
 
msatter
Forum Veteran
Posts: 853
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 9:18 pm

v6.42.1 and v6.43rc4 have been released! They fix the vulnerability.

Bugfix coming soon as well.
hi Normis,

Is the bugfix-only release 6.40.7 what we need to use for the breach fix?
Even with the fix in place you will still have to implement the limiting of access to the router. See the first posting of this thread.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43RC45 / Winbox 3.16 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
msatter
Forum Veteran
Posts: 853
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 9:22 pm

Is it enough to change the winbox port and password?
Not if they can just request that new user and password, because the vulnerability is still there. Also limit access as described in the first posting in this thread.
 
scob
just joined
Posts: 2
Joined: Thu Oct 26, 2017 6:48 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 9:54 pm

OK, so it seems that proper firewall rules, dropping winbox and ssh connections from outside my trusted network, save me for now from a big f*up?
 
anav
Forum Veteran
Posts: 711
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 10:49 pm

OK, so it seems that proper firewall rules, dropping winbox and ssh connections from outside my trusted network, save me for now from a big f*up?
Not necessarily. If you had left your router open previously, how do you know your device is not full of crapware? In other words, the correct thing to do, if the router was wide open previously, is some sort of reset to defaults PLUS PLUS. MikroTik SHOULD PUBLISH a how-to to scrub the unit clean so it gets rid of whatever that virus planted, or send you a new unit.
 
chechito
Forum Guru
Posts: 1567
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 10:51 pm

still waiting for the bugfix only update
 
mkx
Member
Posts: 377
Joined: Thu Mar 03, 2016 10:23 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:05 pm

MikroTik SHOULD PUBLISH a how-to to scrub the unit clean so it gets rid of whatever that virus planted, or send you a new unit.
netinstall without previous configuration ....
BR,
Metod
 
macsrwe
Long time Member
Posts: 613
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:13 pm

Hello, please tell me how I will update my 3000 MikroTiks again quickly and easily; this is already the second time that this happens ...
The critical need is to update the ones that directly touch external gateways. Routers within your own network are much less at risk (assuming you don't serve an unusually vicious territory).
 
ploquets
Member Candidate
Posts: 111
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:24 pm

still waiting for the bugfix only update
Same here.
 
macsrwe
Long time Member
Posts: 613
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:24 pm

MikroTik SHOULD PUBLISH a how-to to scrub the unit clean so it gets rid of whatever that virus planted, or send you a new unit.
netinstall without previous configuration ....
This is not acceptable. Netinstall requires local travel to each individual router. Also, many routers are already installed in hard-to-access locations, such as towers and customer premises.
 
freemannnn
Long time Member
Posts: 605
Joined: Sun Oct 13, 2013 7:29 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:36 pm

still waiting for the bugfix only update
Same here.
Me too
 
pe1chl
Forum Guru
Posts: 4566
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:42 pm

This is not acceptable. Netinstall requires local travel to each individual router. Also, many routers are already installed in hard-to-access locations, such as towers and customer premises.
Then what do you consider acceptable? A way to wipe the entire router erasing all traces of previous actions, but keeping the current configuration? Weird...
 
chechito
Forum Guru
Posts: 1567
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 11:46 pm

Hello, please tell me how I will update my 3000 MikroTiks again quickly and easily; this is already the second time that this happens ...
Use the Dude to manage and monitor your MikroTik routers.
 
onnoossendrijver
Member
Posts: 415
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:15 am

Hello, please tell me how I will update my 3000 MikroTiks again quickly and easily; this is already the second time that this happens ...
If you know how to manage 3000 devices you must have heard of The Dude or expect scripting.
At work we use expect scripting to automate a lot of networking related tasks.
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
anav
Forum Veteran
Posts: 711
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:22 am

I am too new to have discovered or researched netinstall or the Dude. I did buy and install an SD card, which I believe is needed for the Dude.......
That's fine if there is a way, but I would expect MIKROTIK to publish a specific how-to for this episode.
 
BRMateus2
newbie
Posts: 40
Joined: Thu Oct 26, 2017 11:18 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:24 am

So how do you expect to secure 3000 routers without even reading MikroTik Documentation which is way smaller than the C++17 release specification??
 
neticted
Member Candidate
Posts: 111
Joined: Wed Jan 04, 2012 10:36 am

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:56 am

If I understood correctly, Mikrotik keeps user passwords in a file in open form, not encrypted?!?!?!?!
 
andressis2k
Member Candidate
Posts: 103
Joined: Mon Apr 18, 2011 12:47 am

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 1:19 am

If I understood correctly, Mikrotik keeps user passwords in a file in open form, not encrypted?!?!?!?!
Yes it is.
(and this bugfix doesn't solve it)
 
macsrwe
Long time Member
Posts: 613
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 2:22 am

This is not acceptable. Netinstall requires local travel to each individual router. Also, many routers are already installed in hard-to-access locations, such as towers and customer premises.
Then what do you consider acceptable? A way to wipe the entire router erasing all traces of previous actions, but keeping the current configuration? Weird...
A previous exploit was closed with a release that ran a tool that sought out and destroyed files that were not supposed to be in the ROS image. That's a fair solution.

I can also envision a tool that allows a router to reboot from something you might think of as a predefined virgin netinstall image. As long as there is a way to set the default radio behavior so it would reconnect to its tower, everything else could be managed via ROMON.

But driving out to every router in a 220-square-mile territory, and making appointments to enter 400 homes to access their ethernet cables, is a non-starter.
 
chechito
Forum Guru
Posts: 1567
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 4:10 am

still waiting for the bugfix only update
Same here.
Me too
still waiting ...
 
Lukasz032
just joined
Posts: 4
Joined: Tue Apr 29, 2014 4:31 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 7:50 am

If I understood correctly, Mikrotik keeps user passwords in a file in open form, not encrypted?!?!?!?!
Yes it is.
(and this bugfix doesn't solve it)
Nope. Passwords are encrypted, but using symmetric (a.k.a. reversible) encryption. And there is a pretty big reason for that: Winbox "secure mode" uses CHAP for authentication. CHAP requires the server to know the correct user input in order to derive hashes for confirmation. (TMK MT doesn't use MSCHAPv2 for some patent reasons inside the USA, and PAP authentication is not secure in transit. They also can't use a proprietary protocol because of SSO login / RADIUS integration.)

Clue: attackers can compromise only the local user database, so if you make a local admin account "emergency-only" and active only for the reserved IP address (after a VPN or something like that), and every normal admin is authenticated through RADIUS SSO, their accounts are 100% secure (provided they aren't using trivial passwords) ;)
 
routik
Member Candidate
Posts: 105
Joined: Wed Oct 14, 2009 5:40 pm
Location: Abuja-Nigeria

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 8:43 am

Can changing the service port resolve the problem?
The problem with allow-from is that we do not always have a static IP address.
A suggestion could be that the field accept DNS names, or allow reading from an address list.

You may consider using a VPN (PPTP/OpenVPN) to access your router and set a firewall rule to allow only the IP of the VPN server.
I enjoy building wireless network with @Mikrotik
 
normis
MikroTik Support
Topic Author
Posts: 23344
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 8:48 am

Sorry for my English. Let's say the files save.sh and dnstest hit the router. By changing the password and limiting access from outside through winbox, is there a guarantee that there will be no outgoing connection from my infected router and that the new password will not be transferred to the attackers in this way?
No. Outgoing connections are not limited that much, or even not at all, by the default rules.
You have to clean or restore before hooking the router to the wild wide west (internet), and don't forget to learn from and implement the tips given in the first posting of this thread.
No. These files were found in the RouterOS files directory. You can't run binaries or scripts from there. It seems the attacker thought he would copy them inside the RouterOS system to run them, but failed to do so. You can even see inside the script that there are actions that were supposed to be done, but obviously failed (like the deletion of these files).

When a previously discovered vulnerability was fixed, we closed any options to run scripts and copy files inside other directories. This is why in this case the attacker has uploaded something to the RouterOS Files folder (like you can also), but has failed to do anything else.
No answer to your question? How to write posts
 
markrobo
just joined
Posts: 6
Joined: Tue Sep 26, 2017 10:29 am

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 9:28 am

Well, this is really embarrassing; my enthusiasm for MikroTik is fading due to these few recent vulnerabilities and attacks.

Security must be the top priority of a vendor this size; we are not in the 90's anymore.
You could have set up at least a few honeypot routers and tied them to some SIEM software so you could have deeper info when an attack is happening; people have this at their homes nowadays.

Kind regards,
Robo
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 9:29 am

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting the blame onto users... what else are we supposed to use for remote management?
Why would you let everyone have possible access to your router?
EVERY router needs to be secured. You would not want anyone controlling your Cisco router, so why would you allow that on any other type of router?
If you want management access, get a secure IP range or some fixed IPs which you control and deem secure, and manage from there. Like you would with any platform.
Securing your router is YOUR responsibility, not the manufacturer's. Granted that they have to make sure the platform is secure, but leaving everything open because you *think* it is secure is your own fault if you're hacked then.

Just my $0,02
 
zajadacz
just joined
Posts: 16
Joined: Fri Jul 29, 2016 12:30 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 9:46 am

Well, this is really embarrassing; my enthusiasm for MikroTik is fading due to these few recent vulnerabilities and attacks.
Use Ubiquiti instead :lol: Then you will have huge security problems and vulnerabilities. In the last two years they had very serious problems with attacks (with one, our network was seriously affected). If you properly configure the firewall on MikroTik it is very safe.
 
doneware
Trainer
Posts: 418
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 10:26 am

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting the blame onto users... what else are we supposed to use for remote management?
True indeed, but you shall not use winbox anyway. Stuff that just downloads DLLs from a remote device (it did for quite a long time) always scared the sht out of me.
#TR0359
 
normis
MikroTik Support
Topic Author
Posts: 23344
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 10:45 am

1. No. RouterOS user passwords are not stored in plain text, but anything can be decrypted with enough effort. We will now make this much harder to do.
2. Even if your device has other firewalls, if you have management access open to the world, yes, this still means unprotected.
 
pe1chl
Forum Guru
Posts: 4566
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 10:55 am

True indeed, but you shall not use winbox anyway. Stuff that just downloads DLLs from a remote device (it did for quite a long time) always scared the sht out of me.
Winbox should be merged with WebFig, everything in javascript and executed in a browser sandbox on the client.
But at the moment, the priorities are probably different.

There has to be privilege separation on the router. The service running on the router for winbox/webfig should not run with root permissions and it should not have access to things like user/password files, no write access to software storage locations, etc.
All accesses to those spaces should be via small and well-audited programs similar to "login", "sudo", "passwd" etc.
 
dgnevans
Member
Posts: 463
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 10:57 am

When can we expect the fixed BUGFIX? Still waiting on that.
 
macsrwe
Long time Member
Posts: 613
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:07 pm

6.42.1 is "newer" than 6.42rcNN, right? It's an upgrade, not a downgrade?
 
normis
MikroTik Support
Topic Author
Posts: 23344
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:09 pm

6.42.1 is "newer" than 6.42rcNN, right? It's an upgrade, not a downgrade?
Yes, of course. We also have 6.43rc, don't mix those up.

Versions with FIX are the following:

6.42.1 (released)
6.43rc4 (released)
6.40.8 bugfix (released)


Firewall for Winbox port also protects your device, even with older versions.
 
notToNew
Member Candidate
Posts: 125
Joined: Fri Feb 19, 2016 3:15 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:29 pm

6.40.8 is released, just updated!
--------------------------------------------------------------------------------------------
CCR1036-12G-4S, several 952Ui-5ac2nD, ...
 
Raf
Member Candidate
Posts: 169
Joined: Thu May 07, 2009 4:26 pm
Location: Olesnica, Poland

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:32 pm

@MT devs: I'd love to see new feature/button in Winbox (in wireless > registration table) which would mass upgrade all clients currently connected to AP to (let's say) latest version from current channel.
Rafał Wójcik from AWB-NET
High Definition enthusiast
 
Joe1vm
just joined
Posts: 20
Joined: Sat Apr 06, 2013 4:07 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:36 pm

6.42.1 is "newer" than 6.42rcNN, right? It's an upgrade, not a downgrade?
Yes, of course. We also have 6.43rc, don't mix those up.

Versions with FIX are the following:

6.42.1 (released)
6.43rc4 (released)
6.40.8 bugfix (release coming today)


Firewall for Winbox port also protects your device, even with older versions.
Maybe some will not agree with me, but I appreciate the speed of action: the guide on how to minimize the risks within 36 hours (over the weekend) after the first info popped up, and the new release with the fix within one working day.
Thank you, normis.
 
9wYDY
just joined
Posts: 4
Joined: Fri Feb 26, 2016 3:28 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 12:51 pm

Hi,
should I also upgrade firmware or just RouterOS is enough?
 
macsrwe
Long time Member
Posts: 613
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 1:04 pm

@MT devs: I'd love to see new feature/button in Winbox (in wireless > registration table) which would mass upgrade all clients currently connected to AP to (let's say) latest version from current channel.
Not likely to get added to Winbox, as it's already in Dude.
 
parscon
newbie
Posts: 32
Joined: Mon Dec 02, 2013 4:17 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 1:10 pm

My router, after the upgrade, restarts and restarts and restarts and ... What must I do? I have a CCR1036-12G-4S.
 
WirtelPL
newbie
Posts: 29
Joined: Sat Nov 11, 2017 11:22 am
Location: Poland

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 1:11 pm

Hi,
should I also upgrade firmware or just RouterOS is enough?

Yes, new firmware brings better performance.
RB951G-2HnD for home production
RBmAP2nD | RB952Ui-5ac2nD-TC for home lab
 
pe1chl
Forum Guru
Posts: 4566
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 1:12 pm

Hi,
should I also upgrade firmware or just RouterOS is enough?
As you have not done that for a long time, it is a good idea to upgrade it.
However, I question the need for updating the firmware with each and every RouterOS update (requiring an extra reboot).
 
Raf
Member Candidate
Posts: 169
Joined: Thu May 07, 2009 4:26 pm
Location: Olesnica, Poland

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 1:22 pm

@MT devs: I'd love to see new feature/button in Winbox (in wireless > registration table) which would mass upgrade all clients currently connected to AP to (let's say) latest version from current channel.
Not likely to get added to Winbox, as it's already in Dude.
But you have to add all clients on the map as devices?
 
stam
just joined
Posts: 21
Joined: Mon May 16, 2011 11:36 am

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 2:16 pm

Well, this is really embarrassing; my enthusiasm for MikroTik is fading due to these few recent vulnerabilities and attacks.
Disappointment, the only word I can think of right now.
Brute-force prevention rules, port scanning rules... are useless if the front door is wide open.
 
omidkosari
Trainer
Posts: 609
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 2:25 pm

Warning: don't forget IPv6 if it is enabled on your router.
You must also create rules in
/ipv6 firewall filter
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
dada
Member Candidate
Posts: 243
Joined: Tue Feb 21, 2006 1:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 2:28 pm

Hi,

Another report and still the same attack IP 103.1.221.39. Does the attacker really send these probes from the same IP? Or is it some bug in RouterOS logging an improper source IP?
 
eddieb
Frequent Visitor
Posts: 66
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 2:29 pm

always blame the knife if you cut yourself ...
 
doneware
Trainer
Posts: 418
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 2:40 pm

Just to bust some myths, I re-did the connection to a device that doesn't have any firewall input filter protection for the winbox port, but only the "allowed-address" type filtering in /ip service. Some claim that it is possible to extract information from the device this way. It seems it isn't.

Whenever a TCP SYN is sent to the device from a source address that is not listed in the "allowed-address" field of ip service, the device responds with a TCP reset (RST, ACK). That is, no TCP connection is established. TCP RST messages do not have payload.
All in all, I suppose the address filtering is taking place "service independent", like a set of auto-generated invisible firewall rules with "reject" action, or using TCP wrappers.

Capture screenshot attached.

Long story short: ip services address restriction is OK.
Additional message: nowadays no network segment can be treated as "secure" :-)
 
Muqatil
Trainer
Posts: 567
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 3:01 pm

Thanks for checking and reporting to us @doneware. Much appreciated.
Renato Bernardi

skype: medtech5
 
mrz
MikroTik Support
Posts: 5588
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 3:03 pm

The only difference between the firewall access restriction and the ip service access restriction is that the latter accepts the connection and, if the source address does not match the allowed list, closes it. The firewall drops starting from the first SYN packet.
 
msatter
Forum Veteran
Posts: 853
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 3:07 pm

Just to bust some myths, I re-did the connection to a device that doesn't have any firewall input filter protection for the winbox port, but only the "allowed-address" type filtering in /ip service. Some claim that it is possible to extract information from the device this way. It seems it isn't.

Whenever a TCP SYN is sent to the device from a source address that is not listed in the "allowed-address" field of ip service, the device responds with a TCP reset (RST, ACK). That is, no TCP connection is established. TCP RST messages do not have payload.
All in all, I suppose the address filtering is taking place "service independent", like a set of auto-generated invisible firewall rules with "reject" action, or using TCP wrappers.

Capture screenshot attached.

Long story short: ip services address restriction is OK.
Additional message: nowadays no network segment can be treated as "secure" :-)
But the intruder can also sit inside your network. What if the intruder connects in with the MAC address/Neighbors service? There is no filtering possible on that.
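The layered restriction these posts compare (firewall drop at the first SYN, the /ip service allowed-address as a second layer, the same on IPv6 as omidkosari reminds, and the MAC/neighbour paths msatter raises), written out as RouterOS CLI configuration. This is an added example, not configuration from the thread or from MikroTik; the address ranges, the address-list names and the interface list "LAN" are placeholders, and the interface-list syntax assumes RouterOS 6.41 or later.

```routeros
# Added example (not from this thread). Placeholders: 192.0.2.0/24,
# 2001:db8:1::/64 and the interface list "LAN"; substitute your own.

# Trusted management sources, IPv4 and IPv6
/ip firewall address-list add list=mgmt-allowed address=192.0.2.0/24 comment="management hosts"
/ipv6 firewall address-list add list=mgmt-allowed6 address=2001:db8:1::/64 comment="management hosts"

# Layer 1: firewall. An untrusted peer is dropped on the first SYN and
# never gets a TCP connection, which is the difference mrz describes.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt-allowed action=accept comment="winbox from trusted hosts"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop comment="winbox from anywhere else"
# Same rules on IPv6: an IPv4-only filter leaves the port reachable over IPv6.
/ipv6 firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt-allowed6 action=accept comment="winbox from trusted hosts"
/ipv6 firewall filter add chain=input protocol=tcp dst-port=8291 action=drop comment="winbox from anywhere else"

# Layer 2: service-level allowed-address. Here the connection is accepted
# and then closed (RST) when the source is not listed, so keep the firewall
# rules above as the primary control; this only backstops ordering mistakes.
/ip service set winbox address=192.0.2.0/24,2001:db8:1::/64

# Layer 3: MAC-level Winbox/Telnet and neighbour discovery bypass IP
# filtering (msatter's point), so bind them to the LAN interface list only.
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
```

The filter rules are appended to the end of the input chain, so check with `/ip firewall filter print` that no broader accept rule precedes them.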
 
limaunion
just joined
Posts: 14
Joined: Sun Sep 03, 2017 5:51 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 3:20 pm

Hi, just to clearly understand, and according to the OP that said 'RouterOS user database security will be hardened, and deciphering will no longer be possible in the same manner.', does the patched release already include that feature ?
TIA
 
normis
MikroTik Support
Topic Author
Posts: 23344
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Tue Apr 24, 2018 3:25 pm

Hi, just to clearly understand, and according to the OP that said 'RouterOS user database security will be hardened, and deciphering will no longer be possible in the same manner.', does the patched release already include that feature ?
TIA
It is a work in progress, it will take a while (weeks, possibly). Many programs need to be changed.