Community discussions

MikroTik App
 
nmaton
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 72
Joined: Fri Feb 18, 2011 12:31 am

OPENSSL 5 june bugs

Thu Jun 05, 2014 8:44 pm

Can anyone inform us if mikrotik is vulnerable to the following openssl bugs?


https://www.openssl.org/news/secadv_20140605.txt
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: OPENSSL 5 june bugs

Fri Jun 06, 2014 10:38 am

if you are worried about this please upgrade to RouterOS 6.14 when released.
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2394
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: OPENSSL 5 june bugs

Fri Jun 06, 2014 11:02 am

OpenSSL bug - SSL/TLS MITM (CVE-2014–0224) - type: "Man-in-the-middle"

http://ccsinjection.lepidum.co.jp/blog/ ... index.html
 
robertpenz
Member Candidate
Member Candidate
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: OPENSSL 5 june bugs

Fri Jun 06, 2014 5:35 pm

Which services / protocols on the RouterOS are vulnerable?
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 12:48 pm

just use 6.14
 
robertpenz
Member Candidate
Member Candidate
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 2:20 pm

With my routers running 6.x thats easy. But we've many 5.x still and a upgrade to 6.14 is not that fast done. So I would like to know which services/protocols are affected. If I don't use them I don't need to upgrade. Or will there be a 5.x security release.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 2:45 pm

v5.x will not receive security updates.

6.14 has this security update.
 
lavv17
Member Candidate
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 2:51 pm

I think it's only https (www-ssl) which is affected. But I don't know for sure. Use good firewall settings and you would be fine.
 
robertpenz
Member Candidate
Member Candidate
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 2:52 pm

ok only 6.x gets an security update. so switch services are vulnerable? I need this to compare the the security impact against the time and money the update from 5.x costs.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26318
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 2:54 pm

ok only 6.x gets an security update. so switch services are vulnerable? I need this to compare the the security impact against the time and money the update from 5.x costs.
You should evaluate if there are any actual risks from the described vulnerability. "Could be" doesn't mean anyone has, or ever will create an exploit. See how far are you willing to go to protect against the tiniest possibility. Upgrade doesn't seem so expensive if you think this is important.
 
robertpenz
Member Candidate
Member Candidate
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 2:59 pm

What I want to know is, if only the administration (HTTPS, Winbox) is vulnerable, which would be not big problem as we're using dedicated management networks, or production service also external user can reach.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26318
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: OPENSSL 5 june bugs

Tue Jun 10, 2014 3:16 pm

These vulnerabilities have nothing to do with Winbox or SSH, your router cannot be hacked with this.
Currently I can't imagine any feature in RouterOS that could be affected with the issues in the first post.

Who is online

Users browsing this forum: gigabyte091, onnyloh, RobertsN, TheCat12 and 83 guests