Do not forget the users that brought this to the attention of Mikrotik. Those users certainty lost sleep and looks probally still a bit pale around the nose.I'm glad to see this got fixed so soon!
Many thanks to the team who works on this (and lost a lot of sleep probably)!
Attacks seem to be rather specific though, haven't seen the mentioned log entries on my dutch and czech routers.
yes. one can disable the mac-winbox functionality. but the attack surface is a lot broader on the internet. i just pointed out that remote exploits can be mitigated using ip service filtersBut the intruder can also sit inside your network. What if the intruder connects in with the MAC address/Neighbors service? There is no filtering possible on that.
Nope. If in-port is a part of a bridge - You can filter MAC-Winbox and MAC-Telnet pakets using bridge filter chain input.But the intruder can also sit inside your network. What if the intruder connects in with the MAC address/Neighbors service? There is no filtering possible on that.
You should be dropping such packets anyway. If you add them to a blacklist which blocks all communications from that IP, then you block legitimate services if someone spoofs them.Why blocking access to router is bad idea? Should "popular" addresses try to access our router?
/ip firewall filter
add action=drop chain=input comment=mac-winbox dst-port=20561 protocol=udp log=yes log-prefix=macwinbox
[me@hgw2] /ip service> /ip fire filter print stats interval=1 where chain=input and comment~"mac"
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 ;;; mac-winbox
input drop 46 767 876
Dropping in input is fine, but I've seen several blacklists use raw table which would obviously affect forwarded traffic too.I know ... but it input chain is not the same as forward one. You can block access to router but not traffic forwarded to/from users.
This is an application that listens on a raw socket. It sees the traffic before the firewall. It does not matter what you do in the firewall (block or allow).so the IP firewall "sees" the traffic, the rule is actually evaluated _and_ it matches, but no action is taken.
You can access graphs within winbox - no need to use web access to them.This is the second advisory for this same port in as many weeks. Whilst we block it to the world we still feel compelled to update all our customers' routers. I hope this is not a sign of things to come.
While I'm on my soapbox I'd like to suggest that graphs are moved off the web management port. They are very different in the scope of their intended audiences, yet the functions are bound together.
/ip firewall address-list add address=something.allowed.com list=4TheWin
/ip firewall address-list add address=somethingelse.allowed.com list=4TheWin
/ip firewall filter set [find comment="Winbox"] src-address-list="4TheWin"
why? more simple and quick firewall solves this (see above examples).use layer7-protocol can solve this?
if can,how?
becouse i am Maintain 500+ mikrotik node,i have not static ip,i need to remote to connect.i can't reboot the mikrotik nodes,i need keep network normal first.and later to update.why? more simple and quick firewall solves this (see above examples).use layer7-protocol can solve this?
if can,how?
That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.Things would be mush simpler to set if we have option to bind services to specific interfaces. That would help to simply narrow access to services by network interfaces without messy IP filtering rules.
Either configure VPN on the routers so you can connect from anywhere and have more security, or get some VPS at a couple of $/month where you have a static IP, configure VPN to there, and set the fixed IP address of that VPS as your trusted external IP.becouse i am Maintain 500+ mikrotik node,i have not static ip,i need to remote to connect.i can't reboot the mikrotik nodes,i need keep network normal first.and later to update.
i will update all nodes,but need a few days.before update need a temp plan.i want to use layer7-protocol to control.Either configure VPN on the routers so you can connect from anywhere and have more security, or get some VPS at a couple of $/month where you have a static IP, configure VPN to there, and set the fixed IP address of that VPS as your trusted external IP.becouse i am Maintain 500+ mikrotik node,i have not static ip,i need to remote to connect.i can't reboot the mikrotik nodes,i need keep network normal first.and later to update.
To implement any change, you will have to go along all the nodes. So better use a permanent solution instead of wasting time now and having to re-do it later.i will update all nodes,but need a few days.before update need a temp plan.i want to use layer7-protocol to control.
Yes but the graphs in Winbox are rubbish compared to the web ones with their time and throughput scales.
You can access graphs within winbox - no need to use web access to them.
Hence why each router also has a unique admin password, so if the tunnel/radius had to break we can still get into the router/switch. All passwords are stored on a cloud service.There has to be a trade-off between a secure access and the risk of unreachable devices when something breaks.
With such config the device will be inaccessible when the connection to radius cannot be set up.
We use radius for customers, but to use it for management of the device would be too much of a risk for me.
Similar for using address lists. We have address lists with allowed management address (source) but they are static and a drag to maintain.
I would use DNS based address list, if they would not be flushed on reboot. Now, when a device is rebooted and is without DNS, it would be unable to load its address list from DNS and management would not be possible. A bit too risky.
indeed. I do the same with OpenVPN as most of my client routers are either behind NAT or have dynamic IP's.my take on remote accessible device management - and some may be behind a "one-way" access medium, like NAT or 3G/4G, where you can't just connect to the device from the outside - is to have a VPS running routeros. and there's no ports exposed there, but only IPSec.
so the managed devices shall connect to it via IPSec. no need for pushed down routes, what so ever.
then the manager user shall do the same.
and they can rendezvous in "cloud #9".
this way you don't have to expose no mgmt interfaces to anywhere.
you don't even need static IP for this, as tunnels can be initiated to FQDNs.
you can drop any management traffic on all routers on their exposed interfaces. yes, that would include also the subscriber/customer side as well.
whenever you access supports it, you can also use IPv6 as the transport of the tunnels to pull this off on some places.
... but that still leaves you vulnerable to the current problem. only your port filtering saved you, not your advanced password management!Hence why each router also has a unique admin password, so if the tunnel/radius had to break we can still get into the router/switch.
I reacted earlier to your post to include also the users of Mikrotik devices.I'm glad to see this got fixed so soon!
Many thanks to the team who works on this (and lost a lot of sleep probably)!
Yes and no, having a unique admin password at least lets you limit the risk. i.e not one standard password across all devices.... but that still leaves you vulnerable to the current problem. only your port filtering saved you, not your advanced password management!Hence why each router also has a unique admin password, so if the tunnel/radius had to break we can still get into the router/switch.
And what if you have disabled conntrack? In a powerful router, we need all power for routing purposes, and firewall is downstream it. Any linux service can be bound to a specific address / firewall...It can be done with one simple firewall rule.
Create interface list and add
/ip firewall filter add in-interface-list=xx ...
No, it isn't the same. "allowed from" allow you to open a socket to that service, and if it your src ip address isn't listed, it will close the connection. If service daemon is vulnerable...That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.Things would be mush simpler to set if we have option to bind services to specific interfaces. That would help to simply narrow access to services by network interfaces without messy IP filtering rules.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.
Excuse me, but the whole point of releasing RouterOS in all channels yesterday was to completely close the vulnerability. It is right there in the changelog. Why are you even asking? Was this not made clear ?Can we get a straight answer for...
THIS ROUTER OS UPDATE PREVENTS THIS EXPLOIT.
AKA... one CAN NOT download the user file from router OS 6.42.1, using port 8291, without authenticating to the router first.
Can we get a straight answer for...
THIS ROUTER OS UPDATE PREVENTS THIS EXPLOIT.
AKA... one CAN NOT download the user file from router OS 6.42.1, using port 8291, without authenticating to the router first.
unless your question is a very bad attempt at asking for more details of the exploit, now that the fix is out, and how a customer can test that it has been actually fixed...!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Vulnerable to what? This close of the connection occurs before any data exchange. It is not an RST reply to the SYN as was suggested by someone else, that would be even better, but it is SYN/SYN ACK/ACK/FIN ACK/FIN ACK/ACK, all without any data being exchanged. There does not appear to be much room for vulnerability exploits.No, it isn't the same. "allowed from" allow you to open a socket to that service, and if it your src ip address isn't listed, it will close the connection. If service daemon is vulnerable...That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.
And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locksVulnerable to what? This close of the connection occurs before any data exchange. It is not an RST reply to the SYN as was suggested by someone else, that would be even better, but it is SYN/SYN ACK/ACK/FIN ACK/FIN ACK/ACK, all without any data being exchanged. There does not appear to be much room for vulnerability exploits.No, it isn't the same. "allowed from" allow you to open a socket to that service, and if it your src ip address isn't listed, it will close the connection. If service daemon is vulnerable...That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.
I advise you to stop using software and go out of the IT business. Really.And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locks
You don't need connection tracking for this.And what if you have disabled conntrack? In a powerful router, we need all power for routing purposes, and firewall is downstream it. Any linux service can be bound to a specific address / firewall...It can be done with one simple firewall rule.
Create interface list and add
/ip firewall filter add in-interface-list=xx ...
Somethng about TCP connection usage in applications. There are basically these steps which occurs in TCP conenction life:And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locksVulnerable to what? This close of the connection occurs before any data exchange. It is not an RST reply to the SYN as was suggested by someone else, that would be even better, but it is SYN/SYN ACK/ACK/FIN ACK/FIN ACK/ACK, all without any data being exchanged. There does not appear to be much room for vulnerability exploits.No, it isn't the same. "allowed from" allow you to open a socket to that service, and if it your src ip address isn't listed, it will close the connection. If service daemon is vulnerable...That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.