MHzTweaker
just joined
Topic Author
Posts: 6
Joined: Sat Dec 29, 2018 5:17 pm

Has this remote ROOT exploit been patched??

Sat Dec 29, 2018 6:12 pm

Good morning
I'm new here and to Mikrotik products

I have a CRS328-24P-4S+ I installed a couple weeks ago to replace my combination Procurve 2900-48G switch and pfSense PC router box.
I use this in my home for both personal and business stuff. I was specifically wanting the 10GB uplinks.

I set up the CRS328 to the best of my ability, got my network going, changed the Admin password and went about my life.
A week later I went back in using winbox to check things. I went to the logs and frankly it scared the hell out of me!!! I saw a constant flow of failed login attempts from IPs all over the world. Every minute there was one. There were so many that the log would not contain them and they rolled off the page. I went into panic mode and set out to try and secure this router. I read a Wiki and turned off all the remote services except ssh and winbox. I created a new admin user and turned off the default admin account. I limited the ssh port to just one. I then only allowed winbox to connect within my private network from a specific static IP on one workstation. I also implemented most of the other suggestions in the Wiki as well.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Now I am still getting about 5-6 failed login attempts every day (denied winbox/dude connect from x.x.x.x) which is certainly better than hundreds per day. Still, is this normal??

I have a friend who is into vulnerability testing and he said there was a current exploit.
This one: https://www.exploit-db.com/exploits/45578
MicroTik RouterOS < 6.43rc3 - Remote Root
Does anyone know if this has been patched yet???

I am running v6.43.8 ROS and a current winbox client.
Is this exploit blockable somehow?
I am not a router OS guy but do service desktop and laptop computers as I have for 25+ years. I will need clear and thorough explanations.

thanks
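The failed-login noise described in this post can be triaged from a log export rather than watched scrolling by in Winbox. The Python below is an added example (not MikroTik code) that counts failures per source address over constructed log lines written in the style of the "denied winbox/dude connect from x.x.x.x" message quoted above, and separates sources inside the 192.168.0.0/24 LAN from external ones; the LAN range and the exact log wording are assumptions.

```python
"""Added example: summarise failed-login lines from a RouterOS-style log.
The sample lines below are constructed for illustration; the message text
mirrors what the thread quotes but is not taken from a real device."""
import ipaddress
import re
from collections import Counter

# Constructed sample log export (timestamps and addresses are made up).
SAMPLE_LOG = """\
dec/29 06:01:12 system,error,critical login failure for user admin from 203.0.113.7 via winbox
dec/29 06:01:40 system,error,critical login failure for user admin from 203.0.113.7 via winbox
dec/29 06:02:05 system,error,critical login failure for user root from 198.51.100.23 via ssh
dec/29 06:02:33 system,info,account user admin logged in from 192.168.0.10 via winbox
dec/29 06:03:10 system,error,critical denied winbox/dude connect from 203.0.113.7
dec/29 06:05:44 system,error,critical denied winbox/dude connect from 192.168.0.55
"""

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed private network

# Both failure messages carry the source address after "from".
FAILURE_RE = re.compile(
    r"(?:login failure for user (?P<user>\S+)|denied winbox/dude connect)"
    r" from (?P<src>\d+\.\d+\.\d+\.\d+)(?: via (?P<svc>\S+))?"
)


def failed_logins(log_text):
    """Return {src_ip: count} for every failed or denied login line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


def external_sources(counts):
    """Sources outside the LAN: these should stop appearing once the
    input chain drops WAN traffic to the management ports."""
    return sorted(ip for ip in counts if ipaddress.ip_address(ip) not in LAN)


def lan_sources(counts):
    """Failures from inside the LAN deserve a closer look: a mistyped
    password, or a LAN host that should not be probing winbox at all."""
    return sorted(ip for ip in counts if ipaddress.ip_address(ip) in LAN)


if __name__ == "__main__":
    c = failed_logins(SAMPLE_LOG)
    for ip in external_sources(c):
        print(f"external {ip}: {c[ip]} failures")
    for ip in lan_sources(c):
        print(f"LAN      {ip}: {c[ip]} failures")
```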
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 6:19 am

You should be patched, except that you may want to netinstall to reimage the system.
 
mistry7
Forum Guru
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 10:25 am

Show us your firewall configuration
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 10:59 am

 
MHzTweaker
just joined
Topic Author
Posts: 6
Joined: Sat Dec 29, 2018 5:17 pm

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 12:51 pm

Show us your firewall configuration
I have no firewall configuration and I do not know how to configure it.
As I stated from the beginning, I am not a router OS guy.
It is as it was from the default settings. There are no "filter rules" listed.
Not understanding I have been hesitant to add rules for fear of making things worse.
I only use Winbox inside my local private network and have Winbox configured to only accept connects from within my 192.168.0.x network.

I updated router OS and Winbox to v6.43.7 new out of the box a couple of weeks ago as soon as I unboxed and turned on the router the first time.

I updated to v6.43.8 as soon as I saw those logs filled with hundreds or thousands of failed attempts to login.
I then went through the Wiki disabling all but ssh and winbox services.
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 1:10 pm

it scared the hell out of me!!!
Yes, you made inappropriate configuration changes. Scary.
Study some basics about firewall and fix it.
If you don't want to study then reset your router to default to get firewall back.
 
mistry7
Forum Guru
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 1:14 pm

Show us your firewall configuration
I have no firewall configuration and I do not know how to configure it.
As I stated from the beginning, I am not a router OS guy.
It is as it was from the default settings. There are no "filter rules" listed.
Not understanding I have been hesitant to add rules for fear of making things worse.
I only use Winbox inside my local private network and have Winbox configured to only accept connects from within my 192.168.0.x network.

I updated router OS and Winbox to v6.43.7 new out of the box a couple of weeks ago as soon as I unboxed and turned on the router the first time.

I updated to v6.43.8 as soon as I saw those logs filled with hundreds or thousands of failed attempts to login.
I then went through the Wiki disabling all but ssh and winbox services.
Zero Firewall = Zero Security for your router......
 
MHzTweaker
just joined
Topic Author
Posts: 6
Joined: Sat Dec 29, 2018 5:17 pm

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 4:08 pm

it scared the hell out of me!!!
Yes, you made inappropriate configuration changes. Scary.
Study some basics about firewall and fix it.
If you don't want to study then reset your router to default to get firewall back.
What is inappropriate about anything I did??????
Initially much was left at defaults except the password. I have corrected things as I have learned about them. I came here to learn.

Why would I reset my router? I never turned the firewall off. There are just no filter rules added.

I came here for help and suggestions, not to be talked down to. We all had to start somewhere. If you have nothing constructive to say then please say nothing.

What does anyone think of this tutorial and the accompanying video?
http://tksja.com/essential-firewall-rules/
https://www.youtube.com/watch?v=78jhP62VvwI
SCRIPT from video:
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
END SCRIPT

Is this a good starting point?
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 6:04 pm


I set up the CRS328 to the best of my ability, got my network going, changed the Admin password and went about my life.
A week later I went back in using winbox to check things. I went to the logs and frankly it scared the hell out of me!!! I saw a constant flow of failed login attempts from IPs all over the world. Every minute there was one. There were so many that the log would not contain them and they rolled off the page. I went into panic mode and set out to try and secure this router. I read a Wiki and turned off
Yes, it is to be expected. There are thousands of active bots out there - trying to connect to ALL IPs in sequence, one by one, on the off chance that it will pay off. Best thing to do is to deny everything, and accept what you need. Use a default drop rule, at the very end of the firewall. Before this rule you put the ones needed, and as restricted as possible. Winbox, in this case: you say it is only used from your intranet. So, your firewall should only allow a connection to the Winbox port if originated from your intranet, and destined to your switch internal address.

Be careful: It is easy to lock yourself out while changing firewall rules. Use the safe mode of your Mikrotik - it will save you a world of pain.

Now I am still getting about 5-6 failed login attempts every day (denied winbox/dude connect from x.x.x.x) which is certainly better than hundreds per day. Still, is this normal??

I have a friend who is into vulnerability testing and he said there was a current exploit.
This one: https://www.exploit-db.com/exploits/45578
MicroTik RouterOS < 6.43rc3 - Remote Root
Does anyone know if this has been patched yet???

I am running v6.43.8 ROS and a current winbox client.
Is this exploit blockable somehow?
I am not a router OS guy but do service desktop and laptop computers as I have for 25+ years. I will need clear and thorough explanations.

thanks
If the logins failed, there is no problem. You may want to revisit these policies - but it is up to you and your needs. One advice: use public/private keys, instead of password, to authenticate through SSH.

RoS 6.43RC3 is the third release candidate, before the 6.43 final version. Your device is running 6.43.8 - so, should be safe. Did you upgrade it, before all this? If it was left exposed, with a vulnerable version, it is possible that it got exploited.

In this case (if it did get exploited), do a full export, save certificates and keys, and reinstall from netinstall. I know it is a pain, but if you really suspect the device, it is the only way to be sure. Well, this and nuke it from orbit - but I don't think we are there yet. :D
 
MHzTweaker
just joined
Topic Author
Posts: 6
Joined: Sat Dec 29, 2018 5:17 pm

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 7:36 pm


If the logins failed, there is no problem. You may want to revisit these policies - but it is up to you and your needs. One advice: use public/private keys, instead of password, to authenticate through SSH.

RoS 6.43RC3 is the third release candidate, before the 6.43 final version. Your device is running 6.43.8 - so, should be safe. Did you upgrade it, before all this? If it was left exposed, with a vulnerable version, it is possible that it got exploited.

In this case (if it did get exploited), do a full export, save certificates and keys, and reinstall from netinstall. I know it is a pain, but if you really suspect the device, it is the only way to be sure. Well, this and nuke it from orbit - but I don't think we are there yet. :D
No I started initially with 6.43.7 minutes after I turned the power on the first time. The first thing I did after unboxing this router was upgrade to the latest Router OS on December 7th. On December 26th I upgraded again to the now current 6.43.8 and proceeded to try and lock things down.

I am still unsure whether I need to wipe and netinstall yet since I started with a current ROS.
The doubts in my mind will probably eat at me until I do.
 
mkx
Forum Guru
Posts: 3176
Joined: Thu Mar 03, 2016 10:23 pm

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 10:02 pm

For some time default setup in ROS 6.43.x had no firewall. If one did reset with default setup (or received new unit with factory installed ROS of that version), firewall did not exist. ROS version 6.43.8 fixed this problem.

As default firewall rules seem quite good, it is recommended to perform reset with default config on such units after upgrade. Proper sequence would be as follows:
  1. Upgrade ROS to most recent version
  2. export current config (that's export, not backup!) and copy it off device
  3. perform reset with default config
  4. selectively apply config from saved file
If you really want to be sure your device is not compromised in any way, you might want to perform netinstall regardless.
BR,
Metod
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 11:08 pm

No I started initially with 6.43.7 minutes after I turned the power on the first time. The first thing I did after unboxing this router was upgrade to the latest Router OS on December 7th. On December 26th I upgraded again to the now current 6.43.8 and proceeded to try and lock things down.

I am still unsure whether I need to wipe and netinstall yet since I started with a current ROS.
The doubts in my mind will probably eat at me until I do.
You should be ok, then. Well, you used a good, strong password, right? Do a full export and take a look at it. If there isn't something weird, and if your mikrotik doesn't have some strange behavior, then it's probably ok.

The firewall is closed now, so...
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Has this remote ROOT exploit been patched??

Sun Dec 30, 2018 11:13 pm

For some time default setup in ROS 6.43.x had no firewall. If one did reset with default setup (or received new unit with factory installed ROS of that version), firewall did not exist. ROS version 6.43.8 fixed this problem.
His equipment is a switch - its default config doesn't have firewall rules.
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Has this remote ROOT exploit been patched??

Mon Dec 31, 2018 12:13 am

But you can dual boot to RouterOS on this CRS and this should have default firewall. If not then it would be good idea to add it :)
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Has this remote ROOT exploit been patched??

Mon Dec 31, 2018 1:24 am

But you can dual boot to RouterOS on this CRS and this should have default firewall. If not then it would be good idea to add it :)
Not all devices have firewall enabled by default.

Usually the ones destined to SOHO come with it. The others, don't.
 
MHzTweaker
just joined
Topic Author
Posts: 6
Joined: Sat Dec 29, 2018 5:17 pm

Re: Has this remote ROOT exploit been patched??

Mon Dec 31, 2018 3:07 am

I purchased mine through Amazon
https://www.amazon.com/gp/product/B07C6 ... UTF8&psc=1

I do use my CRS328 for routing and as my primary switch yes.
There were no firewall rules listed until I added some today. Since early this morning I have not had a single denied login attempt after adding the rules. :-)

My original 15 character password was decent, a mixture of names with lots of upper case and numbers.
Since Dec 26th I have gone to a 40 character generated password to authenticate Winbox.
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Has this remote ROOT exploit been patched??

Mon Dec 31, 2018 9:23 am

I am surprised that there was no default firewall. I really thought you removed it :) I am sorry.
And I am happy that you fixed it for your needs.
 
mkx
Forum Guru
Posts: 3176
Joined: Thu Mar 03, 2016 10:23 pm

Re: Has this remote ROOT exploit been patched??

Mon Dec 31, 2018 6:11 pm

But you can dual boot to RouterOS on this CRS and this should have default firewall. If not then it would be good idea to add it :)
Not all devices have firewall enabled by default.

Usually the ones destined to SOHO come with it. The others, don't.
My RBD52G (hAP ac2) as a prime example of a SOHO device did not have FW after I netinstalled it to 6.43.1 and selected default config upon initial connection. 6.43.7 (or somewhere around that) fixed the bug.
You can upgrade/downgrade your own SOHO RB to one of affected ROS versions and check /system default-configuration print (or do reset to default config to make it more obvious).
AFAIK only CCRs are without FW rules by default (but I may be wrong).
BR,
Metod
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Has this remote ROOT exploit been patched??

Mon Dec 31, 2018 11:02 pm

But you can dual boot to RouterOS on this CRS and this should have default firewall. If not then it would be good idea to add it :)
Not all devices have firewall enabled by default.

Usually the ones destined to SOHO come with it. The others, don't.
My RBD52G (hAP ac2) as a prime example of a SOHO device did not have FW after I netinstalled it to 6.43.1 and selected default config upon initial connection. 6.43.7 (or somewhere around that) fixed the bug.
You can upgrade/downgrade your own SOHO RB to one of affected ROS versions and check /system default-configuration print (or do reset to default config to make it more obvious).
AFAIK only CCRs are without FW rules by default (but I may be wrong).
You are. CRS doesn't have it, RB1100AH doesn't either.

https://wiki.mikrotik.com/wiki/Manual:D ... igurations
 
MHzTweaker
just joined
Topic Author
Posts: 6
Joined: Sat Dec 29, 2018 5:17 pm

Re: Has this remote ROOT exploit been patched??

Tue Jan 01, 2019 6:08 pm

Happy new year everyone

The GOOD news....

No failed LOGIN attempts since adding these rules: http://tksja.com/essential-firewall-rules/ 2 days ago.
I have increased my LOG size in case I cannot check the logs for a few days.
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Has this remote ROOT exploit been patched??

Tue Jan 01, 2019 7:55 pm

This is not the best example.
Why those rules open udp port 69 (TFTP)?
Also there is defined address list which won't be used later (the rule is after general drop)...
 
mkx
Forum Guru
Posts: 3176
Joined: Thu Mar 03, 2016 10:23 pm

Re: Has this remote ROOT exploit been patched??

Tue Jan 01, 2019 8:22 pm

Also there is defined address list which won't be used later (the rule is after general drop)...
General drop before drop with address list is not that general ... it drops everything from WAN (assuming ether1 is WAN). That drop with address list will work for rogue users trying to pass router from inside out.
BR,
Metod
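To make both review points concrete (Pea's objection to the UDP/69 accept and mkx's note on where the bogon drop actually fires), here is an added first-match walk over the filter rules from the video script posted earlier in the thread. It is illustration code written for this thread, not RouterOS or MikroTik code; it assumes ether1 is the WAN port and simplifies RouterOS's "port=" (which matches source or destination) to a single port field.

```python
"""Added example: first-match walk over the video script's filter rules.
Illustration only, not MikroTik code. Assumes ether1 is the WAN port."""
import ipaddress

BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24", "224.0.0.0/4")]

# Rules in script order; a missing key matches anything, as in RouterOS.
FORWARD = [
    {"connection_state": {"established", "related"}, "action": "accept"},
    {"connection_state": {"invalid"}, "action": "drop"},
    {"protocol": "udp", "port": 69, "action": "accept", "name": "tftp"},
    {"connection_state": {"new"}, "in_interface": "ether1",
     "nat_state": "!dstnat", "action": "drop", "name": "drop WAN not dstnat"},
    {"dst_list": BOGONS, "action": "drop", "name": "drop to bogon"},
]
INPUT = [
    {"protocol": "udp", "port": 69, "action": "accept", "name": "tftp"},
    {"protocol": "icmp", "action": "accept"},
    {"connection_state": {"established"}, "action": "accept"},
    {"connection_state": {"related"}, "action": "accept"},
    {"in_interface": "ether1", "action": "drop", "name": "drop WAN input"},
]


def _matches(rule, pkt):
    """True when every matcher present in the rule fits the packet."""
    if "connection_state" in rule and pkt["state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "port" in rule and pkt.get("port") != rule["port"]:
        return False
    if "in_interface" in rule and pkt["in_if"] != rule["in_interface"]:
        return False
    if rule.get("nat_state") == "!dstnat" and pkt.get("dstnat", False):
        return False
    if "dst_list" in rule and not any(
            ipaddress.ip_address(pkt["dst"]) in n for n in rule["dst_list"]):
        return False
    return True


def verdict(chain, pkt):
    """(action, rule name) of the first matching rule; RouterOS accepts
    a packet that reaches the end of a chain without matching."""
    for i, rule in enumerate(chain):
        if _matches(rule, pkt):
            return rule["action"], rule.get("name", f"rule {i}")
    return "accept", "chain default"


if __name__ == "__main__":
    wan = {"in_if": "ether1", "state": "new", "proto": "udp", "port": 69,
           "dst": "192.168.0.1"}
    lan = {"in_if": "ether2", "state": "new", "proto": "tcp", "port": 443,
           "dst": "10.1.2.3"}
    print(verdict(INPUT, wan))                      # TFTP from WAN: accepted
    print(verdict(INPUT, dict(wan, proto="tcp", port=8291)))  # winbox: drop
    print(verdict(FORWARD, lan))                    # LAN -> bogon: bogon rule
    print(verdict(FORWARD, dict(wan, dst="10.1.2.3")))  # WAN -> bogon: WAN rule
```

The last two calls show mkx's point: the bogon rule never sees new WAN traffic because the "drop all from WAN not DSTNATed" rule matches first, so it only takes effect for hosts on the LAN side reaching out to bogon space.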
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Has this remote ROOT exploit been patched??

Wed Jan 02, 2019 12:25 am

Yes but this is likely not going to happen for home use :) Therefore it is IMHO useless at the end.
