andressis2k
Member Candidate
Posts: 100
Joined: Mon Apr 18, 2011 12:47 am

Re: Advisory: Vulnerability exploiting the Winbox port

Wed Apr 25, 2018 2:31 pm

That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.
No, it isn't the same. "allowed from" allows you to open a socket to that service, and if your src IP address isn't listed, it will close the connection. If the service daemon is vulnerable...
Vulnerable to what? This closing of the connection occurs before any data exchange. It is not an RST reply to the SYN as was suggested by someone else, which would be even better, but it is SYN/SYN ACK/ACK/FIN ACK/FIN ACK/ACK, all without any data being exchanged. There does not appear to be much room for vulnerability exploits.
And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locks
 
pe1chl
Forum Guru
Posts: 4307
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Wed Apr 25, 2018 2:37 pm

And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locks
I advise you to stop using software and go out of the IT business. Really.
 
mrz
MikroTik Support
Posts: 5511
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Wed Apr 25, 2018 2:42 pm

It can be done with one simple firewall rule.
Create an interface list and add
/ip firewall filter add in-interface-list=xx ...
And what if you have disabled conntrack? In a powerful router, we need all the power for routing purposes, and the firewall is downstream of it. Any Linux service can be bound to a specific address / firewall...
You don't need connection tracking for this.
Read the manual for which features connection tracking is necessary
https://wiki.mikrotik.com/wiki/Manual:I ... n_tracking
 
dada
Member Candidate
Posts: 241
Joined: Tue Feb 21, 2006 1:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Wed Apr 25, 2018 2:49 pm

That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.
No, it isn't the same. "allowed from" allows you to open a socket to that service, and if your src IP address isn't listed, it will close the connection. If the service daemon is vulnerable...
Vulnerable to what? This closing of the connection occurs before any data exchange. It is not an RST reply to the SYN as was suggested by someone else, which would be even better, but it is SYN/SYN ACK/ACK/FIN ACK/FIN ACK/ACK, all without any data being exchanged. There does not appear to be much room for vulnerability exploits.
And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locks
Something about TCP connection usage in applications. There are basically these steps which occur in a TCP connection's life:
1) LISTEN phase = application/daemon indicates that it is waiting for a connection
2) ACCEPT phase = a connection is established by a remote and the application is informed that there is a connection in the queue ready to be served. The application calls the 'accept' function on the connection and receives basic information about the remote side (IP address, port). And this is the time when allow-from is checked. If all is OK, step 3) occurs; if not, the connection is closed. It means the application reads no data from the remote but just informs the kernel to close the connection.
3) reading/sending data
4) connection close/terminate

Yes, there is a possibility that some packet type/content can cause the kernel (TCP/IP stack) to go nuts (there were ping of death packets etc.) but the chance that it will allow reading the /etc/passwd file is very low IMHO (I wouldn't like to be wrong). Since there are tons of lines of software which handle the packet delivery (network drivers, TCP/IP stack) before it reaches the firewalling rules, there still is a chance that something wrong can happen.
There is a possibility to upload filtering rules directly to network card (not supported by ROS) but the card is full of potentially badly written software too :-)
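The accept-phase check described in the post above, written out as an added example (this is not code from the thread or from RouterOS, and the function names parse_allowed, is_allowed, serve_one and probe are my own): a minimal loopback TCP service that takes a RouterOS-style comma-separated "address" list, checks the peer address immediately after accept(), and closes the socket without a single recv() when the peer is not allowed, so the rejected client sees a handshake followed by a close and no application data. The probe() helper connects to it and reports what the client got back.

```python
import ipaddress
import socket
import threading


def parse_allowed(spec):
    """Parse a RouterOS-style 'address' list such as "192.168.88.0/24,10.0.0.0/8".

    Assumption (constructed for this example): a bare host like 10.0.0.5 is
    treated as a /32 (or /128 for IPv6), and an empty string means no restriction.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_allowed(peer_ip, allowed_nets):
    """True when peer_ip lies inside any allowed network (or the list is empty)."""
    if not allowed_nets:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed_nets)


def serve_one(listener, allowed_nets):
    """Accept exactly one connection and apply the allow-from check.

    Returns the bytes echoed for an allowed peer, or None when the peer was
    rejected: in that case the socket is closed before any data is read, which
    is the "step 2 fails, skip step 3" path from the post above.
    """
    conn, addr = listener.accept()          # step 2: kernel hands over the connection
    try:
        if not is_allowed(addr[0], allowed_nets):
            return None                     # rejected: close without recv()
        data = conn.recv(1024)              # step 3: only allowed peers reach here
        conn.sendall(data)
        return data
    finally:
        conn.close()                        # step 4


def probe(allowed_spec, payload=b"hello"):
    """Start a loopback listener with the given allow list, connect as a client,
    and return (what the server read, what the client received).

    A rejected client gets b"" back: either a clean FIN, or an RST if its payload
    arrived before the server closed (both mean no application data was read).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))         # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(server=serve_one(listener, parse_allowed(allowed_spec))))
    worker.start()
    client = socket.create_connection(("127.0.0.1", port))
    client.settimeout(5)
    try:
        client.sendall(payload)
        try:
            reply = client.recv(1024)
        except ConnectionResetError:
            reply = b""                     # server closed with our data unread
    finally:
        client.close()
    worker.join(5)
    listener.close()
    return outcome.get("server"), reply


if __name__ == "__main__":
    print("loopback allowed:", probe("127.0.0.0/8"))
    print("loopback rejected:", probe("192.168.88.0/24"))
```

Running it shows the two behaviours side by side: with 127.0.0.0/8 in the list the server reads and echoes the payload; with only 192.168.88.0/24 the server returns None and the client receives nothing, because the connection was closed at the accept stage before any read. The router-side equivalent that blocks even the handshake is the input-chain firewall rule on an interface list that mrz describes.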
 
sergejs
MikroTik Support
Posts: 6607
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Wed Apr 25, 2018 3:09 pm

Please upgrade to 6.40.8 or 6.42.1,
https://mikrotik.com/download
The issue was addressed in both versions,
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;