could offer a generic entry into the many Linux systems on the net.

Well of course, but as you can see in this situation, many of the big router manufacturers are facing the same issues or even much bigger ones.
I guess this type of risk has always existed and in theory - always will.

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news.

Agreed! It's called due dilligence, or doing one"s job.

Sent from my phone through Tapatalk. Sorry for the errors and the short responses.

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news.

Still it is nice, also, if manufacturer(Mikrotik) provide some inspection tools, that makes job of implant authors much harder, and customer will be able to detect trivial implants by himself, and report early to Mikrotik such incidents.

Too many words to describe situation when the admin simply does not care about firewall rules.

Im not sure what you mean by that ....[ciach-ciach] ....in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ...

Easy questions:
Do you left access to WWW services of your routers open from WAN side ?
Do you need WWW services to manage VPNs ?
If you really need WWW access to your router, do you limit acceptable IPs where you can connect from ?

Exploit uses WWW services so you just need to disable them. There are two ways to do it: disable them or firewall them.

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news.

Still it is nice, also, if manufacturer(Mikrotik) provide some inspection tools, that makes job of implant authors much harder, and customer will be able to detect trivial implants by himself, and report early to Mikrotik such incidents.

It seems that already there is such tool. It could be just extended for some more checks if they are needed

It seems that already there is such tool. It could be just extended for some more checks if they are needed
checkinstallation.PNG

It is very basic, just to verify possible filesystem/files corruption, too easy to fool it, and wont cover even known implants.

in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ...

Who said that? MikroTik has found the vulnerability and released a patch. This was done by carefully parsing all the discussions in the leaked documents. There are enough hints as to how it works. The vulnerability was found and there is nothing in the currently leaked documents to hint that there is another one. Surely there could be, but no company can give you a 100% guarantee, that they do not have an unknown bug somewhere.

other public members on the forum...have commented on the thread pretty much saying if users dont firewall that it is their fault... my point is that when there is a vulnerability in a service the primary party that is responsible for fixing it is MikroTik.

Im saying I have a higher expectation of Security than MikroTik than some users, and of course I believe that my higher expectation of security from MikroTik is justified I want the best ...

Im saying
1) I would like to see a formal security policy from MikroTik and that there are formal software security review methodologies and practices in MikroTik.
2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik,
3) I would when MikroTik become aware of an Issue that they publicly disclose it as a security issue (once they have a patch in a timely manner)
4) I would like to see preventative measures in the OS that would reduce the possibility of a successful exploit (as mentioned in detail earlier)
5) I would like to see evidence of or the fruits of a duly considered approach to adding features to MikroTik Router OS,
-5a) More of the way Romon is disabled by default
-5b) less of the fact that various services that are enabled by default and located in different menu items Bandwidth Test tool is enabled by default and in a different location to IP services
-5c) More of security / attack surface reduction aids by listing the services your router is listening on eg netstat -an ie list all ports or services that your router is listening on.
-5d) less of Cloud ... enabled stuff by default or at least allow us to purge that stuff and disable it as a package
-5e) less of integrating services such as dude agents with the core os ... why couldt this be a package.
-5f ) more of a wizard that hardens the default free for all defaults to a more sensible security centric defaults
-5g) more of control on the the encryption algorithms / cipher suites available for ssl services...
-5h) more of Wibox with server signature check and improved control over the cipher used to encrypt or enforce it to current best practices
-5i) less of Winbox dropping back to clear text mode if Security package is disabled on a router but the security mode has been enabled ( or requested) on the winbox loader
-5k) more of the Winbox encrypted password store (thanks for implementing this )

6) when someone is suggesting security enhancements be more positive and engaged in the discussion (I have had less then optimal exchanges with you guys privately in the distance past (that could also be partly my fault too )

7) when adding a feature cast a cynical devils advocate eye on the feature...
--ask your self could this feature be abused ?
--is there a way we can implement this that reduces risk to the user ?
--can it be secure by default ?
sometimes less is more

Too many words to describe situation when the admin simply does not care about firewall rules.

Im not sure what you mean by that ....[ciach-ciach] ....in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ...

Easy questions:
Do you left access to WWW services of your routers open from WAN side ?
Do you need WWW services to manage VPNs ?
If you really need WWW access to your router, do you limit acceptable IPs where you can connect from ?

Exploit uses WWW services so you just need to disable them. There are two ways to do it: disable them or firewall them.

BartoszP we are talking across purposes here,
Im saying you cant firewall all services (and these services could be vulnerable (past proven ) ( current and future vulnerabilities unknown) ( and as a result more preventative measures should be deployed )
you are saying WWW Services can be firewalled and that one entry point is solved ...that is agreed but you are missing the point that i was trying to make that, Any service that allows a remote connection is a potential entry point... a defense depth strategy is needed by all parties... and when a service cant be firewalled the onus falls on the software manufacturer.

Well of course, but as you can see in this situation, many of the big router manufacturers are facing the same issues or even much bigger ones.
I guess this type of risk has always existed and in theory - always will.

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news.

Normis, but if the software vendor (you change a version of a library you are using due to a potential security issue... notify users that there could be security improvements in that release, there are examples of this in the past Heartbleed etc... we want to see more of it ...for the less publicized security issues in libraries that you use in MikroTik Router OS

as regards the other manufactures, but as a user of mikrotik and someone who has for a long time advocated the use of MikroTik, I think MikroTik could do a better job of communicating issues with their software to their user base... be more open about issues... look at other manufactures disclosures of issues and security advisories. Im not saying MikroTik is Bad at security, Im saying that they can and should improve at security, and learn from this painful experience , increase resources for securing your OS and adopt and lead the charge in implementing best practices in your OS.
we have all been clearly shown that the risk is real and it has to be mitigated.. and that it wont be mitigated with out a change of approach and the allocation of resources to tackle the issue.

we will all win if that happens..

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news.

Still it is nice, also, if manufacturer(Mikrotik) provide some inspection tools, that makes job of implant authors much harder, and customer will be able to detect trivial implants by himself, and report early to Mikrotik such incidents.

an excellent Idea Nuclearcat ... ... a cryptographic filesystem checker signed executables ( and signature check before running ) are an option also... Cool idea Nuclearcat +1

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news.

Still it is nice, also, if manufacturer(Mikrotik) provide some inspection tools, that makes job of implant authors much harder, and customer will be able to detect trivial implants by himself, and report early to Mikrotik such incidents.

It seems that already there is such tool. It could be just extended for some more checks if they are needed
checkinstallation.PNG

... more cryptographic checks ... file hashes ... and a published list of hashes for manual verification for the paranoid... +1

2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik,

How much are you willing to pay for that?
Did you notice Mikrotik is really cheap compared to competitors?
You can't ask a company to be low-priced and have the full package.

[ciach-ciach]Easy questions:
Do you left access to WWW services of your routers open from WAN side ?
Do you need WWW services to manage VPNs ?
If you really need WWW access to your router, do you limit acceptable IPs where you can connect from ?

Exploit uses WWW services so you just need to disable them. There are two ways to do it: disable them or firewall them.

BartoszP we are talking across purposes here,
Im saying you cant firewall all services (and these services could be vulnerable (past proven ) ( current and future vulnerabilities unknown) ( and as a result more preventative measures should be deployed )
you are saying WWW Services can be firewalled and that one entry point is solved ...that is agreed but you are missing the point that i was trying to make that, Any service that allows a remote connection is a potential entry point... a defense depth strategy is needed by all parties... and when a service cant be firewalled the onus falls on the software manufacturer.

You have not answered my questions. You are saying that security is important. Yes, it is.
You are trying to persuade us that construction company, lock makers, window and glass makers shoud harden their products as you want to be safe in your home. They ought to list all security problems which their products are volunerable to. They should improve their products. Yes, they should.
However you do not want to accept simple fact: You should lock your home yourself and do not left doors and windows open.
You should at least practise standard securitu rules before implementing higher ones.

and these services could be vulnerable (past proven )

Could you show proven examples of these ?

1) I would like to see a formal security policy from MikroTik and that there are formal software security review methodologies and practices in MikroTik.
......
-5f ) more of a wizard that hardens the default free for all defaults to a more sensible security centric defaults

Don't be ridiculous. Wizard for hardening router ? Next step is formal explanation from Mikrotik, that this wizzard makes good magic and does not change prince into the frog as a side effect ?

Could you please reset any Mikrotik router to "no configuration" and show all of us all security volunerabities. Just fix them and export such configuration as a gift "pro publico bono". Do not ask someone to do it as it seems that you know all "holes" in the ROS.

2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik,

How much are you willing to pay for that?
Did you notice Mikrotik is really cheap compared to competitors?
You can't ask a company to be low-priced and have the full package.

Hi Dynek,
Thanks for your input, however, au Contraire, I think bug bounties are a very cost effective way of identifying and resolving issues in MikroTik, I think that paying out a few thousand for a vulnerability that is proven, and responsibly disclosed, based on MikroTik financial annual results I dont think it is out of their reach for them ... and look at the cost benefit,.. having a more secure os deployed along the entire userbase.

2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik,

How much are you willing to pay for that?
Did you notice Mikrotik is really cheap compared to competitors?
You can't ask a company to be low-priced and have the full package.

Hi Dynek,
Thanks for your input, however, au Contraire, I think bug bounties are a very cost effective way of identifying and resolving issues in MikroTik, I think that paying out a few thousand for a vulnerability that is proven, and responsibly disclosed, based on MikroTik financial annual results I dont think it is out of their reach for them ... and look at the cost benefit,.. having a more secure os deployed along the entire userbase.

You are saying this because you assume the hacker finding an exploit will not try to get the most he/she can out of it.
What if Mikrotik offers 3k for such an exploit while "someone" else offers 10k?

You have not answered my questions. You are saying that security is important. Yes, it is.
You are trying to persuade us that construction company, lock makers, window and glass makers shoud harden their products as you want to be safe in your home. They ought to list all security problems which their products are volunerable to. They should improve their products. Yes, they should.

ok we are in agreement

However you do not want to accept simple fact: You should lock your home yourself and do not left doors and windows open.
.

I never said that

You should at least practise standard securitu rules before implementing higher ones.

yes... I agree with most of your sentiments, but if you buy a product like a door lock and you use it, a user is entitled to expect that the lock will function.

and these services could be vulnerable (past proven )

Could you show proven examples of these ? .

Here you go ..
What's new in 6.24 (2014-Dec-23 13:38):

*) ntp - fixed vulnerabilities;
I had reported ssh remote exploit
http://seclists.org/fulldisclosure/2015/Mar/49

.

1) I would like to see a formal security policy from MikroTik and that there are formal software security review methodologies and practices in MikroTik.
......
-5f ) more of a wizard that hardens the default free for all defaults to a more sensible security centric defaults

Don't be ridiculous. Wizard for hardening router ? Next step is formal explanation from Mikrotik, that this wizzard makes good magic and does not change prince into the frog as a side effect ?

Try to keep your comments professional, ill let that one slide, so you think that is a bad idea...that is ok you are entitled to your opinion,maybe I didnt explain the type of wizard.. I think that a simple questionnaire and rollback script is a reasonable approach, Im certainly not talking about a Quick set function...
but it would be useful to have a security-centric menu /wizard that allows one answer anumber of questions.. such as
do you use webbox?... NO ? ok would you like me to disable them for you ? ..
do you use the api?... NO ? ok would you like me to disable them for you ? ..
do you like sending stuff over cleartext over ftp telnet and api? ... NO ? ok would you like me to disable them for you ? ...
there are many examples of this approach in other industry... imagine that ... other people didnt think that particular idea is bad

1) secure-mysql.sh Script (I dont think that is ridiculous )
2) security configuration wizard in windows
3) group policy mss templates in Windows

Im not looking for Magic, im looking for a reasoned approach to helping users reduce the attack surface of their router rather than having controls of services that listen for conenctions distributed across the entire menu system...
may I take your silence on all the other points I had raised as an implicit endorsement of those ideas ?

.
Could you please reset any Mikrotik router to "no configuration" and show all of us all security volunerabities. Just fix them and export such configuration as a gift "pro publico bono". Do not ask someone to do it as it seems that you know all "holes" in the ROS.

BartoszP I disagree with your stance on this ...the onus is not on me to prove a point that the CIA have apparently proven already, or what the historic changelog does show... I simply want MikroTik and other software vendors to plan for the worst and hope for the best... (adopt security practices assuming their software is buggy and insecure) , not plan for the best and respond to the worst. (after the fact)
the reality for the user base is that is MT becomes more popular, the number of people and the motivation for hacking the software becomes even greater...
we have seen with other operating systems also.

2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik,

How much are you willing to pay for that?
Did you notice Mikrotik is really cheap compared to competitors?
You can't ask a company to be low-priced and have the full package.

Hi Dynek,
Thanks for your input, however, au Contraire, I think bug bounties are a very cost effective way of identifying and resolving issues in MikroTik, I think that paying out a few thousand for a vulnerability that is proven, and responsibly disclosed, based on MikroTik financial annual results I dont think it is out of their reach for them ... and look at the cost benefit,.. having a more secure os deployed along the entire userbase.

You are saying this because you assume the hacker finding an exploit will not try to get the most he/she can out of it.
What if Mikrotik offers 3k for such an exploit while "someone" else offers 10k?

Hi Dynek thanks for your reply ... fair point... but turn the question on its head ... today
MT offer how much at the minute 0 ? vs someone offering as you say 10k (and professional hacking tools are offering competing bounties (understood)
the point is that there are white hats out there would have a go ... and these could be harnessed ... by a bug bounty program and if nothing else it provides a path that rewards someones time and effort in discovering the vuln and the responsible disclosure of the vuln

5 posts in a row is some kind of record in this forum smytht.

Don't get me wrong, am all about getting rid of "bugs", but sometimes all that is needed is just "step on that bug", not to start "MIT project to introduce high frequency sonic bug defense for whole building".

i also had a bet with several high ranking developers i know, to came up with way to hack older RouterOS with open WWW service, they can use all information Vault#7 provided - and from what i am hearing in 3 days i'm winning the bet.

My bottom line is I do not see this issue as cause to start global revolution and i don't remember any other issues to do so. From business point of view and Time/Effort vs benefits wise your suggestion is close to "waste of time". Sorry!

That time should be used in New Linux Kernel integration (yes, ROuterOS v7) (autosolves LOTs of vulnerabilities) , new hardware (especially more powerful Wireless products) and better manuals.

You have not answered my questions.

ok we are in agreement

No one says you are wrong.

However you do not want to accept simple fact: You should lock your home yourself and do not left doors and windows open.
.

I never said that

It is obvious that you have not said that as it is my statement. However you have not answered my questions.

You should at least practise standard securitu rules before implementing higher ones.

yes... I agree with most of your sentiments, but if you buy a product like a door lock and you use it, a user is entitled to expect that the lock will function.

You are entitled to expect that Mikrotik routers work same as these locks. Are you sure that all locks are safe ?

Here you go ..
What's new in 6.24 (2014-Dec-23 13:38):

*) ntp - fixed vulnerabilities;
I had reported ssh remote exploit
http://seclists.org/fulldisclosure/2015/Mar/49

OMG ... ROS version less than 5.0 ... have you watched the video ? Cracker have logged into ROS via WWW with known password and then issued prepared http string .... do anyone use ROS < 5.0 ?

Try to keep your comments professional, ill let that one slide, so you think that is a bad idea...that is ok you are entitled to your opinion,maybe I didnt explain the type of wizard.. I think that a simple questionnaire and rollback script is a reasonable approach, Im certainly not talking about a Quick set function...
but it would be useful to have a security-centric menu /wizard that allows one answer anumber of questions.. such as
do you use webbox?... NO ? ok would you like me to disable them for you ? ..
do you use the api?... NO ? ok would you like me to disable them for you ? ..
do you like sending stuff over cleartext over ftp telnet and api? ... NO ? ok would you like me to disable them for you ? ...

I am very professional. You are fan of "wizzards". Do you realy need to "click and click and click". Are you sure that this wizzard covers all problems ? Real admins use real keyboard ... it is a little quip ... or maybe not.

...
Im not looking for Magic, im looking for a reasoned approach to helping users reduce the attack surface of their router rather than having controls of services that listen for conenctions distributed across the entire menu system...
may I take your silence on all the other points I had raised as an implicit endorsement of those ideas ? ...

.
Could you please reset any Mikrotik router to "no configuration" and show all of us all security volunerabities. Just fix them and export such configuration as a gift "pro publico bono". Do not ask someone to do it as it seems that you know all "holes" in the ROS.

BartoszP I disagree with your stance on this ...the onus is not on me to prove a point that the CIA have apparently proven already, or what the historic changelog does show... I simply want MikroTik and other software vendors to plan for the worst and hope for the best... (adopt security practices assuming their software is buggy and insecure) , not plan for the best and respond to the worst. (after the fact)
the reality for the user base is that is MT becomes more popular, the number of people and the motivation for hacking the software becomes even greater...
we have seen with other operating systems also.

Instead wasting time for pompous writing just prepare script which closes all volunerable settings. Help save the World from CIA and NSA

On my opinion, at least for the beginning:
1)Securing rommon. This is holy grail in any security. I dont know if all units has similar architecture, but rommon on some SXT i guess is in MX25L512C, maybe even keeping WP# low by separate IC (some attiny?) and requiring secure key to unlock write.
attiny85($1 on digikey) has AES-CMAC implementation, plus you can add some features, using it, to routerboard, for example as power supervisor, for controlled poweroff on low battery voltage, to prevent battery damage, and automatic poweron when charging detected.
Maybe on cheap wireless units it's hard, but a must on "router" units, such as CCR, RB1100 and etc.
2)Something similar to secure boot (but can be disabled, similar to mobile phone vendors by automated release to user unlock key, with losing warranty). At least to verify signature of loaded kernel + small initrd. It is trivial to hide in this initrd some integrity checker.
3)netboot loadable routeros-checker that will verify integrity of system. Even if some implant loaded (if not in rommon), such system loaded over netboot can verify and repair integrity of system on flash.

But what is important, when breach detected - system should be capable to report to Mikrotik and only then - to user, about this breach, maybe over OPTIONAL(!!!) covert channel over dns, as antiviruses do, e.g. small public key base64 encoded string sending status message(so user can't see if it is normal status message or breach detected), and maybe it will be necessary to require cloud services to be enabled for such feature, because after while i thought, if you leave it "user warning only", criminals might study in lab when malware detected or not, to do best possible ways to make it undetectable. And if it is cloud, definitely someone breaching system will have to decide - stay blind or he might alert mikrotik by multiple breaches.
This way Mikrotik can become step ahead of all vendors, and set new standards and make innovations for security of hardware.

You guys should carefully rethink the definition of an exploit. RouterOS already has these checks! It does check also on upgrade. The definition of an exploit is that somebody has found a bug how to overcome or fool these checks.

So MikroTik makes new checks and more security wizards. This does not guarantee that another bug won't be made, opening a new exploit.

You are assuming that RouterOS has zero checks in place, which simply is not true.

have you watched the video ? Cracker have logged into ROS via WWW with known password and then issued prepared http string ....

Erm, yes. This is what is called a CSRF. What must be assumed here is that the call to change the password is issued by the very same user (the one that logs into the admin) without actually knowing the action that is being executed.

You guys should carefully rethink the definition of an exploit. RouterOS already has these checks! It does check also on upgrade. The definition of an exploit is that somebody has found a bug how to overcome or fool these checks.

So MikroTik makes new checks and more security wizards. This does not guarantee that another bug won't be made, opening a new exploit.

You are assuming that RouterOS has zero checks in place, which simply is not true.

Yes, i agree exploit might help to get inside system, but proper integrity checks will make impossible to obtain persistence.
As they stated in leaks, they was able to get it by trivially adding entries to boot scripts and placing binaries in special places.

5 posts in a row is some kind of record in this forum smytht.

what can I say I care.. and I hate forums... the fact im posting on it tells you how seriously I view the issue

My bottom line is I do not see this issue as cause to start global revolution and i don't remember any other issues to do so. From business point of view and Time/Effort vs benefits wise your suggestion is close to "waste of time". Sorry!

That time should be used in New Linux Kernel integration (yes, ROuterOS v7) (autosolves LOTs of vulnerabilities) , new hardware (especially more powerful Wireless products) and better manuals.

I see your point Macgaiver I appreciate your feedback... and i suppose ultimately we have different priorities... I think it doesnt have to be a zero sum game... resources into security rather than much needed improvements in ROS... however.. .I do think MikroTIk should invest more in security.. .plough back more profit for the sake of security... a more secure platform that users have more confidence in ...would be a more valuable platform... Mikrotik and its user base can win... long term

You guys should carefully rethink the definition of an exploit. RouterOS already has these checks! It does check also on upgrade. The definition of an exploit is that somebody has found a bug how to overcome or fool these checks.

So MikroTik makes new checks and more security wizards. This does not guarantee that another bug won't be made, opening a new exploit.

You are assuming that RouterOS has zero checks in place, which simply is not true.

Normis, Im not saying zero checks for a second.. Id like to think im fairer than that... .. but I have raised issues in the past...

on exploits vs other security issues .. fair point... point taken there are different severities of security issues ... ok

my point all along is just that more effort could and should be made... and im hoping other users chime in and support this suggestion...

Thanks for interacting and engaging on this which i believe is an important topic...

have you watched the video ? Cracker have logged into ROS via WWW with known password and then issued prepared http string ....

Erm, yes. This is what is called a CSRF. What must be assumed here is that the call to change the password is issued by the very same user (the one that logs into the admin) without actually knowing the action that is being executed.

Yes ... but it is for RouterOS earlier than 5.0.
5.0 have been released almost 6 years ago "What’s new in 5.0 (2011-Mar-31 11:33):".
Arguing that we need more security today as 6 years ago there was a bug in the system ... please, please ... do not make me smile ...

EDIT: I do not say that we do not need more security.

Instead wasting time for pompous writing just prepare script which closes all volunerable settings. Help save the World from CIA and NSA

Cant we all just get along...
I have no issue with the NSA or CIA ... they are spies and they do spy stuff... my efforts here are to improve MT security cause I actually care about security... personally I'm more afraid of what other organizations or People would do to our networks / our routers if they are vulnerable...
I want to save our routers from black hats ... I dont do pompous
the spirit in which im asking questions and suggesting security ideas is purely positive, many of them utilized by other vendors or organizations... can we frame the conversation interms of Ideas for improving mikrotik security ? are there things that crossed your mind from a security perspective that you would like Mikrotik to implement ? , Is there anything I suggested that reduces security, I would, I dont want to argue about the need for enhanced security as I think vault 7 proves the need.
or is there other issues that Mikrotik need to address that is more important to you at the moment ? (just like macgaiver mentioned ) ...
I accept that there are scripts that users could implement that would help security no doubt about it ... but one has to be mindful of less technical users, and making their lives easier and more secure should be a priority for us .(and MikroTik)..
the wizard could be a command line questionaire... if you dont like winbox.. / GUI... but I think a security console showing network attack surface would be useful.
No one is Perfect I dont have all the answers, (I dont claim to either!) but I think if users get to gether with Mikrotik we can help eachother make RouterOS Better ...

Peace Out !

You are using big word, big ideas which we all have to agree with as they are true.
No one or almost no one, including me, do not say "It is totally wrong idea" to you but you expect all to say "YES, YES it is great idea, let implement it. Now".
If anyone is not fully with you, he/she is suspected to be against you and your idea. You make then following conclusions based on this.

You want me to "frame the conversation interms of Ideas for improving mikrotik security ?" ... I am framing all the time.
I am asking you to show us where do you see security holes. It is not matter if I like Winbox, CLI or WWW. It is matter of "what we need to secure ?"/
Could you be so kind and help Mikrotik and us to secure our routers ?
You all the time use phrases: "it should be secured ... tools ought to be prepared ... checks have to be hardened ... ". It is easy to say so. It is not your time which have to be spend on it. Who will pay for it ? I know ... raise prices of hardware to make HardenedROS.
Can you imagine that I (as I do not want say We, however IMHO many people could share my opinion) could live with current security level of ROS ? Maybe I do not want to pay more ?
Once more ... instead of writing such long posts PLEASE help to find holes in the default configuration of ROS and PLEASE prepare ROS hardening script for us. Do you know exploits which we should be aware of ? Do you know tools which could help us ? As these steps should be taken PLEASE start them.

Remember that this post it is not "fight" with you but with your "binary view" of security of ROS and the "it should be done ...." way of thinking.

P.S.

Cant we all just get along...

Really ? I see that you have changed discussion from "writing" to "negating". You are not even valiant to rate particular post negatively but you are doing it behind the scene where not too many people will ever glance at.

You are using big word, big ideas which we all have to agree with as they are true.
No one or almost no one, including me, do not say "It is totally wrong idea" to you but you expect all to say "YES, YES it is great idea, let implement it. Now".
If anyone is not fully with you, he/she is suspected to be against you and your idea. You make then following conclusions based on this.

Im discussing Ideas in practical sence giving examples where I can, and hoping for a positive discourse around these ideas, if you some how have misinterpreted my comments that is unfortunate,
but it is you have been negative towards some of the ideas throughout the thread that is unfortunate..I have tried to engage with you but you are using language like ridiculous or pompous and missrepresenting what im saying.

Could you be so kind and help Mikrotik and us to secure our routers ?

OK... so none of my points I have been raising help Mikrotik or you secure your routers ? it is unfortunate, that you dont consider alternative approaches or views help full to securing MikroTik

You all the time use phrases: "it should be secured ... tools ought to be prepared ... checks have to be hardened ... ".
It is easy to say so. It is not your time which have to be spend on it. Who will pay for it ? I know ... raise prices of hardware to make HardenedROS.

I doesnt necessarily mean an increase in prices, Mikrotik can certainly absorb some of the costs,

Can you imagine that I (as I do not want say We, however IMHO many people could share my opinion) could live with current security level of ROS ? Maybe I do not want to pay more ?
Once more ... instead of writing such long posts PLEASE help to find holes in the default configuration of ROS and PLEASE prepare ROS hardening script for us. Do you know exploits which we should be aware of ? Do you know tools which could help us ? As these steps should be taken PLEASE start them.

over the past 11 years I have spent a lot of my time trying to help mikrotik and help users on security, I have suggested lots of security enhancements some have been implemented some have not. I have started... maybe try to engage positively suggest improvements or reasons some of my suggestions wont work... free market of Ideas...

Remember that this post it is not "fight" with you but with your "binary view" of security of ROS and the "it should be done ...." way of thinking.

The amount of Time the Ideas I have presented certainly are not a binary view...
Dont Take it Personally Im Not ... your tone says other wise I think you can conduct yourself better...
You sitll continue to attack my opinion rather than engage in proper discussion -3

Dont Take it Personally Im Not ... your tone says other wise I think you can conduct yourself better...
You sitll continue to attack my opinion rather than engage in proper discussion -3

A . Please make up your mind: "You sitll continue to attack my opinion" vs "Play the Ball not Man ..."
B. Your are taking it personally despite your asseveration and therefore I am rated -3. Not you.
C. Proper discussion seems to be this one you accept.
D. You should be aware of fact that English is not primary language for many users of this forum and you should be not too sensitive to particular words/sentences written by foreigners. Be more lenient.

Dont Take it Personally Im Not ... your tone says other wise I think you can conduct yourself better...
You sitll continue to attack my opinion rather than engage in proper discussion -3

A . Please make up your mind: "You sitll continue to attack my opinion" vs "Play the Ball not Man ..."
B. Your are taking it personally despite your asseveration and therefore I am rated -3. Not you.
C. Proper discussion seems to be this one you accept.
D. You should be aware of fact that English is not primary language for many users of this forum and you should be not too sensitive to particular words/sentences written by foreigners. Be more lenient.

lets agree to disagree on this one ... and let others suggest ideas for improving Mikrotik Security, this topic is bigger than your or my opinions and suggestions.. . free market of Ideas... I want to see more ideas on this thread I want to see where some of my ideas wont work if they wont work... and I want to see if other users agree with some of my ideas.. lets add the ideas to the pool and play positive... lets move on

... free market of Ideas... and I want to see if other users agree with some of my ideas..

A. Free market ? So why do you rate people not opinions ? They could be different than yours. It is forum, not your discourse.
B. If you want to see opinions about your ideas then you should do not be offened if someone does not think the way you do.

... free market of Ideas... and I want to see if other users agree with some of my ideas..

A. Free market ? So why do you rate people not opinions ? They could be different than yours. It is forum, not your discourse.
B. If you want to see opinions about your ideas then you should do not be offened if someone does not think the way you do.

Bartosz You are a forum Moderator... how about being moderate... take a breath... deescalate, we have some disagreements, its ok to have them... this thread is not about you or me it is about Ideas and a response to a serious situation beyond our individual control but as users we can work together with our vendor and improve the situation for all.

I know it's illegal, but i've reverse enigineered Mikrotik
And I can confirm, all this Nova stuff - they do care about security, most of intermediate libs/sw is writted by them in C++, and finding exploits surely is possible, but TAKES TIME AND MONEY, unlikely open-sourced UBNT products, as we saw in the past

sounds interesting can you expand this on the libs / software in C++, any clues to the compilers used library versions...etc

Thanks

I think it would be good if MikroTik share with the community some of the mitigations they do implement in Router OS... It would help the discussion, and certainly put our minds at ease, (well Mine at least )

what do people think of compiler based mitigations ?
http://oss-security.openwall.org/wiki/e ... mitigation
or
https://blog.trailofbits.com/2016/10/17 ... ng-edition ?

I remember an analysis of Router OS a few years ago that different versions of GCC were used over the years and

Bartosz You are a forum Moderator... how about being moderate... take a breath... deescalate,

Don't you think it is quite rude ? Is it worth "-3" to your reputation for symmetry ? You accuse me of beeing "not nice for you" but you do not see your own behaviour. You move discussion to areas totally not connected to technology to cover lack of more arguments than the obvious statement that "we need more security and it should be done" IMHO.

P.S.
As Moderator I do not want participate in the "rating war" as it is not professional.
I have to live with the fact that sometimes users could overuse such tools without any real reason.

Just a note - this topic is officially successfully drowned by you two...
I hope that fact alone smytht indicate that your "method of delivery" seriously lacks something..

my personal standpoint is very simple - i think Linux Kernel development has the highest standards in the world (especially security wise), If MT would update Linux Kernel to up to date version (yes,yes, i know, i repeat myself) RouterOS v7, that is would keep my mind at ease - closed system with secure core... that is best you can ask for in modern world.

Just a note - this topic is officially successfully drowned by you two...
I hope that fact alone smytht indicate that your "method of delivery" seriously lacks something..

yeah you may have a Point... Lets return it to a technical discussion ... Ill work on my delivery, thanks,

re V7 I think there are incremental improvements in mitigations and security improvements that can be made without waiting for a major release,

Thanks

You should be aware of fact that English is not primary language for many users of this forum

Have you heard Tom speak? I'm not sure that's English.

Another Vendor of Networking Hardware recently published a security advisory, via email I was wondering if any thing could be learned from their approach,
The ideas implemented below make sense to me! I was wondering what do you think ?

• Dedicated Security Director focused 100% on Vendors software vulnerabilities and supported by a strong group of engineers
  
  Participation in third-party vulnerability assessment programs such as HackerOne, where we have given out substantial rewards
  
  Significant investment retaining third-party external security audit company to review our software solutions frequently

also the fact that they used their promotion channels to inform users of risks and to urge an update on software is commendable.

I think you best buy only equipment from that other vendor and leave us alone here...

I think you best buy only equipment from that other vendor and leave us alone here...

No Need to be like that cant we all just get along ...

I think you best buy only equipment from that other vendor and leave us alone here...

LOL!

Even though a regular firewall (the default config, in fact) will protect you against the CIA malware, this is an excellent guide to follow for any public RouterOS device: https://www.manitonetworks.com/mikrotik ... -hardening

I see you posted a link to one of my articles - if there's anything you think I should add to it or clarify please let me know. Thanks!

-Tyler

Even though a regular firewall (the default config, in fact) will protect you against the CIA malware, this is an excellent guide to follow for any public RouterOS device: https://www.manitonetworks.com/mikrotik ... -hardening

I see you posted a link to one of my articles - if there's anything you think I should add to it or clarify please let me know. Thanks!

Thanks for that article!
I used it before it was posted here, great resource!