Community discussions

 
BRMateus2
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 4:45 pm

Deantwo
From the reddit response (netsec), the limit of 3 packets is a per connection basis - this means you can scan the whole network for all ports and IPs.
 
kuz8
just joined
Posts: 13
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 8:11 pm

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled?

(of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled)

The article says it's only agent, but I'd appreciate explicit confirmation from Mikrotik. Quote: "However, one of the binaries that handles the probes (agent) fails to verify whether the remote user is authenticated."

Thank you,
 
Deantwo
Member Candidate
Posts: 289
Joined: Tue Sep 30, 2014 4:07 pm

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 9:01 pm

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled?

(of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled)

The article says it's only agent, but I'd appreciate explicit confirmation from Mikrotik. Quote: "However, one of the binaries that handles the probes (agent) fails to verify whether the remote user is authenticated."

Thank you,
As mentioned in the blog post, the "Dude Agent" is part of the WinBox service. It is used to allow the Dude Server to relay probes through a firewall. But the "Dude Agent" is active always, even if you don't have a Dude server anywhere in your network.

If the WinBox service is accessible from the internet you are vulnerable to this vulnerability. This means that you can mitigate it by blocking access to the WinBox service with a firewall rule, or with the service's "accessed from" whitelist.
I wish my FTP was FTL.
 
kuz8
just joined
Posts: 13
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Mon Feb 25, 2019 11:46 pm

As mentioned in the blog post, the "Dude Agent" is part of the WinBox service. It is used to allow the Dude Server to relay probes through a firewall. But the "Dude Agent" is active always, even if you don't have a Dude server anywhere in your network.
I'm not sure this statement is accurate.

I interpret it as dude uses WinBox port. I have a wide range of Mikrotik devices, hAP AC, wAP AC, CRS316/326, CCR1036 and CCR1072.

I did the following tests:
1. on hAP which runs on mips there's no dude package at all. If I try to connect with Dude PC client to hAP, given user/pw are right, it cycles between "connecting" and "no dude package"
2. on CCR1072 with installed but not enabled Dude package - Dude Client also can't connect and cycling between "connecting" and "dude not enabled"
3. on CCR1036 with no dude package installed, connect cycles between "connecting" and "no dude package"

In my view it's using winbox port and protocol, it's not always on, but is not functional without the package or with package not turned on in dude package settings.
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 1:35 am

@kuz8: his statement is accurate. Dude Agent is part of basic system package. Dude Server has separate package.
Dude Server will allow connections from Dude Client (which makes sense because server contains the database and all data..)
Dude Agent allows only connections from Dude Server. Agent works as proxy/relay. It does not store any data. It just forwards probes so your Server doesn't need direct access to the target network.

Your tests are based on wrong assumptions (connecting client to agent) and you just proved a well-known fact.


@Deantwo:
But we haven't yet heard of any large scale attacks using this vulnerability.
We didn't hear of any large scale attack on Winbox vulnerability (CVE-2018-14847) until 6 months AFTER the fix was released...
We didn't hear of any large scale attack on web service vulnerability until 18 months AFTER the fix was released...
Large scale attack does not appear overnight. There will be instantly some script-kiddos playing with it and we can expect increased rate of port 8291 scans. To build large attack requires careful preparation and testing. In addition, this may not hit the news that easily, since it does not endanger the RouterOS itself. It gives access to internal LAN, where there might be unsecured printers, NAS, Windows computers etc etc.. you should consider it as a backdoor through firewall to misuse any other vulnerability or unsecured device, which would be normally protected.
 
kuz8
just joined
Posts: 13
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 1:48 am

Not sure if it's well known, but the description and lingo allow for interpretation and are not clear.

This wiki page https://wiki.mikrotik.com/wiki/Manual:The_Dude/Agents says
1.
"Agents are other Dude servers that can be used as intermediaries for device monitoring."

2.
"RouterOS As Agent: To scan and monitor a network which is behind another router, in some other location, it is possible to install the Dude Server/Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS"

Can hAP act as an agent? I guess I can spend some time to model active dude server on a spare 1036 or 1072 I have next to me, and try different combinations..

Also part of his answer "If the WinBox service is accessible from the internet you are vulnerable to this vulnerability." was redundant as I've already stated it's not open from the Internet.


In addition, did anyone try that https://www.tenable.com/security/research/tra-2019-07 piece of PoC code? I've tried - it prints out nonsense on either hAP with patch, CCR1072 without patch with Dude enabled or disabled - what is this supposed to mean:
[Attachment: rubbish-2019-02-25_18-56-14.png]
Last edited by kuz8 on Tue Feb 26, 2019 1:58 am, edited 1 time in total.
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 1:55 am

it is possible to install the Dude Server/Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS"
I see. That is definitely wrong documentation. Maybe just outdated? Thanks for pointing that out.

edit: I just read the wiki page itself - definitely outdated :lol: You don't assign agents as described on the screenshot anymore in Dude v6. Any accessible RouterOS device will automatically appear as an agent, if you supply login credentials.
 
kuz8
just joined
Posts: 13
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 2:10 am

Ok, indeed there's a parallel version of this page with "v6" edited 20180109 while the other one was edited back in 2010 and first appeared in Google search for me:
https://wiki.mikrotik.com/wiki/Manual:T ... _v6/Agents

This v6 piece still has that statement:
"RouterOS as Agent To scan and monitor a network which is behind another router, in some other location, it is possible to install the Dude Server/Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS" along with conflicting "Agents are other Dude servers that can be used as intermediaries for device monitoring. Starting from RouterOS 6.38.x any RouterOS device can be a Dude agent without any installation or configuration required." on that same page.. It still doesn't logically confirm if dude packages are needed to be installed or enabled.. Docs are very confusing.

I'll try to set up a local test, meanwhile does PoC py code output make any sense to anybody? Or anyone has clearer instructions how to verify it against my devices?
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 2:29 am

Gosh... It's not easy to convince you mate :D I am using this approach all around and none of my "agents" has a dude server installed. Even RBmAPL works as agent and that one does not even support Dude Server (there is no package for MIPSBE architecture).

Starting from RouterOS 6.38.x any RouterOS device can be a Dude agent without any installation or configuration required.
The 6.38 is over 2 years old and since that Winbox vulnerability from last year, I don't expect that anyone will have ROS older than 6.40.8@bugfix or 6.42.1@current

Docs are very confusing.
Yayyy, finally agreement! High five?
 
Redmor
Member Candidate
Posts: 248
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 8:23 pm

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
 
td32
Frequent Visitor
Posts: 85
Joined: Fri Nov 18, 2016 5:55 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 8:25 pm

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
Only from the accept list IPs.
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 9:41 pm

This is not rocket science.
Do not open winbox to the internet
Do not open winbox to the input chain (from the LAN side) except for admin.
Disable any unused services
For enabled services only allow the admin

What am I missing here??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
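The two access controls discussed in this thread (the WinBox service's allowed-address setting and input-chain firewall rules) can be checked offline against a configuration export. The following is an added example, not code from any poster or from MikroTik: it walks the input chain first-match style and reports who can open a new TCP connection to port 8291. The sample export is constructed, and the parser assumes one command per line, the default WinBox port, and plain (non-negated) `dst-port` values; conditional drop rules are ignored, so the result errs toward "reachable".

```python
import shlex

# Constructed RouterOS export for illustration (not taken from the thread).
SAMPLE_EXPORT = '''/ip service
set winbox address=""
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=admin
add action=drop chain=input
'''
BASIC = {"action", "chain", "protocol", "dst-port", "connection-state", "comment", "disabled"}

def parse_export(text):
    """Yield (menu, positional_words, {key: value}) for each command line."""
    menu = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            words = shlex.split(line)
            props = dict(w.split("=", 1) for w in words if "=" in w)
            yield menu, [w for w in words if "=" not in w], props

def port_matches(spec, port):
    """True if a dst-port value such as '22,8290-8300' covers port."""
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def winbox_reachability(text, port=8291):
    """Return (service_scope, firewall_scope) for new TCP connections to port."""
    service, allowed, verdict = "any", [], None
    for menu, words, p in parse_export(text):
        if menu == "/ip service" and words == ["set", "winbox"]:
            service = "disabled" if p.get("disabled") == "yes" else p.get("address") or "any"
        elif menu == "/ip firewall filter" and p.get("chain") == "input" and verdict is None:
            states = p.get("connection-state", "new").split(",")
            if (p.get("disabled") == "yes" or "new" not in states
                    or p.get("protocol", "tcp") != "tcp"
                    or not port_matches(p.get("dst-port", str(port)), port)):
                continue  # rule cannot match a new connection to the port
            cond = ",".join(f"{k}={p[k]}" for k in sorted(set(p) - BASIC))
            action = p.get("action", "accept")
            if action == "accept" and cond:
                allowed.append(cond)      # conditional accept, e.g. an address list
            elif action == "accept":
                verdict = "any"           # unconditional accept: open to everyone
            elif action in ("drop", "reject") and not cond:
                verdict = allowed or "none"
    # RouterOS accepts input traffic that no rule matched: no final drop means "any".
    return service, verdict or "any"
```

For the sample, the service itself is unrestricted but the firewall limits new connections to the `admin` address list; deleting the final drop rule turns the firewall scope into "any", because the accept rule alone restricts nothing.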
 
Jotne
Forum Guru
Posts: 1231
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 10:19 pm

What am I missing here??
There may be some times when you are only able to support a site from a remote location.
But there are many things you can do to secure the communication. (see my other post about this)
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 11:36 pm

The only open to internet usage would be via port knocking as a last resort, otherwise it would be VPN to router and then access winbox from within router.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Security issue when Winbox exposed

Tue Feb 26, 2019 11:43 pm

The password protection for each connection has a purpose: Even if you connect through VPN, your device itself may be infected with some nasty stuff. per-connection-authentication makes sure that only authorised connection will be accepted.
Not authorised device, Not authorised IP address, Not authorised IP range.. because none of these prevents unauthorised software from doing bad things.
 
Redmor
Member Candidate
Posts: 248
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: Security issue when Winbox exposed

Wed Feb 27, 2019 12:04 am

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
Only from the accept list IPs.
For real? Only from them?
 
Sob
Forum Guru
Posts: 4365
Joined: Mon Apr 20, 2009 9:11 pm

Re: Security issue when Winbox exposed

Wed Feb 27, 2019 12:27 am

@Redmor: It depends. If you configure firewall to let only specific addresses in, nothing else will pass. But whether traffic that looks as from some address is really from device that legitimately owns that address, that's a different question. E.g. if I whitelist a.b.c.d on my home router, there's nothing easier for my ISP (through which I route all traffic) than to set up device with a.b.c.d and get around (or right through) my filter. There are obvious limits who can do something like that, but if you want it really safe, any IP-based whitelists are not the right way.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue when Winbox exposed

Wed Feb 27, 2019 2:08 am

@Redmor: It depends. If you configure firewall to let only specific addresses in, nothing else will pass. But whether traffic that looks as from some address is really from device that legitimately owns that address, that's a different question. E.g. if I whitelist a.b.c.d on my home router, there's nothing easier for my ISP (through which I route all traffic) than to set up device with a.b.c.d and get around (or right through) my filter. There are obvious limits who can do something like that, but if you want it really safe, any IP-based whitelists are not the right way.
The sound of sweet pragmatism! I use source address lists for non-sensitive items such as a septic company access to my septic control box.
Otherwise it would be VPN.
The thought of anything without some sort of TLS or SSL protection AND a whitelist also boggles my mind, i.e. FTP server etc.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
