Simply upgrading is easily said, but users can have reasons to stay on a version that works for them.
Simply upgrading your RouterOS device will make sure nothing can be installed into it and will remove any rogue files.
The vulnerability exploited open port 80 from Internet side. Don’t leave any open ports on the input chain unless you limit access to your own IP.
Also having some sort of antivirus in your windows machine will remove any residual DLL files, if Kaspersky already says they have identified it.
It is not that the configs are complicated. In my case it is the performance dropping under lpt2/ipsec in the new bridge implementation. I will have to wait until this is solved.
Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicated".
I have "complicated" configs and I've updated to the 6.41+ versions which meant I had to do a lot more with my configs than going from 6.38.x to 6.40.x.
Thanks, this is clear.
Issue was solved long before new bridge
Then it is wise to learn from errors and learn from them to avoid current and new errors.
I know that and I was anticipating for the next one that is certainly to come.
Can you elaborate on how this was solved? This particular exploit was fixed, but are there any measures in place to prevent this happening again? Does winbox now verify the files downloaded from the router with a digital signature? Are all the files now client-side?
That's good to hear. The self-integrity check seems a bit pointless though, if the device is exploited an attacker could easily bypass or disable such a feature.
Winbox no longer downloads anything from the router (if using new winbox and new RouterOS). Also, the router now checks all internal file signatures itself.
If Winbox is downloading DLL files, it means your device hasn't been upgraded and you are running an outdated Winbox version. Please upgrade both RouterOS and Winbox.
For non-experts, how can somebody test that the vulnerability isn't there? Has Winbox particularly ever been audited?
When I launch winbox under wine it seems to be loading plugins and also the wine log (or window if it's been launched from a shell) keeps repeating "IPV6_ADD_MEMBERSHIP:" (string) even though IPv6 has been disabled on all the linux machines on the network which is to say everything besides the router.
I think my first few launches of winbox were before the current version. Is there some simple way somebody can check for the presence of whatever files are involved by name or hex signature?
Their report gives hex signatures, presumably for their own products? Can they be used with some other scanning method?
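Added example, not part of any post in this thread and not MikroTik or Kaspersky code: one way to answer the question above is to list every Windows executable or DLL in the Winbox data directory with its SHA-256 and check it for byte patterns taken from a report you trust. The signature value below is a constructed placeholder, and the default directory assumes the standard Windows `%APPDATA%` location; under Wine, pass the directory as an argument.

```python
import hashlib
from pathlib import Path

def find_pe_files(root):
    """Yield files under root that begin with the 'MZ' magic, whatever their extension."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                if fh.read(2) == b"MZ":
                    yield path

def scan(root, signatures):
    """Return one record per PE file: path, size, SHA-256 and matching signature labels.

    signatures maps a label to a hex string (spaces allowed), the way
    vendor reports usually print byte patterns.
    """
    needles = {name: bytes.fromhex(hexstr) for name, hexstr in signatures.items()}
    results = []
    for path in find_pe_files(root):
        data = path.read_bytes()
        results.append({
            "path": str(path),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "hits": sorted(n for n, needle in needles.items() if needle in data),
        })
    return results

if __name__ == "__main__":
    import os
    import sys
    # Assumption: Winbox keeps its downloaded files under %APPDATA%\Mikrotik\Winbox.
    default = Path(os.environ.get("APPDATA", ".")) / "Mikrotik" / "Winbox"
    root = sys.argv[1] if len(sys.argv) > 1 else default
    # PLACEHOLDER pattern constructed for illustration; replace it with the
    # byte patterns published in the report you are working from.
    sigs = {"placeholder-sig": "de ad be ef 00 01 02 03"}
    for rec in scan(root, sigs):
        flag = "MATCH " + ",".join(rec["hits"]) if rec["hits"] else "no match"
        print(f'{rec["sha256"]}  {rec["size"]:>9}  {flag}  {rec["path"]}')
```

A Winbox installation that no longer downloads anything from the router should leave no new DLLs here, so any PE file listed is worth comparing by hash against a known-good copy.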
Hi, from which version of Winbox specifically does not download anything from RouterOS?
This WAS mentioned when it was fixed a year ago.
Even worse, it sounds like the issue was fixed over a year ago, but nothing was mentioned about it in any newsletter or email I received from you.
If you don't read the changelogs or even worse you don't update your router a YEAR after this fix, it's in no way Mikrotik's fault.
Release 6.38.5 2017-03-09
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
Did you check if you ever had that RouterOS version (6.38.4-6.38.5) on your router in combination with Winbox by checking the c:/users/...../roaming/Mikrotik/Winbox directory?
Thanks msatter for the link! I will give it a try.
So ChaOs you feel that "www - fixed http server vulnerability" is an appropriate explanation of the severity of this exploit? When I read something like that, my first thought is that I am not using an http server on or off the Mikrotik so it does not affect me.
Whenever I have read the changelogs for the updated OS I have not seen anything that would affect me or would benefit me.
Ever heard of "if it ain't broke, don't fix it!"?
From what I have known up to this point, nothing in the version of the RouterOS that I am using was broke!
I manage all sorts of systems and I get notified about all of the vulnerabilities for Windows, Windows Software, Linux, Apple, Android, and many others. I subscribe to many different security sites and I am used to detailed explanations of reasons to patch systems so I can determine whether or not to proceed. Many times I hold off until I hear from others whether or not these "fixes" end up causing other issues including security and performance.
Long story short, my main issue with what has happened here is that I am under the impression, based on what I have read, that Mikrotik was aware of this exploit and quietly patched their systems without letting their users know how serious this exploit is and how vitally important it is to move to at least Release 6.38.5 to fix it. I have been a big supporter of Mikrotik for a long time now and have raved and marveled at how easy it is to configure (especially with Winbox) and how powerful and flexible it is. Getting the news from a source like Kaspersky, who I don't trust anymore due to their own vulnerabilities or collusion with Russia (still on the fence about which one it is) instead of directly from Mikrotik is like a punch in the gut.
I have said all I am going to say about this. Thanks again to msatter for bringing this up in the forum and sending me a link to check my own systems!
I agree that it's harder to find this information for Mikrotik than it should be. Would anyone else like to see a forum topic that's dedicated to security? It would be something easy for Mikrotik to do, and it'd be good to have a central place where security questions and answers could be found.
Well I am sorry to break it to you but... that sounds like your problem.
Winbox v2 needs DLL files from RouterOS to work. This was its design. This is normal and harmless. Somebody found a way to replace one of the legitimate DLL files with a malicious one. This is not an issue with Winbox v3 which never used any DLL files for its operation.
Hi, is it all of Winbox version 2 that downloads dll files?
Is there a specific version of v2 this was changed?
Please can you clarify this.
Thanks
Now we're talking...
Why doesn't Mikrotik make a native Winbox app for Linux and rescue us from all this crap?
Isn't it time yet?
Read the entire thread. I think between the articles and Normis's explanation, that should cover most of what you brought up. I'm not going to repeat what's already been said.
One thing that bothers me, I have only been using your products for around a month, and I downloaded Winbox 3.11 and was using it. Why was the known to be insecure winbox still there a month ago, if you knew about it a year ago? And even though I have installed 3.12, it still throws up a message about downloading something when it's launched. Although I completely de-installed and reinstalled Wine, it still is doing it. WTF?
But there is.
There should be a native Linux management utility that is open source.
+1
I can't be finding out about these issues by word of mouth or because it shows up on a news feed somewhere.
Why doesn't Mikrotik have a site that actively lists established security concerns?
People can't be expected to find this forum, this thread & drill halfway down through posts to find answers.
Also, some of the back & forth (not just here) is an embarrassment. To be clear, I'm not asking for moderation.
Now would be a great time to establish a specific section of the site that can be checked & relied upon for security related responses.
Even with such a site, this news would have been a security concern back in 2014 when Winbox was patched. How would that help in this situation?
Yes, because I would first have checked if this was already information and maybe Mikrotik could also have been able to publish a way to find out if you were a victim then.