jprietove
Trainer
Topic Author
Posts: 212
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Security issue when Winbox exposed

Thu Feb 21, 2019 5:25 pm

There seems to be an issue that allows bypassing the firewall and NAT if Winbox is exposed.
Please read this carefully

https://medium.com/tenable-techblog/mik ... d46398bf24

Sent from my Redmi 3 using Tapatalk

 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:37 pm

I think you missed the red herring and flaw in the whole article..........
"One important thing about this setup is that I opened port 8291 in the router’s firewall to allow Winbox access from the WAN. By default, Winbox is only available on the MikroTik hAP via the LAN. Don’t worry, I’m just simulating real world configurations."

a. who keeps 8291 as the winbox port
b. who allows winbox open to the internet
Last edited by anav on Thu Feb 21, 2019 5:42 pm, edited 1 time in total.
 
jprietove
Trainer
Topic Author
Posts: 212
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:39 pm

No, I haven't missed it: look at the title I have chosen.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:46 pm

This, from surface reading the article, seems very serious. There should be full support and expected behavior for allowing Winbox to the world if it is password protected. I think a look from someone at MikroTik is appropriate.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:46 pm

Fixed in 6.42.12, 6.43.12 and 6.44
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 5:51 pm

> Fixed in 6.42.12, 6.43.12 and 6.44

Thank you, I was about to ask because I saw 6.42.1 used in the video. So, fixed 9 days ago. I see the line item: *) winbox - improvements in connection handling to router with open winbox service; I would not have caught that as being this serious.
 
r00t
Long time Member
Posts: 674
Joined: Tue Nov 28, 2017 2:14 am

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 6:00 pm

This shows that current winbox authentication code is flawed. Winbox server should not accept any commands until you log in with valid user and password.
Checking if user is logged in for every function call is not a good practice, it needs to be fixed globally. User must authenticate itself before any other code is even accessible.
Also this is some dude extension that's not even used in normal winbox. One might wonder how many similar "gems" are still hidden in the code...
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 6:52 pm

Why is this not mentioned as high severity security bug in changelog? Why no mention on security blog? Come on Mikrotik...
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:15 pm

Geez, I didn't know this forum was a nursery, I have never heard such whining.
If you properly follow security protocols these are not issues that a serious IT admin is going to lose his bowels over.
I do agree that it's best to be transparent and I will await response and some facts from MT before passing any judgement on that front.
Until then, all this rhetoric does is feed trolls --- don't become one ...............
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:18 pm

If it's fixed in .12 means you (@Mikrotik) knew about it for a while now. And you didn't warn your customers? What's the point of security blog if you don't use it (last update: 9th Oct, 2018)?

REALLY disappointed
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:32 pm

Wow Sebastia, are you going to lose sleep over it. Has it changed your life drastically, need some depression medication.........................
All kidding aside, as I said, there is no security issue per se, but the transparency and communication piece have yet to be explored and explained by MT.
I will wait for their feedback before passing judgement.

I can send you nekkid pictures of myself running in the snow if it will cheer you up! ;-)
(oops not quite, I will be wearing socks)
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 8:35 pm

@anav
> Until then, all this rhetoric does is feed trolls --- don't become one ...............

There is no troll feeding. @mrz admitted it was fixed so it is a confirmed issue. (If there is not an issue, there wouldn't need to be a fix, right?)
Page with CVE contains timeline which shows how fast it was handled.
Please, do not take this situation lightly anav. You can do better. :(

Ps: it's 5am here.. Your pic won't make my day, no matter how much clothing you have. Good coffee and brekky will... Send those instead.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 9:38 pm

Regarding disclosure of full details: I don't think that's necessary nor wise. Or at least not immediately after fix is published. It takes some time for people to install new version and if exploit is not running wild it might be better to stay low profile not to attract attention of some hackers not knowing the vulnerability yet.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 9:43 pm

MKX, damn that sounds plausible!
Since all the other security issues have been on the street for months some years and the corrective actions such as closing down crappy configs, using netinstall to upload the latest firmware should be in the forefront of any reader................. The issue should be covered and issuing another warning to do the same thing (upgrade firmware config properly etc) would not change an iota for people who have not paid attention but would alert badguys to another available tool??? Not bad tactical thinking. In any case ..... speculation.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 10:17 pm

Would I see the day that Mikrotik just states current, minimal RouterOS version is x.xx in plain sight for us!?!?

We now have a security blog which is not telling anything about this, not even the current minimal version.

Excellent that it was fixed that fast however we are left in the dark.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Thu Feb 21, 2019 11:14 pm

@mkx: I don't think full detail disclosure is necessary. I even agree that it is not wise. (however that is what actually happened) All I ask, is having correct info in changelog which will at least give me info that it might be good to upgrade the router for security reasons. Given current situation with "stable" being sometime pretty unstable, I can't really update every time there is an "improvement in connection handling". (I hate to admit it, but I actually love this play with words.. "improvement" yeaaaah :lol: )

Current misleading changelog:
What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router with open winbox service;

Appropriate changelog (partially inspired by 6.42.1 and 6.42.7 which both fixed similar vulnerabilities):
MAJOR CHANGES IN v6.43.12:
----------------------
!) winbox - fixed vulnerability that allowed to gain limited access to an unsecured router; (Details will be published in 90 days)
----------------------
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:31 am

I see where you are coming from, so I fixed it for ya.................

What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router for morons that do not secure their winbox properly or upgrade their firmware; :-) :-)



Appropriate changelog (partially inspired by 6.42.1 and 6.42.7 which both fixed similar vulnerabilities):
MAJOR CHANGES IN v6.43.12:
----------------------
!) winbox - fixed vulnerability that allowed to gain limited access to an unsecured router; (Details will be published in 90 days),
! winbox - added capability to bitcoin mine any devices behind an improperly secured router in order to pay for the aforementioned fixes ;-) ;-)
----------------------
Last edited by anav on Fri Feb 22, 2019 6:07 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:58 am

> (I hate to admit it, but I actually love this play with words.. "improvement" yeaaaah :lol: )

Software with fixed bug is better than software without fixed bug, you can't say that it's not an improvement, that description is 100% true. And MikroTik's approach to releasing details is well-thought strategy, carefully crafted to avoid both spreading unnecessary panic among users and tipping off the bad guys at the same time. It's all nice and smooth, "improvement" sounds interesting to users, but not too interesting to bad guys. If they'd use "vulnerability", it scares users and attracts bad guys. Although it's not yet clear how it will work in long term, it's possible that RouterOS users could eventually become terrified by word "improvement". :)
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:06 am

> I see where you are coming from, so I fixed it for ya.................


Please try to keep in mind some of us run networks where we can't just take down the router for every RouterOS release. This was clearly not labelled as a security fix, so I personally did not consider it a priority to deploy during a maintenance window. And this vulnerability applies equally to LAN or WAN - users inside the network can proxy through winbox to different network segments, potentially accessing management LANs and devices that should be totally restricted.

Now I had to interrupt the network outside of maintenance hours to get this fix applied.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:21 am

State minimal safe RouterOS and let the bad boys guess what vulnerability is. Agree with the ones bringing the 'problem' under attention of Mikrotik to have a delay of 30 days after patching, before going public so that users can upgrade in that time. To me Tenable went public too soon.

If Mikrotik takes more than 60 days to patch then the 90 days is still a hard limit.

It is not important how Mikrotik looks in public but that the buyers/users of their devices, can trust in Mikrotik that they are kept up-to-date despite being kept in the dark about what exactly is the vulnerability.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:24 am

> Software with fixed bug is better than software without fixed bug, you can't say that it's not an improvement, that description is 100% true. And MikroTik's approach to releasing details is well-thought strategy, carefully crafted to avoid both spreading unnecessary panic among users and tipping off the bad guys at the same time. It's all nice and smooth, "improvement" sounds interesting to users, but not too interesting to bad guys. If they'd use "vulnerability", it scares users and attracts bad guys. Although it's not yet clear how it will work in long term, it's possible that RouterOS users could eventually become terrified by word "improvement". :)

I disagree with how you frame this release notes (it's a GOOD thing that we don't know that there is a security hole in production systems!), and in bigger picture lack of transparency, especially for security sensitive components: routers.
If you look at any recent (last few years) release notes from major manufacturers, security fixes are clearly labelled as such.

Didn't you hear about the "security by obscurity..." and it not working / backfiring thing? This manner of thinking was probably the reason for news explosion last year ...

What I've learned from project management: by not properly addressing an issue, you make it worse.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:38 am

@msatter
> To me Tenable went public too soon.

Absolutely agree, however, I wonder why would they do it... This is pure hypothesis: Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided to inform users with full disclosure. If that is the case, I bet Mikrotik will not dare to do the same next time.
Fact is, that without Tenable's post, people would not be aware of this vulnerability and many of them might not upgrade until another significant security patch comes...

@Sob
> you can't say that it's not an improvement, that description is 100% true

That's why I love the choice of words... It is true, yet very misleading.
I strongly disagree with the rest of your thoughts. Mikrotik clearly identified fixed vulnerabilities in the past. There is no excuse for not doing it this time.

> users could eventually become terrified by word "improvement".

Can't talk for others but I will be very cautious.

@anav
> I see where you are coming from, so I fixed it for ya.................

Not cool mate. Not cool. If you meant it as a joke, couple of smileys would be appreciated. I am up since 4am so my sense of humor might be affected a bit for today.
 
czb123
just joined
Posts: 3
Joined: Tue Jun 26, 2018 8:59 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 3:52 am

... I just finished reading and I am speechless...

@op: thanks for sharing

@mikrotik: seriously gents? This is not "improvements in connection handling to router with open winbox service" . This is another severe vulnerability! I don't actually mind that there was a vulnerability - stuff happens. What makes me angry is the fact that it was not disclosed and the changelog contains deliberate lie.
Agree. Changelog should reflect the fact that this is a security fix rather than claiming it's some sort of "improvement"
 
mt99
newbie
Posts: 44
Joined: Wed Jan 03, 2018 6:07 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:38 am

> Agree. Changelog should reflect the fact that this is a security fix rather than claiming it's some sort of "improvement"

pe1chl called this in post #2 of the 6.43.12 thread so nice catch by him. It's a shame but people who want to get a heads up on recently disclosed RouterOS vulnerabilities can't reliably get that here. You'd be much better off going to the NetSec subReddit for example, where they've quickly posted all the recent stuff the Tenable guy's been up to. Even though it'll probably mean many more security patches are coming, I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 8:23 am

That was a bit of a dick move, to publish it just days after release of the version with the patch.
if that would happen closer to 90 day limit
1) we would have time to test releases internally and apply them in safe manner
2) 6.44 (stable) would be released, many of us would jump to it because of new features
3) most "attackers" wouldn't be working on an exploit right now.
4) changelog entry used by MikroTik would make much more sense

vulnerability was there for a long time, 90 extra days wouldn't change much, but the fact that information was published on how to use it - does change a lot.
Or did that guy rush to get that $100,000 bounty?
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 8:59 am

 
whatever
Member
Posts: 353
Joined: Thu Jun 21, 2018 9:29 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 9:26 am

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure.
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:33 pm

Some interesting facts about who tries to enter port 8291.
This screenshot is from our work with 256 public IP and list over what blocked port are accessed from where.

First picture show that 8291 does top the list over accessed blocked ports.
[Attachment: 8291-1.jpg]
Next picture is even more interesting. 99% of all access on port 8291 comes from Iran.
It has been like this for month.
[Attachment: 8291-2.jpg]
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 12:40 pm

Often times, attackers purchase computing power from various sources and issue command to attack some port. The computing power sometimes comes from infected computers that are used as botnets. So these IP addresses and source of countries - not reliable info.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:20 pm

I understand that Mikrotik wants to speak in a positive way about this but why include the in bold words?

> Tenable had previously contacted MikroTik about this issue, so a fix has already been released on February 11, 2019 in all RouterOS release channels.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:23 pm

Because the most common question is, when you will fix this. It's already fixed.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:30 pm

> @msatter
> > To me Tenable went public too soon.
>
> Absolutely agree, however, I wonder why would they do it... This is pure hypothesis: Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided to inform users with full disclosure. If that is the case, I bet Mikrotik will not dare to do the same next time.
> Fact is, that without Tenable's post, people would not be aware of this vulnerability and many of them might not upgrade until another significant security patch comes...

I am assuming that Tenable is also interested in that a vulnerability is patched and implemented and patched and no one is using the updated version. Is not a game who can piss the longest distance and Tenable and Mikrotik have to trust each other in this.

Mikrotik should have an interest that patches are used before disclosure and scare the shit out of users reading that they are vulnerable on third party sites.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:31 pm

> Because the most common question is, when you will fix this. It's already fixed.

So it was already fixed before Tenable contacted Mikrotik?

I just noticed that my Dect phone was blinking red and it was the Mikrotik RSS feed that was updated about this. I still urge to state minimal safe patch level to the users for known vulnerabilities with Mikrotik.

Example: Current minimal advised RouterOS version: 6.xx.xx 6.xx.ss and 6.xx.xx

It does not state what is patched, and what the vulnerability is. This coordinated with the one that is going to do the disclosure.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 1:59 pm

It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:32 pm

> It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.

That is not a direct answer to my question however an indirect one, like this will do. :-)
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:36 pm

> Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure.

With the WinBox service exploit we were told that an address whitelist on the service was enough to block anything bad. I am HOPING this is true for this exploit too, but I don't see anyone mentioning it.

Would something simple like this prevent the exploit?
/ip service
set winbox address=a.b.c.d/32
That is how I have been protecting my WinBox service port since the whole major exploit last year.

@normis
Would love if that information was actually given in the blog post too, so we knew if we were vulnerable or not.
Last edited by Deantwo on Fri Feb 22, 2019 2:53 pm, edited 3 times in total.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:40 pm

Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 2:43 pm

> Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.

That is wonderful news, first good news I hear all day.
Can that please be added to the blog post maybe? I am sure more people will want to know this.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 3:25 pm

> I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!

Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and then sell them to governments and intelligence agencies to compromise foreign networks, spy on people, etc. They definitely aren't reporting them to Mikrotik to be fixed!
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 3:38 pm

We can only thank good people like the Tenable guys, who report to us first.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 4:09 pm

> We can only thank good people like the Tenable guys, who report to us first.

+1
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:14 pm

If I was a coder at MT, I would be royally pissed, imagine if someone reaches down your pants and plays with your personal work! ;-)
I mean, they must be impressed how someone deflowers their work and finds ways to twist it for evil purposes.
I hope the programmers are inspired to include cyber defense in their protocols and processes.
Each code block should have passed some level of scrutiny, can this be hacked, how can it be hacked how do we prevent it, etc.....
I am much more interested in the improvement process in response to such events. :-)
 
r00t
Long time Member
Posts: 674
Joined: Tue Nov 28, 2017 2:14 am

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:17 pm

I think if Mikrotik had bounties for exploits, it would be much better. If you don't want to offer money, maybe you could offer free devices as prizes?
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 5:20 pm

Haha, yes, well I am still waiting for Normis to sell his red car and buy me tickets to Latvia. I have heard it's a beautiful country with friendly people but then again we are awash in fake news.
The problem is to convince him that I have any hacking skills worth utilizing. At best I can test physical security, aka plastic box vs hammer!
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 9:23 pm

Unicode in the updated changelog, which winbox can't handle.

Image
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Fri Feb 22, 2019 9:33 pm

> I see where you are coming from, so I fixed it for ya.................
>
> What's new in 6.43.12 (2019-Feb-08 11:46):
>
> *) winbox - improvements in connection handling to router for morons that do not secure their winbox properly or upgrade their firmware; :-) :-)
>
> Appropriate changelog (partially inspired by 6.42.1 and 6.42.7 which both fixed similar vulnerabilities):
>
> MAJOR CHANGES IN v6.43.12:
> ----------------------
> !) winbox - fixed vulnerability that allowed to gain limited access to an unsecured router; (Details will be published in 90 days),
> ! winbox - added capability to bitcoin mine any devices behind an improperly secured router in order to pay for the aforementioned fixes ;-) ;-)
> ----------------------
..

@Normis - Using my fixed text as inspiration and after reading this post.........
viewtopic.php?f=13&t=145643
I think we are going to see a new generation of stupid.

Please post on the user guide and help Wizards for the app.

(optional: APPS are for use by experienced admins only - not kids (pretend admins)

If you wish to use this Beta and decide to connect directly to your WAN by changing RB firewall rules, please do not call or email MT for support and please do not bother the real admins at MT forums with indignation and upset that your RB has been hacked. ;-)
 
mt99
newbie
Posts: 44
Joined: Wed Jan 03, 2018 6:07 pm

Re: Security issue when Winbox exposed

Sat Feb 23, 2019 3:55 am

> > I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
>
> Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and then sell them to governments and intelligence agencies to compromise foreign networks, spy on people, etc. They definitely aren't reporting them to Mikrotik to be fixed!

On that we agree, and I didn't mean to make it sound like Zerodium (or other 0day aggregators like them) provides *anything* for free to anyone. My hope is that this news gives Mikrotik the incentive to discover the vulnerabilities and provide full disclosure, either by themselves or through 3rd party audits of the source code. I hope this is happening and that Mikrotik doesn't just expect white hats to do the work. If it hadn't been clear to Mikrotik that they are a target, it's news like this that should make it crystal.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Sat Feb 23, 2019 12:18 pm

> It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.

The first sentence is irrelevant truth and the second one is like a slap in everyone's face.
- Users were given just 10 days (respectively 14 days for stable branch) which is ridiculously short notice.
- There was not a single word indicating, that the improvement is security related.

I don't know, whether you personally agree or disagree with the approach chosen by your company, but is it really necessary to make things worse by this whole denial policy? One day, it will bite you guys back and that will be very sad day for everyone :(
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security issue when Winbox exposed

Sun Feb 24, 2019 10:12 am

@vecernik87

I do agree with you that this is a very short notice. It may be that they did not have a choice to wait.
But another thing is not posting the changes. Why do we need release notes at all when not all changes are posted??
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 2:57 pm

Unless I am mistaken, this vulnerability is a lot less dangerous as long as your internal network isn't public knowledge. The attack shown in the article is an example that only works because he knows the LAN IP address of the vulnerable server and the type of server before doing the attack.

I am not saying that it isn't possible to scan an entire network with this vulnerability, but we are talking about probing each possible IP addresses behind the router and then probing each successful hit for what that server might be to see if it is vulnerable.

Not saying people shouldn't upgrade or secure their router better. At the very least set an IP whitelist on your winbox service, and upgrade as soon as possible.
But we haven't yet heard of any large scale attacks using this vulnerability.
 
BRMateus2
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 4:45 pm

Deantwo
From the reddit response (netsec), the limit of 3 packets is a per connection basis - this means you can scan the whole network for all ports and IPs.
 
kuz8
just joined
Posts: 16
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 8:11 pm

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled?

(of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled)

The article says it's only agent, but I'd appreciate explicit confirmation from Mikrotik. Quote: "However, one of the binaries that handles the probes (agent) fails to verify whether the remote user is authenticated."

Thank you,
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 9:01 pm

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled?

(of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled)

The article says it's only agent, but I'd appreciate explicit confirmation from Mikrotik. Quote: "However, one of the binaries that handles the probes (agent) fails to verify whether the remote user is authenticated."

Thank you,
As mentioned in the blog post, the "Dude Agent" is part of the WinBox service. It is used to allow the Dude Server to relay probes through a firewall. But the "Dude Agent" is active always, even if you don't have a Dude server anywhere in your network.

If the WinBox service is accessible from the internet you are vulnerable to this vulnerability. This means that you can mitigate it by blocking access to the WinBox service with a firewall rule, or with the service's "accessed from" whitelist.
 
kuz8
just joined
Posts: 16
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 11:46 pm

As mentioned in the blog post, the "Dude Agent" is part of the WinBox service. It is used to allow the Dude Server to relay probes through a firewall. But the "Dude Agent" is active always, even if you don't have a Dude server anywhere in your network.
I'm not sure this statement is accurate.

I interpret it as dude uses WinBox port. I have a wide range of Mikrotik devices, hAP AC, wAP AC, CRS316/326, CCR1036 and CCR1072.

I did the following tests:
1. on hAP which runs on mips there's no dude package at all. If I try to connect with Dude PC client to hAP, given user/pw are right, it cycles between "connecting" and "no dude package"
2. on CCR1072 with installed but not enabled Dude package - Dude Client also can't connect and cycles between "connecting" and "dude not enabled"
3. on CCR1036 with no dude package installed, connect cycles between "connecting" and "no dude package"

In my view it's using winbox port and protocol, it's not always on, but is not functional without the package or with package not turned on in dude package settings.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 1:35 am

@kuz8: his statement is accurate. Dude Agent is part of the basic system package. Dude Server has a separate package.
Dude Server will allow connections from Dude Client (which makes sense because the server contains the database and all data..)
Dude Agent allows only connections from Dude Server. Agent works as a proxy/relay. It does not store any data. It just forwards probes so your Server doesn't need direct access to the target network.

Your tests are based on wrong assumptions (connecting client to agent) and you just proved a well-known fact.


@Deantwo:
But we haven't yet heard of any large scale attacks using this vulnerability.
We didn't hear of any large scale attack on the Winbox vulnerability (CVE-2018-14847) until 6 months AFTER the fix was released...
We didn't hear of any large scale attack on the web service vulnerability until 18 months AFTER the fix was released...
A large scale attack does not appear overnight. There will instantly be some script-kiddos playing with it and we can expect an increased rate of port 8291 scans. To build a large attack requires careful preparation and testing. In addition, this may not hit the news that easily, since it does not endanger RouterOS itself. It gives access to the internal LAN, where there might be unsecured printers, NAS, Windows computers etc etc.. you should consider it as a backdoor through the firewall to misuse any other vulnerability or unsecured device, which would normally be protected.
 
kuz8
just joined
Posts: 16
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 1:48 am

Not sure if it's well known, but the description and lingo allow for interpretation and are not clear.

This wiki page https://wiki.mikrotik.com/wiki/Manual:The_Dude/Agents says
1.
"Agents are other Dude servers that can be used as intermediaries for device monitoring."

2.
"RouterOS As Agent: To scan and monitor a network which is behind another router, in some other location, it is possible to install the Dude Server/Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS"

Can hAP act as an agent? I guess I can spend some time to model active dude server on a spare 1036 or 1072 I have next to me, and try different combinations..

Also part of his answer "If the WinBox service is accessible from the internet you are vulnerable to this vulnerability." was redundant as I've already stated it's not open from the Internet.


In addition, did anyone try that https://www.tenable.com/security/research/tra-2019-07 piece of PoC code? I've tried - it prints out nonsense on either hAP with patch, CCR1072 without patch with Dude enabled or disabled - what is this supposed to mean:
rubbish-2019-02-25_18-56-14.png
Last edited by kuz8 on Tue Feb 26, 2019 1:58 am, edited 1 time in total.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 1:55 am

it is possible to install the Dude Server/Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS"
I see. That is definitely wrong documentation. Maybe just outdated? Thanks for pointing that out.

edit: I just read the wiki page itself - definitely outdated :lol: You don't assign agents as described on the screenshot anymore in Dude v6. Any accessible RouterOS device will automatically appear as an agent, if you supply login credentials.
 
kuz8
just joined
Posts: 16
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 2:10 am

Ok, indeed there's a parallel version of this page with "v6" edited 20180109 while the other one was edited back in 2010 and first appeared in google search for me :
https://wiki.mikrotik.com/wiki/Manual:T ... _v6/Agents

This v6 piece still has that statement:
"RouterOS as Agent To scan and monitor a network which is behind another router, in some other location, it is possible to install the Dude Server/Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS" along with conflicting "Agents are other Dude servers that can be used as intermediaries for device monitoring. Starting from RouterOS 6.38.x any RouterOS device can be a Dude agent without any installation or configuration required." on that same page.. It still doesn't logically confirm if dude packages are needed to be installed or enabled.. Docs are very confusing.

I'll try to set up a local test, meanwhile does the PoC py code output make any sense to anybody? Or does anyone have clearer instructions on how to verify it against my devices?
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 2:29 am

Gosh... It's not easy to convince you mate :D I am using this approach all around and none of my "agents" has a dude server installed. Even RBmAPL works as agent and that one does not even support Dude Server (there is no package for MIPSBE architecture).

Starting from RouterOS 6.38.x any RouterOS device can be a Dude agent without any installation or configuration required.
6.38 is over 2 years old, and since that Winbox vulnerability from last year, I don't expect that anyone will have ROS older than 6.40.8@bugfix or 6.42.1@current

Docs are very confusing.
Yayyy, finally agreement! High five?
 
Redmor
Member Candidate
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 8:23 pm

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
 
td32
Member Candidate
Posts: 111
Joined: Fri Nov 18, 2016 5:55 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 8:25 pm

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
only from the accept list ips
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 9:41 pm

This is not rocket science.
Do not open winbox to the internet
Do not open winbox to the input chain (from the LAN side) except for admin.
Disable any unused services
For enabled services only allow the admin

What am I missing here??
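
The two controls discussed in this thread (an address allow-list on the Winbox service, and no input-chain rule that accepts its port from any source) can be checked against a configuration export. This is an added example, not code from the thread or from MikroTik; the sample exports are constructed, and the check is a heuristic that assumes the compact `/export` layout and does not evaluate firewall rule order.

```python
import re
import shlex

SOURCE_LIMITS = ("src-address", "src-address-list", "in-interface", "in-interface-list")

def parse_export(text):
    """Yield (menu, tokens, params) for each command in a RouterOS /export."""
    text = re.sub(r"\\\n\s*", "", text)             # join backslash-continued lines
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):                     # menu line, e.g. "/ip service"
            menu = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)               # keeps quoted comments intact
            yield menu, tokens, dict(t.split("=", 1) for t in tokens if "=" in t)

def covers_port(spec, port):  # True if a dst-port value like "22,8000-9000" includes port
    ranges = re.findall(r"(?:^|,)(\d+)(?:-(\d+))?(?=,|$)", spec)
    return any(int(lo) <= port <= int(hi or lo) for lo, hi in ranges)

def audit_winbox(export_text):
    """Heuristic: list the ways the Winbox service is reachable from any source."""
    service, rules, findings = {}, [], []
    for menu, tokens, params in parse_export(export_text):
        if menu == "/ip service" and tokens[:2] == ["set", "winbox"]:
            service = params
        elif menu == "/ip firewall filter" and tokens[0] == "add":
            rules.append(params)
    if service.get("disabled") == "yes":
        return findings                              # nothing is listening
    port = int(service.get("port", 8291))            # the port may have been moved
    if "address" not in service:
        findings.append(f"winbox service on tcp/{port} has no address allow-list")
    for rule in rules:                               # rule order is not evaluated
        if (rule.get("chain") == "input" and rule.get("protocol") == "tcp"
                and rule.get("action", "accept") == "accept"
                and covers_port(rule.get("dst-port", ""), port)
                and not any(key in rule for key in SOURCE_LIMITS)):
            findings.append(f"input rule accepts tcp/{port} from any source")
    return findings

# Constructed exports (not from the thread): Winbox open to any source, then restricted.
EXPOSED = """/ip firewall filter
add action=accept chain=input comment="remote admin" dst-port=8291 protocol=tcp"""
RESTRICTED = """/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp \\
    src-address-list=admin
/ip service
set winbox address=192.168.88.0/24"""
```

`audit_winbox(EXPOSED)` reports both the missing allow-list and the open input rule; `audit_winbox(RESTRICTED)` returns an empty list.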
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 10:19 pm

What am I missing here??
There may be some times when you are only able to support a site from a remote location.
But there are many things you can do to secure the communication. (see my other post about this)
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 11:36 pm

The only open to internet usage would be via port knocking as a last resort, otherwise it would be VPN to router and then access winbox from within router.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 11:43 pm

The password protection for each connection has a purpose: Even if you connect through VPN, your device itself may be infected with some nasty stuff. Per-connection authentication makes sure that only authorised connections will be accepted.
Not authorised device, not authorised IP address, not authorised IP range.. because none of these prevents unauthorised software from doing bad things.
 
Redmor
Member Candidate
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: Security issue when Winbox exposed

Wed Feb 27, 2019 12:04 am

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
only from the accept list ips
For real? Only from them?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Security issue when Winbox exposed

Wed Feb 27, 2019 12:27 am

@Redmor: It depends. If you configure firewall to let only specific addresses in, nothing else will pass. But whether traffic that looks as from some address is really from device that legitimately owns that address, that's a different question. E.g. if I whitelist a.b.c.d on my home router, there's nothing easier for my ISP (through which I route all traffic) than to set up device with a.b.c.d and get around (or right through) my filter. There are obvious limits who can do something like that, but if you want it really safe, any IP-based whitelists are not the right way.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Security issue when Winbox exposed

Wed Feb 27, 2019 2:08 am

@Redmor: It depends. If you configure firewall to let only specific addresses in, nothing else will pass. But whether traffic that looks as from some address is really from device that legitimately owns that address, that's a different question. E.g. if I whitelist a.b.c.d on my home router, there's nothing easier for my ISP (through which I route all traffic) than to set up device with a.b.c.d and get around (or right through) my filter. There are obvious limits who can do something like that, but if you want it really safe, any IP-based whitelists are not the right way.
The sound of sweet pragmatism! I use source address lists for non-sensitive items such as a septic company's access to my septic control box.
Otherwise it would be VPN.
The thought of anything without some sort of TLS or SSL protection AND a whitelist also boggles my mind, i.e. FTP server etc.........
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security issue when Winbox exposed

Thu Sep 05, 2019 6:04 pm
