Community discussions

 
User avatar
jprietove
Trainer
Trainer
Topic Author
Posts: 88
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain
Contact:

Security issue when Winbox exposed

Thu Feb 21, 2019 5:25 pm

There seems to be an issue that allows bypass firewall and nat if winbox is exposed.
Please read this carefully

https://medium.com/tenable-techblog/mik ... d46398bf24

Enviado desde mi Redmi 3 mediante Tapatalk

 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:37 pm

I think you missed the red herring and flaw in the whole article..........
"One important thing about this setup is that I opened port 8291 in the router’s firewall to allow Winbox access from the WAN. By default, Winbox is only available on the MikroTik hAP via the LAN. Don’t worry, I’m just simulating real world configurations."

a. who keeps 8291 as the winbox port
b. who allows winbox open to the internet
Last edited by anav on Thu Feb 21, 2019 5:42 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
jprietove
Trainer
Trainer
Topic Author
Posts: 88
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain
Contact:

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:39 pm

No, I haven't missed it: look at the title I have choosen.
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:46 pm

This, from surface reading the article, seems very serious. There should be full support and expected behavior for allowing Winbox to the world if it is password protected. I think a look from someone at MikroTik is appropriate.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5909
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:46 pm

Fixed in 6.42.12, 6.43.12 and 6.44
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:51 pm

Fixed in 6.42.12, 6.43.12 and 6.44

Thank you, I was about to ask because I saw 6.42.1 used in the video. So, fixed 9 days ago. I see the line item: *) winbox - improvements in connection handling to router with open winbox service; I would not have caught that as being this serious.
 
r00t
Member Candidate
Member Candidate
Posts: 156
Joined: Tue Nov 28, 2017 2:14 am

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 6:00 pm

This shows that current winbox authentication code is flawed. Winbox server should not accept any commands until you log in with valid user and password.
Checking if user is logged in for every function call is not a good practice, it needs to be fixed globally. User must authenticate itself before any other code is even accessible.
Also this is some dude extension that's not even used in normal winbox. One might wonder how many similar "gems" are still hidden in the code...
 
R1CH
Forum Veteran
Forum Veteran
Posts: 879
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 6:52 pm

Why is this not mentioned as high severity security bug in changelog? Why no mention on security blog? Come on Mikrotik...
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:15 pm

Geez, I didn't know this forum was a nursery, I have never heard such whining.
If you proper follow security protocols these are not issues that a serious IT admin is going to lose his bowels over.
I do agree that its best to be transparent and I will await response and some facts from MT before passing any judgement on that front.
Until then, all this rhetoric does is feed trolls --- don't become one ...............
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1665
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:18 pm

If it's fixed in .12 means you (@Mikrotik) knew about it for a while now. And you didn't warn your customers? What's the point of security blog if you don't use it (last update: 9th Oct, 2018)?

REALLY disappointed
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:32 pm

Wow Sebastia, are you going to lose sleep over it. Has it changed your life drastically, need some depression medication.........................
All kidding aside, as I said, there is no security issue per se, but the transparency and communication piece have yet to be explored and explained by MT.
I will wait for their feedback before passing judgement.

I can send you nekkid pictures of myself running in the snow if it will cheer you up! ;-)
(oops not quite, I will be wearing socks)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:35 pm

@anav
Until then, all this rhetoric does is feed trolls --- don't become one ...............
There is no troll feeding. @mrz admitted it was fixed so it is confirmed issue. (if there is not and issue, there wouldn't need to be a fix, right?)
Page with CVE contains timeline which shows how fast it was handled.
Please, do not take this situation lightly anav. You can do better. :(

Ps: it's 5am here.. Your pic won't make my day, no matter how much clothing you have. Good coffee and brekky will... Send those instead.
 
mkx
Forum Guru
Forum Guru
Posts: 2573
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 9:38 pm

Regarding disclosure of full details: I don't think that's necessary nor wise. Or at least not immediately after fix is published. It takes some time for people to install new version and if exploit is not running wild it might be better to stay low profile not to attract attention of some hackers not knowing the vulnerability yet.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 9:43 pm

MKX, damn that sounds plausible!
Since all the other security issues have been on the street for months some years and the corrective actions such as closing down crappy configs, using netinstall to upload the latest firmware should be in the forefront of any reader................. The issue should be covered and issuing another warning to do the same thing (upgrade firmware config properly etc) would not change an iota for people who have not paid attention but would alert badguys to another available tool??? Not bad tactical thinking. In any case ..... speculation.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
msatter
Forum Guru
Forum Guru
Posts: 1159
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 10:17 pm

Would I see the day that Mikrotik just states current, minimal RouterOS version is x.xx in plain sight for us!?!?

We have now a security blog which not telling anything about this even not the current minimal version.

Excellent that it was fixed that fast however we are left in the dark.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 11:14 pm

@mkx: I don't think full detail disclosure is necessary. I even agree that it is not wise. (however that is what actually happened) All I ask, is having correct info in changelog which will at least give me info that it might be good to upgrade the router for security reasons. Given current situation with "stable" being sometime pretty unstable, I can't really update every time there is an "improvement in connection handling". (I hate to admit it, but I actually love this play with words.. "improvement" yeaaaah :lol: )

Current misleading changelog:
What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router with open winbox service;

Appropriate changelog (partially inspired by 6.42.1 and 6.42.7 which both fixed similar vulnerabilities):
MAJOR CHANGES IN v6.43.12:
----------------------
!) winbox - fixed vulnerability that allowed to gain limited access to an unsecured router; (Details will be published in 90 days)
----------------------
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:31 am

I see where you are coming from, so I fixed it for ya.................

What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router for morons that do not secure their winbox properly or upgrade their firmware; :-) :-)



Appropriate changelog (partially inspired by 6.42.1 and 6.42.7 which both fixed similar vulnerabilities):
MAJOR CHANGES IN v6.43.12:
----------------------
!) winbox - fixed vulnerability that allowed to gain limited access to an unsecured router; (Details will be published in 90 days),
! winbox - added capability to bitcoin mine any devices behind an improperly secured router in order to pay for the aforementioned fixes ;-) ;-)
----------------------
Last edited by anav on Fri Feb 22, 2019 6:07 am, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Forum Guru
Posts: 4365
Joined: Mon Apr 20, 2009 9:11 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:58 am

(I hate to admit it, but I actually love this play with words.. "improvement" yeaaaah :lol: )
Software with fixed bug is better than software without fixed bug, you can't say that it's not an improvement, that description is 100% true. And MikroTik's approach to releasing details is well-thought strategy, carefully crafted to avoid both spreading unnecessary panic among users and tipping off the bad guys at the same time. It's all nice and smooth, "improvement" sounds interesting to users, but not too interesting to bad guys. If they'd use "vulnerability", it scares users and attracts bad guys. Although it's not yet clear how it will work in long term, it's possible that RouterOS users could eventually become terrified by word "improvement". :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 879
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:06 am

I see where you are coming from, so I fixed it for ya.................


Please try to keep in mind some of us run networks where we can't just take down the router for every RouterOS release. This was clearly not labelled as a security fix, so I personally did not consider it a priority to deploy during a maintenance window. And this vulnerability applies equally to LAN or WAN - users inside the network can proxy through winbox to different network segments, potentially accessing management LANs and devices that should be totally restricted.

Now I had to interrupt the network outside of maintenance hours to get this fix applied.
 
msatter
Forum Guru
Forum Guru
Posts: 1159
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:21 am

State minimal safe RouterOS and let the bad boys guess what vulnerability is. Agree with the ones bringing the 'problem' under attention of Mikrotik to have a delay of 30 days after patching, before going public so that users can upgrade in that time. To me Tenable went public to soon.

If Mikrotik takes more than 60 days to patch then the 90 days is still a hard limit.

It is not important how Mikrotik looks in public but that the buyers/users of their devices, can trust in Mikrotik that they are kept up-to-date despite being kept in the dark about what exactly is the vulnerability.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1665
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:24 am

Software with fixed bug is better than software without fixed bug, you can't say that it's not an improvement, that description is 100% true. And MikroTik's approach to releasing details is well-thought strategy, carefully crafted to avoid both spreading unnecessary panic among users and tipping off the bad guys at the same time. It's all nice and smooth, "improvement" sounds interesting to users, but not too interesting to bad guys. If they'd use "vulnerability", it scares users and attracts bad guys. Although it's not yet clear how it will work in long term, it's possible that RouterOS users could eventually become terrified by word "improvement". :)
I disagree with how you frame this release notes (it's a GOOD thing that we don't know that there is a security hole in production systems!), and in bigger picture lack of transparency, especially for security sensitive components: routers.
If you look at any recent (last few years) release notes from major manufacturers, security fixes are clearly labelled as such.

Didn't you hear about the "security by obscurity..." and it not working / back firing thing? This manner of thinking was probably the reason for news explosion last year ...

What I've learned from project management: by not properly addressing an issue, you make it worse.
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:38 am

@msatter
To me Tenable went public to soon.
Absolutely agree, however, I wonder why would they do it... This is pure hypothesis: Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided to inform users with full disclosure. If that is the case, I bet Mikrotik will not dare to do the same next time.
Fact is, that without Tenable's post, people would not be aware of this vulnerability and many of them might not upgrade until another significant security patch come...

@Sob
you can't say that it's not an improvement, that description is 100% true
That's why I love the choice of words... It is true, yet very misleading.
I strongly disagree with the rest of your thoughts. Mikrotik clearly identified fixed vulnerabilities in the past. There is no excuse for not doing it this time.
users could eventually become terrified by word "improvement".
Can't talk for others but I will be very cautious.

@anav
I see where you are coming from, so I fixed it for ya.................
Not cool mate. Not cool. If you meant it as a joke, couple of smileys would be appreciated. I am up since 4am so my sense of humor might be affected a bit for today.
 
czb123
just joined
Posts: 3
Joined: Tue Jun 26, 2018 8:59 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 3:52 am

... I just finished reading and I am speechless...

@op: thanks for sharing

@mikrotik: seriously gents? This is not "improvements in connection handling to router with open winbox service" . This is another severe vulnerability! I don't actually mind that there was a vulnerability - stuff happens. What makes me angry is the fact that it was not disclosed and the changelog contains deliberate lie.
Agree. Changelog should reflect the fact that this is a security fix rather claiming it's some sort of "improvement"
 
mt99
just joined
Posts: 24
Joined: Wed Jan 03, 2018 6:07 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:38 am

Agree. Changelog should reflect the fact that this is a security fix rather claiming it's some sort of "improvement"
pe1chl called this in post #2 of the 6.43.12 thread so nice catch by him. It's a shame but people who want to get a heads up on recently disclosed RouterOS vulnerabilities can't reliably get that here. You'd be much better off going to the NetSec subReddit for example, where they've quickly posted all the recent stuff the Tenable guy's been up to. Even though it'll probably mean many more security patches are coming, I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1717
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 8:23 am

That was a bit of a dick move, to publish it just days after release of the version with the patch.
if that would happen closer to 90 day limit
1) we would have time to test releases internally and apply them in safe manner
2) 6.44 (stable) would be released, many of us would jump to it because of new features
3) most "attackers" wouldn't be working on a exploit right now.
4) changelog entry used by MikroTik would make much more sense

vulnerability was there for long time , 90 extra days wouldn't change much, but the fact that information was published on how to use it - does change a lot.
Or did that guy rushed to get that $100,000 bounty?
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24048
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 8:59 am

No answer to your question? How to write posts
 
whatever
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Thu Jun 21, 2018 9:29 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 9:26 am

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1231
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:33 pm

Some interesting facts about who tries to enter port 8291.
This screenshot is from out work with 256 public IP and list over what blocked port are accessed from were.

First picture show that 8291 does top the list over accessed blocked ports.
8291-1.jpg
Next picture is even more interesting. 99% av all access on port 8291 comes from Iran.
It has been like this for month.
8291-2.jpg
You do not have the required permissions to view the files attached to this post.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24048
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:40 pm

Often times, attackers purchase computing power from various sources and issue command to attack some port. The computing power sometimes comes from infected computers that are used as botnets. So these IP addresses and source of countries - not reliable info.
No answer to your question? How to write posts
 
msatter
Forum Guru
Forum Guru
Posts: 1159
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:20 pm

I understand that Mikrotik wants to speak in a positive way about this but why include the in bold words?

Tenable had previously contacted MikroTik about this issue, so a fix has already been released on February 11, 2019 in all RouterOS release channels.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24048
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:23 pm

Because the most common question is, when you will fix this. It's already fixed.
No answer to your question? How to write posts
 
msatter
Forum Guru
Forum Guru
Posts: 1159
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:30 pm

@msatter
To me Tenable went public to soon.
Absolutely agree, however, I wonder why would they do it... This is pure hypothesis: Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided to inform users with full disclosure. If that is the case, I bet Mikrotik will not dare to do the same next time.
Fact is, that without Tenable's post, people would not be aware of this vulnerability and many of them might not upgrade until another significant security patch come...
I assuming that Tenable is also interested in that a vulnarbility is patched and implemented and patched and no one is using the updated version. Is not a game who can piss the longest distance and Tenable and Mikrotik have to trust each other in this.

Mikrotik should have a interest that patches are used before disclosure and scare theshit out of users reading that they are vulnerable on third party sites.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
msatter
Forum Guru
Forum Guru
Posts: 1159
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:31 pm

Because the most common question is, when you will fix this. It's already fixed.
So it was already fixed before Tenable contacted Mikrotik?

I just noticed that my Dect phone was blinking red and it was the Mikrotik RSS feed that was updated about this. I still urge to state minimal safe patch level to the users for know vulnerabilities with Mikrotik.

Example: Current minimal advised RouterOS version: 6.xx.xx 6.xx.ss and 6.xx.xx

It does not states what is patched, and what the vulnerability is. This coordinated with the one that is going to do the disclosure.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24048
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:59 pm

It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.
No answer to your question? How to write posts
 
msatter
Forum Guru
Forum Guru
Posts: 1159
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:32 pm

It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.
That is not a direct answer to my question however a indirect one, like this will do. :-)
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
Deantwo
Member Candidate
Member Candidate
Posts: 289
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:36 pm

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure.
With the WinBox service exploit we were told that an address whitelist on the service was enough to block anything bad. I am HOPING this is true for this exploit too, but I don't see anyone mentioning it.

Would something simple like this prevent the exploit?
/ip service
set winbox address=a.b.c.d/32
That is how I have been protecting my WinBox service port since the whole major exploit last year.

@normis
Would love if that information was actually given in the blog post too, so we knew if we were vulnerable or not.
Last edited by Deantwo on Fri Feb 22, 2019 2:53 pm, edited 3 times in total.
I wish my FTP was FTL.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24048
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:40 pm

Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.
No answer to your question? How to write posts
 
User avatar
Deantwo
Member Candidate
Member Candidate
Posts: 289
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:43 pm

Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.
That is wonderful news, first good news I hear all day.
Can that please be added to the blog post maybe? I am sure more people will want to know this.
I wish my FTP was FTL.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 879
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 3:25 pm

I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and then sell them to governments and intelligence agencies to compromise foreign networks, spy on people, etc. They definitely aren't reporting them to Mikrotik to be fixed!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24048
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 3:38 pm

We can only thank good people like the Tenable guys, who report to us first.
No answer to your question? How to write posts
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 4:09 pm

We can only thank good people like the Tenable guys, who report to us first.

+1
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:14 pm

If I was a coder at MT, I would be royally pissed, imagine if someone reaches down your pants and plays with your personal work! ;-)
I mean, they must be impressed how someone deflowers their work and finds ways to twist it for evil purposes.
I hope the programmers are inspired to include cyber defense in their protocols and processes.
Each code block should have passed some level of scrutiny, can this be hacked, how can it be hacked how do we prevent it, etc.....
I am much more interested in the improvement process in response to such events. :-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
r00t
Member Candidate
Member Candidate
Posts: 156
Joined: Tue Nov 28, 2017 2:14 am

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:17 pm

I think if Mikrotik had bounties for exploits, it would be much better. If you don't want to offer money, maybe you could offer free devices as prices?
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:20 pm

Haha, yes, well I am still waiting for Normis to sell his red car and buy me tickets to Latvia. I have heard its beautiful country with friendly people but then again we are awash in fake news.
The problem is to convince him that I have any hacking skills worth utilizing. At best I can test physical security, aka plastic box vs hammer!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
R1CH
Forum Veteran
Forum Veteran
Posts: 879
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 9:23 pm

Unicode in the updated changelog, which winbox can't handle.

Image
 
anav
Forum Guru
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 9:33 pm

I see where you are coming from, so I fixed it for ya.................

What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router for morons that do not secure their winbox properly or upgrade their firmware; :-) :-)


Appropriate changelog (partially inspired by 6.42.1 and 6.42.7 which both fixed similar vulnerabilities):

MAJOR CHANGES IN v6.43.12:
----------------------
!) winbox - fixed vulnerability that allowed to gain limited access to an unsecured router; (Details will be published in 90 days),
! winbox - added capability to bitcoin mine any devices behind an improperly secured router in order to pay for the aforementioned fixes ;-) ;-)
----------------------
..

@Normis - Using my fixed text as inspiration and after reading this post.........
viewtopic.php?f=13&t=145643
I think we are going to see a new generation of stupid.

Please post on the user guide and help Wizards for the app.

(optional: APPS are for use by experienced admins only - not kids (pretend admins)

If you wish to use this Beta and decide to connect directly to your WAN by changing RB firewall rules, please do not call or email MT for support and please do not bother the real admins at MT forums with indignation and upset that your RB has been hacked. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mt99
just joined
Posts: 24
Joined: Wed Jan 03, 2018 6:07 pm

Re: Security issue when Winbox exposed

Sat Feb 23, 2019 3:55 am

I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and then sell them to governments and intelligence agencies to compromise foreign networks, spy on people, etc. They definitely aren't reporting them to Mikrotik to be fixed!
On that we agree, and I didn't mean to make it sound like Zerodium (or other 0day aggregators like them) provides *anything* for free to anyone. My hope is that this news gives Mikrotik the incentive to discover the vulnerabilities and provide full disclosure, either by themselves or through 3rd party audits of the source code. I hope this is happening and that Mikrotik doesn't just expect white hats to do the work. If it hadn't been clear to Mikrotik that they are a target, it's news like this that should make it crystal.
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Sat Feb 23, 2019 12:18 pm

It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.
The first sentence is irrelevant truth and the second one is like a slap in everyone's face.
- Users were given just 10 days (respectively 14 days for stable branch) which is ridiculously short notice.
- There was not a single word indicating, that the improvement is security related.

I dont know, whether you personally agree or disagree with the approach choosen by your company, but is it really necessary to make things worse by this whole denial policy? One day, it will bite you guys back and that will be very sad day for everyone :(
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1231
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security issue when Winbox exposed

Sun Feb 24, 2019 10:12 am

@vecernik87

I do agree with you that this is a very short notice, It may be that they did not have a choice to wait.
But an other ting is not posting the changes. Why do we need release notes at all when not all changes are posted??
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
Deantwo
Member Candidate
Member Candidate
Posts: 289
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 2:57 pm

Unless I am mistaken, this vulnerability is a lot less dangerous as long as your internal network isn't public knowledge. The attack shown in the article is an example that only works because he knows the LAN IP address of the vulnerable server and the type of server before doing the attack.

I am not saying that it isn't possible to scan an entire network with this vulnerability, but we are talking about probing each possible IP addresses behind the router and then probing each successful hit for what that server might be to see if it is vulnerable.

Not saying people shouldn't upgrade or secure their router better. At the very least set a IP whitelist on your winbox service, and upgrade as soon as possible.
But we haven't yet heard of any large scale attacks using this vulnerability.
I wish my FTP was FTL.

Who is online

Users browsing this forum: Bing [Bot] and 61 guests