Community discussions

MikroTik App
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Statement on Vault 7 document release

Wed Mar 08, 2017 4:43 pm

On March 7th, 2017, Wikileaks made public a set of documents that is being referred to as “Vault 7”. This is a large collection of documents purported to belong to the United States Central Intelligence Agency (CIA) Center for Cyber Intelligence. According to Wikileaks, this disclosure is the first one, additional disclosures will be coming in the near future.

According to the released documents, the CIA supposedly has tools that can inject malicious tools into RouterOS devices, if the public interface of the RouterOS device has no firewall on port 80. The exploit is called "ChimayRed".

Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20250630.html:
"ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed"
Also, it seems that this exploit may not be functional in RouterOS version above v6.30.1 (released 2015-07-15).

Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20251203.html:
"Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2"
Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.5 'current' and 6.37.5 'bugfix' or newer). We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.5 which removes any malicious files in devices that have been compromised. MikroTik will follow Wikileaks for any new information on this exploit.

Most RouterBOARD products come with default firewall rules that already protect against malicious access from the public interface. If you have disabled these rules, or have cleared the default config, please apply firewall rules on the public interfaces of your devices to block access to port 80, upgrade RouterOS to the latest version and follow general router protection guides in our documentation, like limiting access only to your own IP address and disabling unused services.

UPDATE 1: Hotspot is not affected by the vulnerabilities outlined above.

UPDATE 2: v6.38.5 and 6.39rc49 has been released, this version fixes the vulnerabilities outlined in the above documents, and cleans any files installed by the tools described.

UPDATE 3: As of November 2017, Wikileaks have NOT followed up their claims and have not provided any tools for our inspection.
 
0ldman
Forum Guru
Forum Guru
Posts: 1465
Joined: Thu Jul 27, 2006 5:01 am

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 5:00 pm

Thanks for the update.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 5:29 pm

Thanks for the update. Have Mikrotik reached out to Wikileaks in order to obtain an early release of the ChimayRed tool?
"Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2"
The reason it doesn't work with 6.30.2 is most likely due to memory or executable offsets changing between versions. Exploits tend to be very sensitive to the layout of memory and executables, so every time a new RouterOS release is made, the exploit authors will have to code in offsets specifically for that version (this is why the exploit appears to query the version from the httpd). So while it sounds like > 6.30.2 are unaffected, I do not believe this to be the case unless some vulnerable code was patched in 6.30.2.
 
ptoribiop
just joined
Posts: 12
Joined: Wed Apr 17, 2013 8:07 pm
Location: Peru
Contact:

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 5:37 pm

Thanks for the information Normis. We will be attentive to the updates.
regards
 
Ape
Member Candidate
Member Candidate
Posts: 177
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany
Contact:

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 6:01 pm

Hi,

thank you very much normis!
This is a real professional handling of the situation.

Regards,
Ape
 
Lakis
Forum Veteran
Forum Veteran
Posts: 703
Joined: Wed Sep 23, 2009 7:52 pm

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 6:02 pm

''the CIA supposedly has tools that can inject malicious tools into RouterOS devices,''
it's not possible to do that without admin password second ROS kernel is closed not like Ubq source code
That's why CIA ''supposedly'' has tools

Any way how can I find if, how or ''supposedly'' my router is infected with so called "ChimayRed"?
 
kez
newbie
Posts: 40
Joined: Tue Jul 05, 2005 4:13 am

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 6:15 pm

Normis, Mikrotik should release a tool to check if there is any suspicious file.
If the router was infected running an exploitable version, maybe the trojan continues in the system.
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 6:43 pm

Any way how can I find if, how or ''supposedly'' my router is infected with so called "ChimayRed"?
From what i read:
There is no solid information about that yet, without hacking tools themselves, they need to have 'supposedly'' hacked router on their hands to determine and create precise method of detection, at this point firewall log rule for TCP/80 ( maybe TCP/8291) port from and to router (input/output) will work just as well , just look if there are some out-of-ordinary traffic - persistent connections that don't suppose to be there.

It looks like MT just released 6.38.4, that, just in case, clears all file system from any stuff unrelated to RouterOS.
*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
And in fact with given set of information that is all they can do atm.
 
User avatar
Hotz1
Member
Member
Posts: 393
Joined: Tue Oct 09, 2007 6:55 am

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 6:44 pm

... it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.4 'current' and 6.37.5 'bugfix' or newer)...
FYI, the current download page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 6:46 pm

... it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.4 'current' and 6.37.5 'bugfix' or newer)...
FYI, the current download page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.
I think that is on purpose, bugfix probably takes more time to be released.
 
User avatar
macsrwe
Forum Guru
Forum Guru
Posts: 1008
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 7:58 pm

We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.4 which removes any malicious files in devices that have been compromised.
The obvious question is: does it report the presence of such files if any are detected?
 
User avatar
StubArea51
Trainer
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 9:02 pm

Thanks for the update Normis.

So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?
 
ndbjorne
just joined
Posts: 23
Joined: Sat Dec 15, 2012 5:06 pm
Location: Italy

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 10:04 pm

Thank you.
 
francisconeto
Trainer
Trainer
Posts: 22
Joined: Thu Nov 10, 2011 5:55 pm

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 11:19 pm

Thanks for the update Normis.

So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?

Please could you confirm this Normis ?
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Statement on Vault 7 document release

Wed Mar 08, 2017 11:36 pm

Thanks for the update Normis.
So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?
Please could you confirm this Normis ?
In the documents provided by wikileaks it details this - you can ask MikroTik but they are (like the rest of us) just working off the information that has been made available thus far.

Source: https://wikileaks.org/ciav7p1/cms/page_20250869.html
Operator Notes
ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed.
 
markdutton
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Fri Sep 24, 2010 4:59 am

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 3:04 am

Whilst we block most of our client routers from the Internet to all but our own IP address for management, there are some clients who want to have the graphs publicly available.

I would like to see a separate port for graphing if possible so that this functionality can be available to anyone without leaving port 80 open for management. Alternatively, have an option to remove management capability from the internal web server so it has no access to ROS and config, leaving all management to Winbox and CLI.
 
User avatar
macsrwe
Forum Guru
Forum Guru
Posts: 1008
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 3:29 am

Alternatively, have an option to remove management capability from the internal web server so it has no access to ROS and config, leaving all management to Winbox and CLI.
You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network.
 
markdutton
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Fri Sep 24, 2010 4:59 am

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 4:34 am

You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network.
Yeah I know I can limit IP on the graphing, but what I would like to see is open to world graphing. From my understanding the ChimayRed hack is not dependent on authenticating to the box. Although the issue is fixed with current ROS releases,it would be nice to have the web server for graphing isolated from the router core so any future compromise leads nowhere.
 
pauljames
just joined
Posts: 6
Joined: Sun Aug 21, 2016 3:10 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 7:01 am

Normis, thank you for the posting and info on Vault 7 and how it might affect a Mikrotik device as well as having the upgrade.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 8:45 am

Have Mikrotik reached out to Wikileaks
Yes, but as you can imagine, all the big tech companies are probably doing the same.
most likely due to memory or executable offsets changing between versions
Likely, maybe, but nothing is definite. We are researching.
Mikrotik should release a tool to check if there is any suspicious file.
We have so far not seen a single affected device, we are only working based on the released text documents, so it is not yet possible to create a tool with high accuracy. All we can do is clean the system upon upgrade to 6.38.4
page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.
We plan to release it later today
does it report the presence of such files if any are detected
No. We clean the system as such, we do not speculate if a certain file came from this malware or from elsewhere.
So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?
Please could you confirm this Normis ?
Yes
here are some clients who want to have the graphs publicly available.
You can open the port 80 for the specific customer IP address, or use graphing on external services through SNMP until we provide alternate solutions
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 1:06 pm

Hi,

It would be nice if Mikrotik can take some proactive steps. For example IOS/Junos devices has proper shell in devices, and as sysadmin i can inspect system integrity easily, including taking storage/filesystem dumps over dd, checksums for all filesystem files and etc, and i can run also scripts to check for changes over time.
With mikrotik i am totally blind, if someone plant in device backdoor, as they state in document - they dont need even to bother to hide it, it will reflect only on memory consumption, which is not reliable method at all to detect malware. And even Mikrotik will(and as far as i remember there is some) implement their own integrity check, be sure, they will find way around it, so vendor should provide a way for customer to implement integrity verification over several ways, as it more "raw" - it's better (more ways to detect it).

P.S. Please take appropriate steps with recursive DNS server. It is matter of time someone will open this subject, but lack of ACL and/or easiness of putting "allow all", together with lack of any default defensive methods (throttling of specific abusive requests) making Mikrotik units as a top dns amplification DDoS source.
For example severely throttling ips doing identical requests, requests with large answers and etc.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 2:09 pm

I appreciate the way how mikrotik officially stands in this situation. Thank you.

My questions is what was the attacking vector because we were told in the past that even authorised user with Ros admin rights cannot manipulate with system files or inject and run whatever code.

So how it could be possible to do it without any authorisation?
 
User avatar
pietroscherer
Trainer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 2:25 pm

Normis,

Thank you for reply!
No. We clean the system as such, we do not speculate if a certain file came from this malware or from elsewhere.
This procedure will become a routine in every new release, to warranty that the system will be always free of any suspicious file?

Thank you again!
 
doush
Long time Member
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 2:29 pm

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with :)
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 2:39 pm

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.
 
slawekk
just joined
Posts: 24
Joined: Sun Jan 02, 2011 3:48 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 2:40 pm

It is only www management interface problem or Hotspot service is affected too?
 
User avatar
ppereira
just joined
Posts: 9
Joined: Mon Sep 09, 2013 10:24 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 2:50 pm

Re: Statement on Vault 7 document release
by jarda » Thu Mar 09, 2017 9:09 am

I appreciate the way how mikrotik officially stands in this situation. Thank you.

My questions is what was the attacking vector because we were told in the past that even authorised user with Ros admin rights cannot manipulate with system files or inject and run whatever code.

So how it could be possible to do it without any authorisation?
+1
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 3:00 pm

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with :)
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?
I can say more - it does became requirements even in old deployments, and many customers started to ask how we can inspect if our systems are breached. As i say there is no way and tools at all, sorry, they ask to provide alternative solution, that can do so.
Unfortunately, if before administrators was able to slip it between fingers such drawback of mikrotik solutions, because it is very low cost, after this incident any IA/Security engineer will demand complete removal of hardware/software that can't be isolated and can't be inspected for possible "implants".
So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 3:04 pm

So how it could be possible to do it without any authorisation?
that is the definition of an exploit :) to be able to do something that was not supposed to be possible.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 3:13 pm

It is only www management interface problem or Hotspot service is affected too?
Hotspot is NOT affected by the vulnerability described in the Vault 7 leaks published on March 7.
So people with public hotspots are safe.
 
notToNew
Member Candidate
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 4:10 pm

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.
Will you please also release a fix for 6.36.4 as it is the only version which works with my wireless-devices?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 4:22 pm

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.
Will you please also release a fix for 6.36.4 as it is the only version which works with my wireless-devices?
The fix for your wireless issue is fixed in 6.38.5 as well
*) wireless - improved compatibility with Intel 2200BG wireless card;
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2942
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 5:47 pm

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
Are you sure ?
You are asking them to write antivirus software for all version till 6.30.2 ? Isn't it smarter to upgrade routers to newer versions ?
What if you will not find any virus installed ? Do you leave routers "open" for beeing attacked ? Do you want to secure them other way ?
 
User avatar
lastguru
Member
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 6:06 pm

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with :)
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?
A proper hack would modify the shell, so that it would hide the presence of such files. So, if a router is hacked, any and all available tools are not to be trusted. Moreover, that would create a false sense of security. Only the upgrade process can be relied upon in this case.
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 6:18 pm

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
Are you sure ?
You are asking them to write antivirus software for all version till 6.30.2 ? Isn't it smarter to upgrade routers to newer versions ?
What if you will not find any virus installed ? Do you leave routers "open" for beeing attacked ? Do you want to secure them other way ?
Yes i am sure.
Its not antivirus at all, not even close, it is trivial file/filesystem structure integrity verification tool, and it is trivial to write as well to detect unathorized modified executable/library files.
Also it is not a virus at all, such "implants" don't replicate themself.
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 6:23 pm

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with :)
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?
A proper hack would modify the shell, so that it would hide the presence of such files. So, if a router is hacked, any and all available tools are not to be trusted. Moreover, that would create a false sense of security. Only the upgrade process can be relied upon in this case.
It will be MUCH more difficult to hide all traces of presence from raw storage reading tool (similar to dd) + memory inspection + regular checksum verification + common linux rootkit detection techniques.
Right now Mikrotik provide no tools at all to detect malicious content inside system, and if it is possible to plant this payload even without exploit, just if bad person have access to hardware for a while, and trivial to provide for this malware persistence.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 7:06 pm

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.
After people have had time to upgrade, could you share some technical details of how the exploit work or what was vulnerable?
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 7:13 pm

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.
After people have had time to upgrade, could you share some technical details of how the exploit work or what was vulnerable?
Why to give hints for hackers, who will might create botnet from non-upgraded mikrotiks?
It is enough obvious already this exploit seems was using some function from management web-interface, that is most probably available without authorization.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 7:25 pm

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.
After people have had time to upgrade, could you share some technical details of how the exploit work or what was vulnerable?
Why to give hints for hackers, who will might create botnet from non-upgraded mikrotiks?
It is enough obvious already this exploit seems was using some function from management web-interface, that is most probably available without authorization.
If you opened your management services to the internet and run old versions of software then it's your own problem. Any service exposed to the internet without being updated is in the same situation, expect outdated services to be compromised regardless if it's RouterOS, Linux, Windows, etc. I want to know the details so I can evaluate if further services in RouterOS may be vulnerable (ie winbox) and what kind of coding bug allowed the device to be fully compromised (was it a simple mistake that code review could have spotted, or some complex series of minor bugs that unfolded into full compromise?). Also keep in mind the exploit is already circulating, having it public or not doesn't really make much difference.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 7:39 pm

Please make also the fix for last mipsle working version...
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 7:44 pm

If you opened your management services to the internet and run old versions of software then it's your own problem. Any service exposed to the internet without being updated is in the same situation, expect outdated services to be compromised regardless if it's RouterOS, Linux, Windows, etc. I want to know the details so I can evaluate if further services in RouterOS may be vulnerable (ie winbox) and what kind of coding bug allowed the device to be fully compromised (was it a simple mistake that code review could have spotted, or some complex series of minor bugs that unfolded into full compromise?). Also keep in mind the exploit is already circulating, having it public or not doesn't really make much difference.
Majority of users dont bother to change defaults. Majority of users also doesn't bother to update, if it is working. None of vendors in normal mental health release exploit details, because it will directly hurt their users(and users will have full right to sue such vendor for irresponsible disclosure), in best case they might release IDS signatures, but usually signatures disclose how exploit works, just specific "triggers", such as shellcode offsets in released scripts and etc.
Whoever can do security assessment and qualified enough to run disassembler will find such bugs by themself without any hints, and mostly such skilled people wont release their findinds in public. But most probably they will sell them to cia/nsa/etc :)
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 8:08 pm

Defaults block WAN access, so no need to worry about those users.
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 8:18 pm

RB1100/1200, CCR - doesnt have such rules.
Often inexperienced admins removed such rules intentionally, to access mikrotik from outside.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2942
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Statement on Vault 7 document release

Thu Mar 09, 2017 11:47 pm

....
Yes i am sure.
Its not antivirus at all, not even close, it is trivial file/filesystem structure integrity verification tool, and it is trivial to write as well to detect unathorized modified executable/library files.
Also it is not a virus at all, such "implants" don't replicate themself.
It would be kind of antivirus ... checking file system integrity is one of antivirus check.
IMHO just upgrade.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 12:25 pm

@normis: Really appreciate mikrotik's openness and inmediacy on this issue.
...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
[...]
It will be MUCH more difficult to hide all traces of presence from raw storage reading tool (similar to dd) + memory inspection + regular checksum verification + common linux rootkit detection techniques.
Right now Mikrotik provide no tools at all to detect malicious content inside system, and if it is possible to plant this payload even without exploit, just if bad person have access to hardware for a while, and trivial to provide for this malware persistence.
You don't need such a tool to verify if a system has been compromised.

A much direct, and less time consuming way :

1.- Put another router (or switch) in front of router to be tested (L2)
2.- Torch it / look at outgoing connections.

or, if possible (no in production service traffic):

1.- Replace the router to be tested
2.- set up a controlled lab environment with a router/switch in L2 in front of device to be tested
3.- Torch/analyze outgoing connections

Regarding integrity tools: You can already check installed packages integrity via System > Packages [Check Installation].

Developing such tools won't bring anything anyway, as any properly implemented "hack" would compromise such integrated tools.
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 12:33 pm

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
[...]
It will be MUCH more difficult to hide all traces of presence from raw storage reading tool (similar to dd) + memory inspection + regular checksum verification + common linux rootkit detection techniques.
Right now Mikrotik provide no tools at all to detect malicious content inside system, and if it is possible to plant this payload even without exploit, just if bad person have access to hardware for a while, and trivial to provide for this malware persistence.
You don't need such a tool to verify if a system has been compromised.

A much direct, and less time consuming way :

1.- Put another router (or switch) in front of router to be tested
2.- Torch it / look at outgoing connections.
Much direct - maybe, but less consuming? definitely no, if it is not single box at home.
For example, one of my customers have several racks of CCR, with almost all ports utilized (aggregation network), how often he should remove and put spare ones and how many people he need to sit and watch torch? Can you imagine labor cost and downtime comparing with proper integrity verification that is done completely automated way?
 
User avatar
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 12:43 pm

Can you imagine labor cost and downtime comparing with proper integrity verification that is done completely automated way?
Yes... What I cannot imagine is such a company leaving webfig enabled and open to the internet (or any other management tools).

I'm confident Mikrotik would produce such detection package for current hack/situation, but for that they need a compromised system to analyze, so it's up to Wikileaks to collaborate, there's little more they can do.

And there would be no point on having them as a system tool, as again, any properly implemented exploit/hack will bypass them.
 
nuclearcat
Member Candidate
Member Candidate
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 12:55 pm

Can you imagine labor cost and downtime comparing with proper integrity verification that is done completely automated way?
Yes... What I cannot imagine is such a company leaving webfig enabled and open to the internet (or any other management tools) .

Mikrotik would produce such detection package for current hack, but for that they need a compromised system, so it's up to Wikileaks to collaborate, there's little more they can do.

And there would be no point on having them as a system tool, as again, any properly implemented exploit/hack will bypass them.
It should be expected, that exploits may exist for other ports/protocols.
Also, it is easy to see in wikileaks documents, for such infiltrators it is much harder to hide artifacts of implant on cisco, that has quite comprehensive debug tools, but trivial to hide on mikrotik, because it has no tools at all.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 3:26 pm

Please make also the fix for last mipsle working version...
Normis, what about the 6.32.4, the last working mipsle 6.x version? Will we get the bugfix version 6.32.5 to secure the routers?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 3:36 pm

Please make also the fix for last mipsle working version...
Normis, what about the 6.32.4, the last working mipsle 6.x version? Will we get the bugfix version 6.32.5 to secure the routers?
This architecture is not supported anymore. As you know, firewall protects the devices against any such vulnerabilties. You could even disable www services altogether.
 
alexjhart
Member Candidate
Member Candidate
Posts: 198
Joined: Thu Jan 20, 2011 8:03 pm

Re: Statement on Vault 7 document release

Fri Mar 10, 2017 5:44 pm

Have Mikrotik reached out to Wikileaks
Yes, but as you can imagine, all the big tech companies are probably doing the same.
Normis, when you say you are reaching out to them, does this mean it has only been a one-way effort so far, or have you made two-way contact with them as other tech companies have (http://abcnews.go.com/Technology/wireSt ... g-46017600)?
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Statement on Vault 7 document release

Sun Mar 12, 2017 6:55 pm

Hotspot is NOT affected by the vulnerability described in the Vault 7 leaks published on March 7.
What about SSTP? (I suddenly recalled SSTP uses HTTPS tunneling).
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Statement on Vault 7 document release

Sun Mar 12, 2017 8:14 pm

Aren't you mixing port with protocol?
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Statement on Vault 7 document release

Sun Mar 12, 2017 9:01 pm

Aren't you mixing port with protocol?
Nope. SSTP really tunnels traffic atop HTTPS. I don't know if it is possible to serve both SSL-protected WebFig and SSTP on the same IP simultaneously, but in case it is something should split the traffic, and that something may as well be vulnerable.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Statement on Vault 7 document release

Sun Mar 12, 2017 9:52 pm

I used to run sstp tunnels on port 444 leaving 443 for https webfig until I moved from sstp to l2tp because of the udp. So definitely you can run both sstp and https in parallel.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Statement on Vault 7 document release

Sun Mar 12, 2017 10:48 pm

I guess andriys meant also the same port. Which current RouterOS does not allow, but it should be technically possible.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 10:32 am

Protocol and port has no relation to the published vulnerability. The vulnerability is specifically in the www server part, regardless of port used. SSTP is not affected.
 
User avatar
bigcw
Member Candidate
Member Candidate
Posts: 112
Joined: Mon Sep 08, 2014 2:38 pm

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 1:31 pm

Normis would you kindly comment on the following:

- If the http port is not firewalled but is locked down by access list is the system still vulnerable to attack from an IP other than those on the ACL?

- Is https affected? So far only http has been mentioned.

Thanks, Chris
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 1:47 pm

1. If the firewall prohibits opening the Webfig in the browser from an address, the server is safe
2. The vulnerability was in the server, regardless of protocol or port. If you could open Webfig, you could be vulnerable
 
User avatar
bigcw
Member Candidate
Member Candidate
Posts: 112
Joined: Mon Sep 08, 2014 2:38 pm

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 1:55 pm

1. If the firewall prohibits opening the Webfig in the browser from an address, the server is safe
This does not answer the question. Does the ACL prevent access sufficiently to prevent the attack being possible or is it critical that the firewall is used?
[chris@bacon ~]$ curl -vvv https://x.x.x.x
* About to connect() to x.x.x.x port 443 (#0)
*   Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
^^ the above is a connection attempt from an IP not in the ACL. As you can see, a connection is opened but SSL fails. Is this sufficient to protect the router?
2. The vulnerability was in the server, regardless of protocol or port. If you could open Webfig, you could be vulnerable
Thank you. I will assume https is vulnerable too.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 2:09 pm

What kind of ACL do you mean? Proper firewall will drop all connections, and will not allow the IP to try to negotiate SSL connections.

I always mean firewall, and have answered this many times above already. Firewall will protect you, if you cannot open Webfig.
No matter what ACL you have implemented. Open the Webfig address. If you see Webfig, your ACL is not working. If you don't, you are safe from the exploit.
 
User avatar
bigcw
Member Candidate
Member Candidate
Posts: 112
Joined: Mon Sep 08, 2014 2:38 pm

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 2:24 pm

What kind of ACL do you mean? Proper firewall will drop all connections, and will not allow the IP to try to negotiate SSL connections
I am referring to 'address' (called 'available from' in webfig) at /ip service.

Can you please state for the record whether routers are vulnerable to attack from an IP which is not listed in this ACL.

Also I have another question which I think is relevant. We have connection tracking set to 'auto' as such:
[admin@XXXXXX] /ip firewall connection tracking> print
                   enabled: auto
...
Will adding a drop rule to the firewall switch connection tracking on? We are concerned about the performance impact this may have on heavily loaded routers*.

Chris

*by heavily loaded I mean CCR1036's running several gigabits per second 24/7
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 2:35 pm

Can you please state for the record whether routers are vulnerable to attack from an IP which is not listed in this ACL.
the "available-from" setting works slightly different than a firewall drop rule, but will still protect you from an attack described in the vault7 documents. Even if there was an attempt for an SSL connection, it was dropped way before the exploit was possible. TLDR: yes you are still safe.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 2:39 pm

In more detail:
* About to connect() to x.x.x.x port 443 (#0)
*  Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
Your device initiated a connection, and received ACK. That's all. RouterOS closed connection and did not communicate any further.
This part is what your device is attempting (and failing):
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
 
User avatar
bigcw
Member Candidate
Member Candidate
Posts: 112
Joined: Mon Sep 08, 2014 2:38 pm

Re: Statement on Vault 7 document release

Mon Mar 13, 2017 2:42 pm

That is exactly the confirmation I was looking for. Thanks.

Chris
 
smytht
Trainer
Trainer
Posts: 87
Joined: Wed Jun 06, 2007 6:35 pm
Location: Tipperary / Dublin & Ireland
Contact:

Re: Statement on Vault 7 document release

Thu Mar 16, 2017 1:01 am

Hi,

It would be nice if Mikrotik can take some proactive steps. For example IOS/Junos devices has proper shell in devices, and as sysadmin i can inspect system integrity easily, including taking storage/filesystem dumps over dd, checksums for all filesystem files and etc, and i can run also scripts to check for changes over time.
With mikrotik i am totally blind, if someone plant in device backdoor, as they state in document - they dont need even to bother to hide it, it will reflect only on memory consumption, which is not reliable method at all to detect malware. And even Mikrotik will(and as far as i remember there is some) implement their own integrity check, be sure, they will find way around it, so vendor should provide a way for customer to implement integrity verification over several ways, as it more "raw" - it's better (more ways to detect it).

P.S. Please take appropriate steps with recursive DNS server. It is matter of time someone will open this subject, but lack of ACL and/or easiness of putting "allow all", together with lack of any default defensive methods (throttling of specific abusive requests) making Mikrotik units as a top dns amplification DDoS source.
For example severely throttling ips doing identical requests, requests with large answers and etc.
+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.
 
User avatar
bigcw
Member Candidate
Member Candidate
Posts: 112
Joined: Mon Sep 08, 2014 2:38 pm

Re: Statement on Vault 7 document release

Sat Mar 18, 2017 12:13 am


+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.
As I understand it, if you want a shell on Mikrotik, wait for the code mentioned in vault7 to be released. That seems to do exactly what you want!
 
fathhi2022
just joined
Posts: 3
Joined: Sat Apr 15, 2017 4:55 am

Hacked Mikrotik System

Sat Apr 15, 2017 7:09 am

Hello,

The microtik system has been compromised by a security vulnerability in the system and many networks have been hijacked and money has been claimed to restore them

There are hundreds of Yemeni network officials serving thousands of customers in Yemen
You can help us find solutions to this problem. We are very dissatisfied, or we will use an alternative system

This is the only video uploaded by the hacker
https://www.youtube.com/watch?v=e19wz5G ... ture=share

As well as the existence of many images of some networks that hacked on Facebook

https://www.facebook.com/kerrar.masik

we are waiting
Thanks,
MikroTik Support
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Statement on Vault 7 document release

Sat Apr 15, 2017 8:29 am

 
notToNew
Member Candidate
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: Statement on Vault 7 document release

Wed May 03, 2017 9:49 am

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.
Will you please also release a fix for 6.36.4 as it is the only version which works with my wireless-devices?
The fix for your wireless issue is fixed in 6.38.5 as well
*) wireless - improved compatibility with Intel 2200BG wireless card;
Thank you, tested this on 50+ Devices and: it works, thank you!
Even non Intel Webcams which had problems work now!
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1544
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Statement on Vault 7 document release

Fri Sep 22, 2017 4:01 am


+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.
As I understand it, if you want a shell on Mikrotik, wait for the code mentioned in vault7 to be released. That seems to do exactly what you want!
With many various older versions of Linux, BSD & Unix , I have personally seen and experienced several different services attacked which crashed that TCP/IP service and dumps the attacker out into a shell. There have been hundreds of service buffer-exploits which drop you into a shell - or starts running a embedded program that was injected into the buffer-exploit attack.

North Idaho Tom Jones
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Statement on Vault 7 document release

Fri Sep 22, 2017 8:53 am

It is worth noting, that we never saw the release of any proof in these claims, let alone the tools mentioned. After a thorough code review, we could not find anything hinting to the described issues.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1544
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Statement on Vault 7 document release

Fri Dec 14, 2018 7:51 pm

It is worth noting, that we never saw the release of any proof in these claims, let alone the tools mentioned. After a thorough code review, we could not find anything hinting to the described issues.
Well , related to this , I did have some older Mikrotiks on some public IP networks that I could no longer log into because somehow the admin password got changed. The few affected Mikrotiks had no firewall configuration , older ROS versions but did have strong passwords. I also discovered the network scanning software I started using was able to show the admin passwords on all Mikrotik devices using older ROS versions that also did not have a firewall configuration. One of the effected systems was an X86 ROS system - and I was able to confirm the file system had some additional roague files installed on it. I was able to verify this by mounting the effected X86 ROS system as a mount point on an Ubuntu Linux system.

Now knowing this , I now always use firewall configurations and newer ROS versions for everything. A good network admin should never build/confugue a network device then ignore it for-ever after !
 
mada3k
Forum Veteran
Forum Veteran
Posts: 739
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Statement on Vault 7 document release

Wed Mar 13, 2019 11:45 am

I'm not sure if this is still the case, but:

While I agree that a Mikrotik is "secure" by default (ships with firewall enabled and so on) and other vendors gets their exploits as well. Many vendors have their software contained in a single image file (e.g like Cisco, Juniper) that becomes replaced when updating the device. For what I understand RouterOS just appends updated files over old ones, opening the possibility for persistent root-kits (until modified files is replaced).
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1544
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Statement on Vault 7 document release

Wed Mar 13, 2019 5:28 pm

I'm not sure if this is still the case, but:

While I agree that a Mikrotik is "secure" by default (ships with firewall enabled and so on) and other vendors gets their exploits as well. Many vendors have their software contained in a single image file (e.g like Cisco, Juniper) that becomes replaced when updating the device. For what I understand RouterOS just appends updated files over old ones, opening the possibility for persistent root-kits (until modified files is replaced).
YUP - also … One time I took a look at the Reset-to-Factory-Defaults script inside of the ROS file system. If I am correct , when you run this script , it only clears some configurations and that it does not actually restore the entire file system. Thus I believe it is possible for a modified file or new file in the ROS (Linux) file system to not be cleared/reset to a new factory install set of files even when Restore-to-Factory-Defaults has been executed.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7169
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Statement on Vault 7 document release

Wed Mar 13, 2019 5:36 pm

I think there is a lot of confusion what "reset configuration" do, this command wipes all '''configuration''' and thats it. It does not rely on script that you are talking about.
"Reset configuration" also has nothing to do with clearing linux file system, it is called "reset configuration" for a reason not "reset filesystem" etc.

Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1544
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Statement on Vault 7 document release

Wed Mar 13, 2019 9:28 pm

I think there is a lot of confusion what "reset configuration" do, this command wipes all '''configuration''' and thats it. It does not rely on script that you are talking about.
"Reset configuration" also has nothing to do with clearing linux file system, it is called "reset configuration" for a reason not "reset filesystem" etc.

Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.
Yes , I agree re: Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.

Netinstall is the only way to be sure your system is back to 100 percent factory file-systems. It wipes the file-system then re-installs the file-system.
 
mada3k
Forum Veteran
Forum Veteran
Posts: 739
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Statement on Vault 7 document release

Thu Mar 14, 2019 9:57 am

And thats unfortunately a security flaw itself. Preferably the whole system should be replaced on update, but at least the the complete startup-chain (kernel -> init -> rc etc..)

Netinstall is not always possible. Can be very remote or hard to reach devices.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7169
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Statement on Vault 7 document release

Thu Mar 14, 2019 10:01 am

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Statement on Vault 7 document release

Thu Mar 14, 2019 2:03 pm

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand :-)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Statement on Vault 7 document release

Fri Mar 15, 2019 11:57 am

And thats unfortunately a security flaw itself. Preferably the whole system should be replaced on update, but at least the the complete startup-chain (kernel -> init -> rc etc..)

Netinstall is not always possible. Can be very remote or hard to reach devices.
If your system is compromised, then running update/reset/etc scripts inside it is insecure by default. Nothing stops malware from changing back necessary files after the "reset". So to be sure you must use clean system for those actions. That's what NetInstall does. It doesn't use any files (well, License...) from your current install.
 
mada3k
Forum Veteran
Forum Veteran
Posts: 739
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Statement on Vault 7 document release

Fri Mar 15, 2019 2:51 pm

I wasn't asking for an explanation of netinstall.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2942
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Statement on Vault 7 document release

Fri Mar 15, 2019 3:08 pm

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand :-)
For some "<>" should be used :)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Statement on Vault 7 document release

Sat Mar 16, 2019 9:44 am

I wasn't asking for an explanation of netinstall.
Please read thoroughly. It was explaination why there can't be any reliable option other than NetInstall.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Statement on Vault 7 document release

Tue Mar 19, 2019 3:55 pm

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand :-)
Funniest post I have seen in awhile. Thanks for the levity.
If there are any more questions on the subject of this thread and the historical perspective the latest MUM in Vienna had a great deep dive into what has transpired over the past couple of years. Highly recommended!! (and we are still seeing people posting with 6.32 firmwares....... arggggggg)

https://www.youtube.com/watch?v=3aEyqdz7awE
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Statement on Vault 7 document release

Tue Mar 19, 2019 6:44 pm

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?
 
User avatar
tomaskir
Trainer
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Statement on Vault 7 document release

Thu Mar 21, 2019 3:18 pm

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Statement on Vault 7 document release

Thu Mar 21, 2019 4:06 pm

So its unanimous use unimus? ;-)
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Statement on Vault 7 document release

Thu Mar 21, 2019 5:14 pm

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.
Thanks for the suggestion. Also, great talk!

I was wondering more about how it is actually done, rather than using a 3rd party service/software.
In the case of Unimus, does it periodically connect to the router and does a full export and produces the diffs you mentioned?
 
User avatar
tomaskir
Trainer
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Statement on Vault 7 document release

Thu Mar 21, 2019 5:23 pm

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.
Thanks for the suggestion. Also, great talk!

I was wondering more about how it is actually done, rather than using a 3rd party service/software.
In the case of Unimus, does it periodically connect to the router and does a full export and produces the diffs you mentioned?
For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact".
After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.).

Parse the config, check if anything changed against last retrieved config.
If a change is detected, build a diff, and render a full graphical HTML email with the diff.
Send email to configured notification contacts.

That is how Unimus does it, I can't speak to other NCM systems.
Last edited by tomaskir on Thu Mar 21, 2019 8:49 pm, edited 1 time in total.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Statement on Vault 7 document release

Thu Mar 21, 2019 5:58 pm

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact".
After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.).

Parse the config, check if anything changed against last retrieved config.
If a change is detected, build a diff, and render a full graphical HTML email with the diff.
Send email to configured notification contacts.

That is how Unimus does it, I can't speak to other NMC systems.
Thanks for the explanation :)
 
User avatar
dynek
Member Candidate
Member Candidate
Posts: 223
Joined: Tue Jan 21, 2014 10:03 pm

Re: Statement on Vault 7 document release

Fri Mar 22, 2019 9:55 am

How is that different from /exporting the configuration and git it ?
Then compare different commits?

Cause the video on their homepage just looks like it.
 
User avatar
tomaskir
Trainer
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Statement on Vault 7 document release

Fri Mar 22, 2019 1:57 pm

How is that different from /exporting the configuration and git it ?
Then compare different commits?

Cause the video on their homepage just looks like it.
The difference is you don't have to do it all by yourself.

You would have to script config retrieval, handle all the edgecases and have proper error-handling, and for a network of any large-scale, you scripts will not scale easily.
Then you would have to do git hooks and other funky things to ignore all the dynamic stuff, and figure out if there was actually a change to the config.
Not to mention, to get change notifications, you would have to write something yourself again that generates graphical diffs out of GIT and renders them to HTML / notification of choice.

The point of config change notifications is that it's a notification.
If you have to watch GIT every day/hour to see if anything in your network changed... that defeats the point.
Not to mention it's just about impossible when we are talking about hundreds or thousands of routers.

All of this is doable by yourself if you want.
It will however cost you a bunch of time.

As with everything, it is up to you if you want to spend your time, or buy a solution (like Unimus, or another NCM system) that already works out-of-the-box.
But a proper NCM system does much more than just backups - you can automate RouterOS upgrades, or any other config push across network, config auditing, etc.

NOTE:
This topic should really not be used for this discussion.
We should keep the discussion here on Vault 7 :)

Who is online

Users browsing this forum: mantouboji and 3 guests