Community discussions

 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:34 pm


What is happening here is downloading files from a router without the password. Over a port that normally doesn't even allow downloading those files.
I find it hard to believe that this is simply "a bug". There must be base functionality of downloading, and the bug is only that it can be done without authentication.
But the downloading functionality shouldn't even be there in the first place, in the model of "we keep all internals secret and the user can only use the config interfaces and API".
To me, it sounds more like a debugging feature accidentally left enabled, or a requirement from law enforcement they are not allowed to tell us about.

Don't attribute to malice what can be easily explained by incompetence. Even a basic buffer overflow or injection bug can allow full control of any networked device on the planet remotely. Security is hard.

Also, like normis said, it would be irresponsible for the manufacturer themselves to release further details of the exploit without a fix, especially when they themselves only discovered it from their customers (who btw, they have unusually not acknowledged) a few days ago.

The only problem here is a startling lack of defense in depth for security in the very core of RouterOS. The normal security assumption is that outer layers of security can always be penetrated, so further layers need to be present, and are normally even stronger. Instead of a good onion, Mikrotik have a coconut - great outer protection, but once you're in, you're IN.
this still is the device users/maintainers fault imo. THEY should implement basic security and best practices. Don't attribute to the vendor what the user should do.
indeed, newer ros version have some basic firewalling in place to prevent access like this, but still, security is everyone's problem, not only the manufacturer's imo
 
User avatar
oortega
just joined
Posts: 5
Joined: Sat Jan 06, 2018 8:33 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:35 pm

Is it enough by changing the winbox port and password?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23511
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:36 pm

Changing the Winbox port only protects your device from being found. If the attacker finds the new port, he can still gain access.
Firewall and the new RouterOS version is the best way to protect your device.
No answer to your question? How to write posts
 
owndyaa
just joined
Posts: 3
Joined: Wed Jul 22, 2015 9:57 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:39 pm

I just added to input specific src address who can access to winbox. I hope it's enough.
+ Rest input ports will be dropped
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23511
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:43 pm

v6.42.1 and v6.43rc4 have been released! They fix the vulnerability.

Bugfix coming soon as well.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Forum Guru
Posts: 4814
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:50 pm

Don't attribute to malice what can be easily explained by incompetence. Even a basic buffer overflow or injection bug can allow full control of any networked device on the planet remotely. Security is hard.
Incompetence by MikroTik, yes. Recently it was already revealed that the webserver is running as root, now it looks like the same is true for the winbox service.
This really cannot be defended. It has to change.
The only problem here is a startling lack of defense in depth for security in the very core of RouterOS. The normal security assumption is that outer layers of security can always be penetrated, so further layers need to be present, and are normally even stronger. Instead of a good onion, Mikrotik have a coconut - great outer protection, but once you're in, you're IN.
Right. Services running on external ports should not have access to data that is considered secret.
In a standard Linux system, processes running at user privileges cannot access password hashes, and setuid-root programs are used to validate passwords.
That already is considered a weak system with opportunities for attacking those "trusted" programs (which have been proven faulty in the past), but nobody would consider running services as root under Linux. Why does MikroTik still do it?
 
anav
Forum Veteran
Forum Veteran
Posts: 758
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:55 pm

I just added to input specific src address who can access to winbox. I hope it's enough.
+ Rest input ports will be dropped
If one does not have a specific FW rule ALLOWING EXTERNAL to INTERNAL access for the Winbox, then one should not be concerned as the default rules block WAN to LAN traffic, as they do for unsolicited traffic for every port. Nothing wrong for limiting access to WINBOX from the internal network as you have done and readily available in the settings.

I think Normis is saying ensure you have the basic default and recommended FW rules in place, and good practice to limit WINBOX to specific IPs in the internal network and wait for the upcoming firmware update.
If one has been using WINBOX for remote access to the WINBOX, I suggest delete the FW rule allowing this, that had to be specifically made by the admin, and learn VPN for remote access.

I still would like a rolling code type apparatus for the 'intimidated by VPN crowd', as remote can mean from any IP. Consider passwords in such scenarios as vulnerable but a rolling code is only of value for a very short period of time. There are good reasons why industry standard uses them and heck Ive used one for my paypal for at least 10 years.
 
msatter
Forum Veteran
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:56 pm

Here's a simple port-knocking firewall + address list for anyone who wants to implement it in the interim for access to the default winbox port (8291)

First add any custom IP address ranges (known safe networks) you need like so:

/ip firewall address-list add address=123.123.123.123 list=Winbox_Admin comment="Custom";
SNIP
A set of private addresses are added by default so you don't get locked out of your router from internally.
In my posting above. I suggested to Mikrotik to integrate port-knocking in Winbox, Android APP and the router self so that external access is not possible if you don't have the right knock sequence. The sequence can be managed in router and synced to the at that time connected Winbox and Android APP.

If a other session is setup from a Winbox or Android APP that is not synced than the sequence has to be provided by the admin that synced his/her Winbox/APP with that box. The label on the router will only be valid when the router is reset or fresh from the box.

Layered security is needed good. The user database was retrievable and one point of failure made it posible and that was that the user believed that an good password was enough to keep others out. So essential files like the database have to be save even when leaked and an audit has to made to look at other weakpoints of which Mikrotik think that they can't be reached now.

A extra layer(s) of protection of even reaching the control interface of the router have to be implemented so that users who need external access can do that in a save an controlled way.
Password not enough and IP filtering is neglected or not possible due to dynamic source addresses. So an integrated Port-Knocking is in my opinion a good way so that we don't have to go the way of using certificates.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.44Beta17 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
manuelritter
newbie
Posts: 38
Joined: Wed Sep 16, 2009 4:10 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:00 pm

Hi,

virus seems to download binary files (marchdom4.com/mikrotik/x86_64 marchdom4.com/mikrotik/powerpc marchdom4.com/mikrotik/mips)
Anyone knows what these binaries do and are they removed after RouterOS Update?

Kind Regards
Manuel Ritter
 
bmatic
just joined
Posts: 12
Joined: Fri Oct 21, 2016 8:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:02 pm

Just FYI,

in logs I saw login attemps, but they all seems to failed, not one of them is successfull.
You do not have the required permissions to view the files attached to this post.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23511
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:04 pm

Just FYI,

in logs I saw login attemps, but they all seems to failed, not one of them is successfull.
This is from Web. Most likely unrelated.
No answer to your question? How to write posts
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:07 pm

Just FYI,

in logs I saw login attemps, but they all seems to failed, not one of them is successfull.
This is from Web. Most likely unrelated.
but should still be firewalled :)
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:07 pm

Correct me if I'm wrong, but isn't something missing here? Now we know how they got passwords to log in, but what about those files (script and binary) uploaded to router and (probably) executed by RouterOS? Is it some other hidden functionality of WinBox we know nothing about?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23511
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:09 pm

Correct me if I'm wrong, but isn't something missing here? Now we know how they got passwords to log in, but what about those files (script and binary) uploaded to router and (probably) executed by RouterOS? Is it some other hidden functionality of WinBox we know nothing about?
When the tool gets your password, it has full access and installs some kind of tools. This is secondary. Most importantly is to close access to your device so this is impossible.
No answer to your question? How to write posts
 
bmatic
just joined
Posts: 12
Joined: Fri Oct 21, 2016 8:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:15 pm

Just FYI,

in logs I saw login attemps, but they all seems to failed, not one of them is successfull.
This is from Web. Most likely unrelated.
Maybe, but this is strange. Web interface indeed is available from Internet, but I changed default port from 80 to something else, and there was 5 attemps in 2 seconds, possible attack ?
 
User avatar
andressis2k
Member Candidate
Member Candidate
Posts: 103
Joined: Mon Apr 18, 2011 12:47 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:16 pm

Although I understand the decission not to make the vulnerability information public, we need to know if a exposed winbox port with "Available From" address list is vulnerable or not.

We've some devices with disabled conntrack, so we can't protect it by firewall. For now we've completely disabled winbox service.

By the way, as it uses the same user database... can BTest Server be vulnerable? We've also deactivated it in all the routers...

Regards
 
felipehertzer
just joined
Posts: 1
Joined: Mon Apr 23, 2018 4:13 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:16 pm

....
Last edited by felipehertzer on Tue Apr 24, 2018 6:03 am, edited 1 time in total.
 
neoprogger
just joined
Posts: 13
Joined: Tue May 10, 2016 7:55 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:19 pm

Any Informations on how to use this exploit?
I've inherited a wide-range setup with unknown password and resetting will need a crane or something like this :-)
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:20 pm

Just FYI,

in logs I saw login attemps, but they all seems to failed, not one of them is successfull.
This is from Web. Most likely unrelated.
Maybe, but this is strange. Web interface indeed is available from Internet, but I changed default port from 80 to something else, and there was 5 attemps in 2 seconds, possible attack ?
scanning for the new port isn't hard to do.
firewalling that port (and others) will make sure they can't try to brute force it
 
pe1chl
Forum Guru
Forum Guru
Posts: 4814
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 4:28 pm

When the tool gets your password, it has full access and installs some kind of tools.
That is kind of strange, because when I know the password of my router I still cannot install that kind of tools!
So there are multiple faults here.
 
R1CH
Long time Member
Long time Member
Posts: 662
Joined: Sun Oct 01, 2006 11:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:07 pm

Correct me if I'm wrong, but isn't something missing here? Now we know how they got passwords to log in, but what about those files (script and binary) uploaded to router and (probably) executed by RouterOS? Is it some other hidden functionality of WinBox we know nothing about?
When the tool gets your password, it has full access and installs some kind of tools. This is secondary. Most importantly is to close access to your device so this is impossible.
I have the admin password of my own router, how can I upload shell scripts and ELF binaries to be executed?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23511
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:10 pm

Like I said, this issue is secondary. It exists yes.
No answer to your question? How to write posts
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:19 pm

When the tool gets your password, it has full access and installs some kind of tools.
That is kind of strange, because when I know the password of my router I still cannot install that kind of tools!
So there are multiple faults here.
On MT specific hardware and using WINBOX -- winbox -- gains root access and if a vulnerability exists in Winbox code then root access can be had once that code is exploited but no one has yet proven that Winbox has that vulnerability .. so are there multiple faults here ---- like a special provision for Auctoritas?
Last edited by mozerd on Mon Apr 23, 2018 5:27 pm, edited 1 time in total.
 
wispmikrotik
newbie
Posts: 33
Joined: Tue Apr 25, 2017 10:43 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:24 pm

When the tool gets your password, it has full access and installs some kind of tools.
That is kind of strange, because when I know the password of my router I still cannot install that kind of tools!
So there are multiple faults here.
On MT specific hardware and using WINBOX -- winbox -- gains root access and if a vulnerability exists in Winbox code then root access can be had once that code is exploited but no one has yet proven that Winbox has that vulnerability ..
I just installed it again with netinstall ... I do not want hidden visitors in my system....
 
pe1chl
Forum Guru
Forum Guru
Posts: 4814
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:25 pm

Like I said, this issue is secondary. It exists yes.
Is that now fixed in the latest release? Or are we waiting for an exploit for that one once a new way to enter access has been discovered?
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:30 pm

Like I said, this issue is secondary. It exists yes.
Is that now fixed in the latest release? Or are we waiting for an exploit for that one once a new way to enter access has been discovered?
Like a special provision for Auctoritas?
 
R1CH
Long time Member
Long time Member
Posts: 662
Joined: Sun Oct 01, 2006 11:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:38 pm

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
 
anav
Forum Veteran
Forum Veteran
Posts: 758
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:46 pm

The point being is that it appears there are folks out there that seem to understand how this router is coded from the ground up. So either the entire code has been compromised (stolen) or a former employee is disgruntled and is enacting revenge or a current employee is a criminal. I favour the latter scenario seeing as its based on recent work of 6.39..............
However, as I noted before for the Wireless Issues, a lack of communication strategy will lead to speculation which I am quite guilty of.................

To state hey don't worry (its just a secondary issue) about super sophisticated tools, that allow the hacker more granularity than you do as an admin, is the wrong approach with this group.
As for Auctoritas-what? Mozerd. Is this the title of the next book in the Dan Brown's Robert Langdon Series? ;-P
 
djdrastic
Member Candidate
Member Candidate
Posts: 282
Joined: Wed Aug 01, 2012 2:14 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:53 pm

Just finished moving the entire network to 6.40.7 on Sunday and I was so proud :)
And this now :(


Hopefully a new Bugfix will be rolled out very soon
Last edited by djdrastic on Mon Apr 23, 2018 5:55 pm, edited 1 time in total.
 
User avatar
dasiu
Trainer
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:53 pm

Normis (or other MikroTik people here) - can you, please, share the very important info: Is there a known attack / exploit you were informed about? Did you learn about this vulnerability from your own studies or from a "friendly" user? Or was someone already attacked, and it came during the analysis?
Or - simpler - is there a known exploit scanning the internet right now? Is there a group of people having detailed knowledge about this vulnerability? Or was it caught in advance, before anyone started exploiting it?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5683
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:54 pm

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulnerability if winbox port was protected.
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1165
Joined: Sat Jun 06, 2009 4:54 am
Location: Brisbane, Australia
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:55 pm

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
I can't understand how you have come to such a poorly devised conclusion so I wrote you a haiku.

MikroTik secures
You remove config, bad idea
Now act like boof head
Last edited by omega-00 on Mon Apr 23, 2018 5:58 pm, edited 1 time in total.
brightwifi.com | mikrotik-routeros.com | MTCNA,MTCWE.MTCTCE | Give karma where due
 
User avatar
andressis2k
Member Candidate
Member Candidate
Posts: 103
Joined: Mon Apr 18, 2011 12:47 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:58 pm

Normis (or other MikroTik people here) - can you, please, share the very important info: Is there a known attack / exploit you were informed about? Did you learn about this vulnerability from your own studies or from a "friendly" user? Or was someone already attacked, and it came during the analysis?
Or - simpler - is there a known exploit scanning the internet right now? Is there a group of people having detailed knowledge about this vulnerability? Or was it caught in advance, before anyone started exploiting it?
It started here: viewtopic.php?f=2&t=133438
 
R1CH
Long time Member
Long time Member
Posts: 662
Joined: Sun Oct 01, 2006 11:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 5:58 pm

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulnerability if winbox port was protected.
Calling it "unsecured" makes it sound like the router was exposed to internet with no firewall or passwords. My router was secured with firewall and strong passwords, and yes, it had the management port open to the WAN. Does opening up any port to the WAN make the router "unsecured"?

I would much prefer if it were written such as:
!) winbox - fixed vulnerability that allowed to gain access to a router with an exposed winbox port
 
sakirozkan
newbie
Posts: 38
Joined: Sat Jun 14, 2014 12:19 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:01 pm

Only closing winbox port is enough?
what about api and api-ssl ports?
 
Moc
just joined
Posts: 10
Joined: Sun Jan 06, 2013 8:47 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:15 pm

When is the first known exploit of this so we can browse the logs. And have exploit rewritten the log file ?
 
mkx
Forum Veteran
Forum Veteran
Posts: 784
Joined: Thu Mar 03, 2016 10:23 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:18 pm

Only closing winbox port is enough?
what about api and api-ssl ports?
Disable any service you really really don't need. If you don't know what's it about, then you don't need it. Whatever remains (either winbox, https or ssh), protect with firewall as much as possible. Leave it open from only a few locations you can physically get to in due time, not to half of the country (just in case you're on the road). Getting hacked due to too wide open ports will give you more headache than occasional drive a few (hundred) kilometres (past experience will help you minimize number of rides after a while).
BR,
Metod
 
ryan0803
just joined
Posts: 2
Joined: Sat Jan 07, 2017 12:11 pm
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:21 pm

Thank You for the info

I've implemented the configuration
 
R1CH
Long time Member
Long time Member
Posts: 662
Joined: Sun Oct 01, 2006 11:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:28 pm

When is the first known exploit of this so we can browse the logs. And have exploit rewritten the log file ?
The exploit may not appear in the logs. It can download system passwords without logging in, so even if there appears no successful or failed logins, you should consider your passwords compromised and change them. As it's apparently possible to run arbitrary code after compromise, system log files could be tampered to remove any traces of exploitation. If you are really paranoid the only safe way would be to netinstall.

So far I have seen very few connection attempts to winbox port via mass internet scanning so it's unlikely you are compromised unless specifically targeted.
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:33 pm

As for Auctoritas-what? Mozerd. Is this the title of the next book in the Dan Brown's Robert Langdon Series? ;-P
Auctoritas is a Latin word and is the origin of English "authority". While historically its use in English was restricted to discussions of the political history of Rome, the beginning of phenomenological philosophy in the 20th century expanded the use of the word.

Many "governments/police/invistigative arms" are requiring access to tech -- sometimes its mandated in a very secret way --- something that the Chinese [China] are doing which is one reason that I no longer will purchase Chinese made routers or switches that can act as routers plus a lot of other tech made in China
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:35 pm

I have the admin password of my own router, how can I upload shell scripts and ELF binaries to be executed?
Now that the feature is officially confirmed (*), I think it won't take long to be documented by some good soul. The question is, how much MikroTik depends on having it in WinBox server, if they can easily block it or not.

(*) It wasn't my plan when I asked. I assumed WinBox used only some secure protocol to read/write options, not to have unlimited access to system internals.
 
ivanfm
newbie
Posts: 34
Joined: Sun May 20, 2012 5:07 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 6:39 pm

That is true, yes.
We have a nice article on how to make your device secure, I suggest everyone read it, as it contains most of the basics:

https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
normis some of the commands in this article works only in old versions.

Like mac-server now uses an interface-list instead of disabled=yes
 
djdrastic
Member Candidate
Member Candidate
Posts: 282
Joined: Wed Aug 01, 2012 2:14 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 7:07 pm

Just as an aside.Would a MAC-Winbox sessions also be vulnerable ?


Thinking of disabling Winbox service on all Routers/Bridges/Switches/Wap's etc.
 
msatter
Forum Veteran
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 7:21 pm

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulnerability if winbox port was protected.
Better would be "...gain acces to router accessible from the internet'

The blame is shared between Mikrotik and the owner of the router.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.44Beta17 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
sakirozkan
newbie
Posts: 38
Joined: Sat Jun 14, 2014 12:19 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 7:24 pm

Only closing winbox port is enough?
what about api and api-ssl ports?
Disable any service you really really don't need. If you don't know what's it about, then you don't need it. Whatever remains (either winbox, https or ssh), protect with firewall as much as possible. Leave it open from only a few locations you can physically get to in due time, not to half of the country (just in case you're on the road). Getting hacked due to too wide open ports will give you more headache than occasional drive a few (hundred) kilometres (past experience will help you minimize number of rides after a while).
If i don't use api's why i ask this???
 
23q
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 8:23 pm

del
Last edited by 23q on Mon Apr 23, 2018 8:27 pm, edited 1 time in total.
 
margi412
just joined
Posts: 2
Joined: Wed Dec 17, 2014 10:18 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 8:26 pm

v6.42.1 and v6.43rc4 have been released! They fix the vulnerability.

Bugfix coming soon as well.
hi Normis,

is bugfix only 6.40.7 -- we need to use for breach fix?
 
Azure
just joined
Posts: 3
Joined: Fri Dec 23, 2016 10:49 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 9:00 pm

v6.42.1 and v6.43rc4 have been released! They fix the vulnerability.

Bugfix coming soon as well.
hi Normis,

is bugfix only 6.40.7 -- we need to use for breach fix?
Bugfix with fix for this issue has not been released just yet. Only Current and RC channels.
 
23q
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 9:05 pm

sorry for my english. Let's say the files save.sh and dnstest hit the router. By changing the password and limiting access from outside through winbox, is there a guarantee that there will be no outgoing connection from my infected router and the new password will not be transferred to the attackers in this way?
 
msatter
Forum Veteran
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 9:15 pm

sorry for my english. Let's say the files save.sh and dnstest hit the router. By changing the password and limiting access from outside through winbox, is there a guarantee that there will be no outgoing connection from my infected router and the new password will not be transferred to the attackers in this way?
No. Outgoing connection are not that much or even not limited by the default rules.

You have to clean or restore before hooking the router to the wild wide west (internet) and don't forget to learn from and imlement the tios given in the first posting of this thread.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.44Beta17 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105

Who is online

Users browsing this forum: blimbach, ksteink, markz, Quasar, tdw and 6 guests