Statement on Vault 7 document release

alexjhart · Fri Mar 10, 2017 5:44 pm

Have Mikrotik reached out to Wikileaks
Yes, but as you can imagine, all the big tech companies are probably doing the same.

Normis, when you say you are reaching out to them, does this mean it has only been a one-way effort so far, or have you made two-way contact with them as other tech companies have (http://abcnews.go.com/Technology/wireSt ... g-46017600)?

Sun Mar 12, 2017 6:55 pm

Hotspot is NOT affected by the vulnerability described in the Vault 7 leaks published on March 7.

What about SSTP? (I suddenly recalled SSTP uses HTTPS tunneling).

Sun Mar 12, 2017 8:14 pm

Aren't you mixing port with protocol?

Sun Mar 12, 2017 9:01 pm

Aren't you mixing port with protocol?

Nope. SSTP really tunnels traffic atop HTTPS. I don't know if it is possible to serve both SSL-protected WebFig and SSTP on the same IP simultaneously, but in case it is something should split the traffic, and that something may as well be vulnerable.

Sun Mar 12, 2017 9:52 pm

I used to run sstp tunnels on port 444 leaving 443 for https webfig until I moved from sstp to l2tp because of the udp. So definitely you can run both sstp and https in parallel.

Sob · Sun Mar 12, 2017 10:48 pm

I guess andriys meant also the same port. Which current RouterOS does not allow, but it should be technically possible.

Mon Mar 13, 2017 10:32 am

Protocol and port has no relation to the published vulnerability. The vulnerability is specifically in the www server part, regardless of port used. SSTP is not affected.

bigcw · Mon Mar 13, 2017 1:31 pm

Normis would you kindly comment on the following:

- If the http port is not firewalled but is locked down by access list is the system still vulnerable to attack from an IP other than those on the ACL?

- Is https affected? So far only http has been mentioned.

Thanks, Chris

Mon Mar 13, 2017 1:47 pm

1. If the firewall prohibits opening the Webfig in the browser from an address, the server is safe
2. The vulnerability was in the server, regardless of protocol or port. If you could open Webfig, you could be vulnerable

bigcw · Mon Mar 13, 2017 1:55 pm

1. If the firewall prohibits opening the Webfig in the browser from an address, the server is safe

This does not answer the question. Does the ACL prevent access sufficiently to prevent the attack being possible or is it critical that the firewall is used?

[chris@bacon ~]$ curl -vvv https://x.x.x.x
* About to connect() to x.x.x.x port 443 (#0)
*   Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

^^ the above is a connection attempt from an IP not in the ACL. As you can see, a connection is opened but SSL fails. Is this sufficient to protect the router?

2. The vulnerability was in the server, regardless of protocol or port. If you could open Webfig, you could be vulnerable

Thank you. I will assume https is vulnerable too.

Mon Mar 13, 2017 2:09 pm

What kind of ACL do you mean? Proper firewall will drop all connections, and will not allow the IP to try to negotiate SSL connections.

I always mean firewall, and have answered this many times above already. Firewall will protect you, if you cannot open Webfig.
No matter what ACL you have implemented. Open the Webfig address. If you see Webfig, your ACL is not working. If you don't, you are safe from the exploit.

bigcw · Mon Mar 13, 2017 2:24 pm

What kind of ACL do you mean? Proper firewall will drop all connections, and will not allow the IP to try to negotiate SSL connections

I am referring to 'address' (called 'available from' in webfig) at /ip service.

Can you please state for the record whether routers are vulnerable to attack from an IP which is not listed in this ACL.

Also I have another question which I think is relevant. We have connection tracking set to 'auto' as such:

[admin@XXXXXX] /ip firewall connection tracking> print
                   enabled: auto
...

Will adding a drop rule to the firewall switch connection tracking on? We are concerned about the performance impact this may have on heavily loaded routers*.

Chris

*by heavily loaded I mean CCR1036's running several gigabits per second 24/7

Mon Mar 13, 2017 2:35 pm

Can you please state for the record whether routers are vulnerable to attack from an IP which is not listed in this ACL.

the "available-from" setting works slightly different than a firewall drop rule, but will still protect you from an attack described in the vault7 documents. Even if there was an attempt for an SSL connection, it was dropped way before the exploit was possible. TLDR: yes you are still safe.

Mon Mar 13, 2017 2:39 pm

In more detail:

* About to connect() to x.x.x.x port 443 (#0)
*  Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)

Your device initiated a connection, and received ACK. That's all. RouterOS closed connection and did not communicate any further.
This part is what your device is attempting (and failing):

* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error

bigcw · Mon Mar 13, 2017 2:42 pm

That is exactly the confirmation I was looking for. Thanks.

Chris

smytht · Thu Mar 16, 2017 1:01 am

Hi,

It would be nice if Mikrotik can take some proactive steps. For example IOS/Junos devices has proper shell in devices, and as sysadmin i can inspect system integrity easily, including taking storage/filesystem dumps over dd, checksums for all filesystem files and etc, and i can run also scripts to check for changes over time.
With mikrotik i am totally blind, if someone plant in device backdoor, as they state in document - they dont need even to bother to hide it, it will reflect only on memory consumption, which is not reliable method at all to detect malware. And even Mikrotik will(and as far as i remember there is some) implement their own integrity check, be sure, they will find way around it, so vendor should provide a way for customer to implement integrity verification over several ways, as it more "raw" - it's better (more ways to detect it).

P.S. Please take appropriate steps with recursive DNS server. It is matter of time someone will open this subject, but lack of ACL and/or easiness of putting "allow all", together with lack of any default defensive methods (throttling of specific abusive requests) making Mikrotik units as a top dns amplification DDoS source.
For example severely throttling ips doing identical requests, requests with large answers and etc.

+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.

bigcw · Sat Mar 18, 2017 12:13 am

+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.

As I understand it, if you want a shell on Mikrotik, wait for the code mentioned in vault7 to be released. That seems to do exactly what you want!

fathhi2022 · Sat Apr 15, 2017 7:09 am

Hello,

The microtik system has been compromised by a security vulnerability in the system and many networks have been hijacked and money has been claimed to restore them

There are hundreds of Yemeni network officials serving thousands of customers in Yemen
You can help us find solutions to this problem. We are very dissatisfied, or we will use an alternative system

This is the only video uploaded by the hacker
https://www.youtube.com/watch?v=e19wz5G ... ture=share

As well as the existence of many images of some networks that hacked on Facebook

https://www.facebook.com/kerrar.masik

we are waiting
Thanks,
MikroTik Support

Sat Apr 15, 2017 8:29 am

viewtopic.php?t=120753

notToNew · Wed May 03, 2017 9:49 am

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.
Will you please also release a fix for 6.36.4 as it is the only version which works with my wireless-devices?
The fix for your wireless issue is fixed in 6.38.5 as well

*) wireless - improved compatibility with Intel 2200BG wireless card;

Thank you, tested this on 50+ Devices and: it works, thank you!
Even non Intel Webcams which had problems work now!

Fri Sep 22, 2017 4:01 am

+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.
As I understand it, if you want a shell on Mikrotik, wait for the code mentioned in vault7 to be released. That seems to do exactly what you want!

With many various older versions of Linux, BSD & Unix , I have personally seen and experienced several different services attacked which crashed that TCP/IP service and dumps the attacker out into a shell. There have been hundreds of service buffer-exploits which drop you into a shell - or starts running a embedded program that was injected into the buffer-exploit attack.

North Idaho Tom Jones

Fri Sep 22, 2017 8:53 am

It is worth noting, that we never saw the release of any proof in these claims, let alone the tools mentioned. After a thorough code review, we could not find anything hinting to the described issues.

Fri Dec 14, 2018 7:51 pm

It is worth noting, that we never saw the release of any proof in these claims, let alone the tools mentioned. After a thorough code review, we could not find anything hinting to the described issues.

Well , related to this , I did have some older Mikrotiks on some public IP networks that I could no longer log into because somehow the admin password got changed. The few affected Mikrotiks had no firewall configuration , older ROS versions but did have strong passwords. I also discovered the network scanning software I started using was able to show the admin passwords on all Mikrotik devices using older ROS versions that also did not have a firewall configuration. One of the effected systems was an X86 ROS system - and I was able to confirm the file system had some additional roague files installed on it. I was able to verify this by mounting the effected X86 ROS system as a mount point on an Ubuntu Linux system.

Now knowing this , I now always use firewall configurations and newer ROS versions for everything. A good network admin should never build/confugue a network device then ignore it for-ever after !

mada3k · Wed Mar 13, 2019 11:45 am

I'm not sure if this is still the case, but:

While I agree that a Mikrotik is "secure" by default (ships with firewall enabled and so on) and other vendors gets their exploits as well. Many vendors have their software contained in a single image file (e.g like Cisco, Juniper) that becomes replaced when updating the device. For what I understand RouterOS just appends updated files over old ones, opening the possibility for persistent root-kits (until modified files is replaced).

Wed Mar 13, 2019 5:28 pm

I'm not sure if this is still the case, but:

While I agree that a Mikrotik is "secure" by default (ships with firewall enabled and so on) and other vendors gets their exploits as well. Many vendors have their software contained in a single image file (e.g like Cisco, Juniper) that becomes replaced when updating the device. For what I understand RouterOS just appends updated files over old ones, opening the possibility for persistent root-kits (until modified files is replaced).

YUP - also … One time I took a look at the Reset-to-Factory-Defaults script inside of the ROS file system. If I am correct , when you run this script , it only clears some configurations and that it does not actually restore the entire file system. Thus I believe it is possible for a modified file or new file in the ROS (Linux) file system to not be cleared/reset to a new factory install set of files even when Restore-to-Factory-Defaults has been executed.

Wed Mar 13, 2019 5:36 pm

I think there is a lot of confusion what "reset configuration" do, this command wipes all '''configuration''' and thats it. It does not rely on script that you are talking about.
"Reset configuration" also has nothing to do with clearing linux file system, it is called "reset configuration" for a reason not "reset filesystem" etc.

Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.

Wed Mar 13, 2019 9:28 pm

I think there is a lot of confusion what "reset configuration" do, this command wipes all '''configuration''' and thats it. It does not rely on script that you are talking about.
"Reset configuration" also has nothing to do with clearing linux file system, it is called "reset configuration" for a reason not "reset filesystem" etc.

Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.

Yes , I agree re: Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.

Netinstall is the only way to be sure your system is back to 100 percent factory file-systems. It wipes the file-system then re-installs the file-system.

mada3k · Thu Mar 14, 2019 9:57 am

And thats unfortunately a security flaw itself. Preferably the whole system should be replaced on update, but at least the the complete startup-chain (kernel -> init -> rc etc..)

Netinstall is not always possible. Can be very remote or hard to reach devices.

Thu Mar 14, 2019 10:01 am

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

CZFan · Thu Mar 14, 2019 2:03 pm

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

Chupaka · Fri Mar 15, 2019 11:57 am

And thats unfortunately a security flaw itself. Preferably the whole system should be replaced on update, but at least the the complete startup-chain (kernel -> init -> rc etc..)

Netinstall is not always possible. Can be very remote or hard to reach devices.

If your system is compromised, then running update/reset/etc scripts inside it is insecure by default. Nothing stops malware from changing back necessary files after the "reset". So to be sure you must use clean system for those actions. That's what NetInstall does. It doesn't use any files (well, License...) from your current install.

mada3k · Fri Mar 15, 2019 2:51 pm

I wasn't asking for an explanation of netinstall.

Fri Mar 15, 2019 3:08 pm

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

For some "<>" should be used

Chupaka · Sat Mar 16, 2019 9:44 am

I wasn't asking for an explanation of netinstall.

Please read thoroughly. It was explaination why there can't be any reliable option other than NetInstall.

anav · Tue Mar 19, 2019 3:55 pm

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

Funniest post I have seen in awhile. Thanks for the levity.
If there are any more questions on the subject of this thread and the historical perspective the latest MUM in Vienna had a great deep dive into what has transpired over the past couple of years. Highly recommended!! (and we are still seeing people posting with 6.32 firmwares....... arggggggg)

https://www.youtube.com/watch?v=3aEyqdz7awE

Cha0s · Tue Mar 19, 2019 6:44 pm

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

tomaskir · Thu Mar 21, 2019 3:18 pm

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.

anav · Thu Mar 21, 2019 4:06 pm

So its unanimous use unimus?

Cha0s · Thu Mar 21, 2019 5:14 pm

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.

Thanks for the suggestion. Also, great talk!

I was wondering more about how it is actually done, rather than using a 3rd party service/software.
In the case of Unimus, does it periodically connect to the router and does a full export and produces the diffs you mentioned?

tomaskir · Thu Mar 21, 2019 5:23 pm

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.
Thanks for the suggestion. Also, great talk!

I was wondering more about how it is actually done, rather than using a 3rd party service/software.
In the case of Unimus, does it periodically connect to the router and does a full export and produces the diffs you mentioned?

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact".
After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.).

Parse the config, check if anything changed against last retrieved config.
If a change is detected, build a diff, and render a full graphical HTML email with the diff.
Send email to configured notification contacts.

That is how Unimus does it, I can't speak to other NCM systems.

Cha0s · Thu Mar 21, 2019 5:58 pm

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact".
After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.).

Parse the config, check if anything changed against last retrieved config.
If a change is detected, build a diff, and render a full graphical HTML email with the diff.
Send email to configured notification contacts.

That is how Unimus does it, I can't speak to other NMC systems.

Thanks for the explanation

dynek · Fri Mar 22, 2019 9:55 am

How is that different from /exporting the configuration and git it ?
Then compare different commits?

Cause the video on their homepage just looks like it.

tomaskir · Fri Mar 22, 2019 1:57 pm

How is that different from /exporting the configuration and git it ?
Then compare different commits?

Cause the video on their homepage just looks like it.

The difference is you don't have to do it all by yourself.

You would have to script config retrieval, handle all the edgecases and have proper error-handling, and for a network of any large-scale, you scripts will not scale easily.
Then you would have to do git hooks and other funky things to ignore all the dynamic stuff, and figure out if there was actually a change to the config.
Not to mention, to get change notifications, you would have to write something yourself again that generates graphical diffs out of GIT and renders them to HTML / notification of choice.

The point of config change notifications is that it's a notification.
If you have to watch GIT every day/hour to see if anything in your network changed... that defeats the point.
Not to mention it's just about impossible when we are talking about hundreds or thousands of routers.

All of this is doable by yourself if you want.
It will however cost you a bunch of time.

As with everything, it is up to you if you want to spend your time, or buy a solution (like Unimus, or another NCM system) that already works out-of-the-box.
But a proper NCM system does much more than just backups - you can automate RouterOS upgrades, or any other config push across network, config auditing, etc.

NOTE:
This topic should really not be used for this discussion.
We should keep the discussion here on Vault 7

Who is online