Community discussions

MikroTik App
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Security announcement blog

Thu Jul 26, 2018 8:04 am

We have made a blog, where we will publish the most important announcements regarding security and other topics.
Bookmark this link for Security related news:

https://blog.mikrotik.com/security/

Here is the RSS feed link:
https://blog.mikrotik.com/rss/?cat=security
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Thu Jul 26, 2018 9:56 am

Very good idea. Thank you for that.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Jul 26, 2018 10:22 am

Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Thu Jul 26, 2018 11:16 am

Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Jul 26, 2018 11:37 am

Yes, now it works OK
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Thu Jul 26, 2018 1:21 pm

Is there a way to sign up for email announcements of new articles too?
 
User avatar
amt
Long time Member
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Security announcement blog

Thu Jul 26, 2018 3:40 pm

Is there a way to sign up for email announcements of new articles too?
+1
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Security announcement blog

Thu Jul 26, 2018 11:48 pm

That works
 
DummyPLUG
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Security announcement blog

Fri Jul 27, 2018 2:35 pm

Is there a way to sign up for email announcements of new articles too?
+1
RSS is good, but will be nice to have some mailing list for security announcement and firmware update
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Fri Jul 27, 2018 3:00 pm

It also depends on when new articles will be published there, if half of year after the security incident or when. In such case there is no need to send email notifications.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Fri Jul 27, 2018 3:10 pm

Did we publish forum posts half year after discovered issues? Jarda, what are you talking about.
Also, there are numerous IFTTT recipes to do things when RSS gets a new article: https://ifttt.com/applets/YnbGBZDy-send ... s?term=rss
You can even have your Hue lights flash red :)
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Fri Jul 27, 2018 3:23 pm

I received email (urgent security advisory) for the web port vulnerability because I have a user account on mikrotik homepage. As far as I know, the winbox port vulnerability didn't get similar warning email. However, I received email about newly released 6.42.1 and 6.40.8 which fixed this vulnerability (and it was clearly stated in changelog) so everyone who reads these emails should know about it instantly.

@normis: I am sure Jarda is refering to the web port issue. Despite the fact it was fixed during March 2017, there was not much coverage, so even year after, massive amount of devices was vulnerable. Due to that, It make sense to send email (despite the fact it is already too late) once the vulnerability gets misused extensively.
Personally, I perceive it as a Mikrotik failure that there was not "urgent security advisory" email about winbox port vulnerability. I am aware that everyone is responsible for their device and I know well that with correctly set up firewall, vulnerability would be protected. However spreading the word (even negative one) is important part of the business and crucial to build trust between manufacturer and customers. I believe many people would appreciate if Mikrotik PR department takes lesson from it and sends the email next time.
Meanwhile, I will hold fingers crossed that it will take loooong time until next vulnerability appears :)
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Fri Jul 27, 2018 4:22 pm

Normis, I am talking about the blog only. Of course I know that the info was published fastly on the forum. But the blog is new now and from this perspective the info already provided there is really old at the moment. Actually I am fine with the forum announcements for such cases, so even though I appreciate the blog, it moreless seems to me that it is a way to duplicate the source of information. Wiki manual page section would work the same too.
Don't beat me for the opinion, maybe it was misunderstood because of its condensed form... My bad. Sorry for that.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Security announcement blog

Fri Jul 27, 2018 7:07 pm

Blog didn't exist at all when those vulnerabilities appeared.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Security announcement blog

Sun Jul 29, 2018 12:27 pm

We have made a blog, where we will publish the most important announcements regarding security and other topics.
Bookmark this link for Security related news:

https://blog.mikrotik.com/security/

Here is the RSS feed link:
https://blog.mikrotik.com/rss/?cat=security
Great!!! Killer idea!
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: Security announcement blog

Tue Jul 31, 2018 5:06 pm

Thanks Mikrotik guys. This should reduce the amount of panicked calls I get from customers.
 
Ixo
just joined
Posts: 22
Joined: Fri Dec 07, 2012 9:43 pm

Re: Security announcement blog

Tue Jul 31, 2018 9:33 pm

I am furious angry!
My router had admin disabled and most of the services such as SSH/Telnet etc. The username I used was a long name and the password had 16 chars. I had a proper configuration on firewall, lots of scripts etc. YET...
Today I went on Google and got the CAPTCHA. I knew right of the bat that something is not good.

Logged to Mikrotik. First I spotted that most of FW rules were gone, then SOCKS enabled! Scripts are gone except some mikrotik.php thing. First thing... plug out internet cable.

After panic was over, went on LTE Internet to see what is going on. In 2 minutes I find that Mikrotik got compromised. I mean seriously?!

OK I think... many systems have security bugs. In fact this is the first one I have ever had through a Mikrotik. But what made me super angry wasnt't that there was a bug but Your replies to people saying "You should keep up to date" or "You should check our announcements" --EOT.

If the issue is there since April and you have my bloody email as I am registered on this forum, why I have not received an email saying "We have found a security vulnerability, so please update your Router OS immediately"? Seriously, why? I mean my IP worked as free SOCKS tunnel for god knows how long and god knows what went through it.

I just don't login to a router OS every day to check if everything is fine. You should not expect people to do that, you should not expect people to keep the router OS up to date (for many reasons e.g. the RouterBoard sits on the mast high up in the mountains and you simply don't do upgrade unless you are psychically there in case of something goes wrong), you should not expect people to look at your BLOG all of the time. It should be on your cards to let your customers know about such events.

EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Tue Jul 31, 2018 10:13 pm

That's effective idea. All registered users (anywhere in the mikrotik, not only on the forum...) should receive a notification in such emergency case! Otherwise the blog is nothing more than a post in the right section of the forum...
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 8:44 am

I'm sorry you have not received that email, because we did send it on March 30, with specifically the content you asked for.
EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
Please clarify what you mean by that.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Aug 01, 2018 10:45 am

People apparently like to get a mail message (a push mechanism) instead of using RSS (a pull mechanism), but of
course the disadvantage is that a database of mail addresses would have to be kept. Of course MikroTik already
have two databases: the valid users for login on the main webpage (where you can manage licenses etc, and also
used to send the newsletter) and the valid users logging in on the Forum.
Adding a third one just to send security announcements coud be a bit overkill when they are already sent to the
other two lists. However,
- I think they are sent only to that webpage list, not to the Forum list
- They should be sent much sooner than was done the first time.

Important security fixes should get the attention of the admins once they are available, not when an exploit is
seen in the wild. Anyway, you will find that now that MikroTIk is on the radar of the malvolents, those times
will be very close together anyway.
(there are people who examine security updates to see what exactly was fixed and quickly write exploits for them
to use the time window between release of the updates and installation by the majority of users)
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Wed Aug 01, 2018 11:22 am

@peichl: Great summary! I find myself in total agreement with your post. However, one point might be added:
- emails should be sent EVERYTIME there is serious security issue.
(I am refering to the fact that winbox port vulnerability - end of april - was not emailed)
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 11:24 am

Doesn't that contradict with the other point made?
there are people who examine security updates to see what exactly was fixed and quickly write exploits for them
to use the time window between release of the updates and installation by the majority of users
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Aug 01, 2018 11:42 am

I hope you don't mean to suggest "we better keep the updates secret so the hackers don't know about them and don't exploit the vulnerabilities"
because that is not going to work anymore. Especially when there is no auto-update mechanism that would install the update on the majority
of installations before it is analyzed.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 12:27 pm

Vulnerability confirmed but not fixed sent message, to close or deactivate certain services if those are not secured additional by filtering.

Vulnerability confirmed and fixed, sent message. Go public and publish in blog.

Vulnerability not confirmed send message to a small and closed group to have a look at it, if it is indeed a vulnerability ask advise to have temporary effective filtering/services.

If it is alredy public communicate that you are investigating it. Message this to all the known users.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 12:36 pm

I know very well that some people are never fully satisfied, but please also try and appreciate the progress in this regard.
MikroTik did send an email to everyone in March 30, MikroTik did use forum/socialmedia also. MikroTik did fix it within a few hours of finding out. There is a changelog now where one version contains more lines than all of the v4 versions had together. There is also a blog now.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 12:48 pm

I did not get an e-mail.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 12:50 pm

Make sure you have not opted-out in your mikrotik.com account.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 1:32 pm

I don't have a Mikrotik.com account.

The forum does contain also e-mail addresses and many you can combine it with a GDPR information message to inviste also subscribing to security bulletins/messages by creating a Mikrotik account.

I am hesitant when I look at the page.

Allow to use my account from netinstall and winbox I don't see any explanation what this means.

Send me information about MikroTik news this should be clearer if you write Send me the MikroTik newsletter

Add a the line that account holders also receive security bulletins. If a GDPR is not yet sent that could be used to inform the current accounts that this is added.

If you want to limit by using accounts put a link close to the general newsletter line that also a security bulletin is available. In the confirmation of creating a account also include the link to the new blog of Mikrotik.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Aug 01, 2018 2:17 pm

I know very well that some people are never fully satisfied, but please also try and appreciate the progress in this regard.
Yes it has certainly improved. It is not so long ago that MikroTik denied the existence of vulnerabilities.
I did get a mail, two I think, on my mikrotik.com registered address and the second time it was at a more suitable point in time.
You could consider using the mail address list of the forum (maybe after subtracting the addresses from the site) to send a
one-time mail summarizing the security situation and referring to methods to get uptodate information.
But of course then there still remains a large group of buyers who never registered on the site, never visited the forum,
and have their router out of sight and never updated. Those are going to be difficult to reach.
It could also be considered to add pointers to this information in other places, like product leaflets in the boxes, product
pages on the website, and other places that people who are not aware of issues could accidentally visit.
I understand there is always a balance between making people aware of sales-unfriendly issues like security and keeping
people informed well, but on the other hand a category of prospective users might actually appreciate it when they are well
informed about the necessary maintenance to keep their device safe.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Wed Aug 01, 2018 2:54 pm

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 2:59 pm

If you don't use RSS, you are welcome to use IFTTT service to get an email/call/alert/HUE blink when the RSS gets an update.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Security announcement blog

Wed Aug 01, 2018 3:01 pm

Sure:
Captura de pantalla 2018-08-01 a las 14.00.23.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Security announcement blog

Wed Aug 01, 2018 3:19 pm

"vulnerability in the www server" and "vulnerability in the winbox server" are different.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Security announcement blog

Wed Aug 01, 2018 3:46 pm

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?
Same here. I only got an e-mail on March 29th about the www vulnerability. Never for the winbox vulnerability.
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 3:59 pm

Winbox vulnerability was solved so fast and updated version was released on the same day so we did send out e-mails about new, patched versions released and did not have separate Winbox vulnerability e-mail. That was discussed in forum (in future, similar information also will be discussed in the blog):

Subject:

MikroTik RouterOS 6.40.8 [bugfix] and 6.42.1 [current]

Part of the message:

We have released new RouterOS versions in bugfix and current channels.
...
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
...

Another example that shows how important is to read changelog. That is why we have tried to upgrade it a little bit after few last releases in order to highlight major fixes and improvements.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 4:01 pm

The point is, we try to improve.
Sending out as many emails as we would have to send, takes a very long time. RSS/Twitter is much faster.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 5:02 pm

And we are pleased that we find a listening ear at the side of Mikrotik and the improvements made. We are pushing to have more security and we are certainly see significant steps and that is beneficiary for both sides.

Communication has room to improve and RSS is something I used a long long time ago and Twitter....I believe I have account but just to claim the name. My twitter expierence is on the moment not good because 9 out 10 times I want to see a twitter message it shows that I am rate limited so I end up not seeing the twitter message. This probably due that I connect through a VPN service.

E-mail has is old but it aged very well and it gained security and encryption if you want and your can now even chat through it and if someone does not have the APP then it display in you e-mail program.

Back to security e-mails. If you are afraid that it takes long to get hundreds of thousands ;-) of e-mails out then you are right. You can also have a mailing service sent out the mails for you and you must allow in your DNS (SPF) that they can do it. If you do it yourself please use BCC when using lists.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Wed Aug 01, 2018 5:03 pm

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
...

Another example that shows how important is to read changelog. That is why we have tried to upgrade it a little bit after few last releases in order to highlight major fixes and improvements.
I would actually use this as an example of a bad changelog entry. It was very unclear, an "unsecured router" could mean an empty / weak admin password. My router was perfectly secure - strong admin password, firewalls for everything except the winbox port. If there was a vulnerability in OpenSSH, would you see a Linux distribution with a changelog that said "ssh - fixed vulnerability that allowed access to an insecure server"? No. The blame would be squarely on OpenSSH itself, not the security of the whole system. There are quite a few examples of users on this forum who in fact did see this changelog entry and ignored upgrading because they thought their router wasn't classified as "unsecured". If winbox was never meant to be exposed to untrusted networks, this is not documented anywhere.

Going forward I'm sure we would all appreciate more candid statements regarding security vulnerabilities. Yes, it isn't fun to admit that there's a bug in that allows exploitation, but network admins deserve to know the full details in order to make informed decisions about how and when to upgrade.
 
rua
newbie
Posts: 25
Joined: Fri Aug 01, 2014 8:53 pm
Location: Copenhagen, DK

Re: Security announcement blog

Wed Aug 01, 2018 5:49 pm

I'm sorry you have not received that email, because we did send it on March 30, with specifically the content you asked for.
EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
Please clarify what you mean by that.
re notifications
i have been on this forum some years - and hurried to sign up for email alerts/announcements.
however - during the years, i have received but a few for news letter announcements - cant say how many, but maybe for every third.
result is that i sign up again several times - well, to be sure :-)

the only security annoncment was received was concerning gdpr policy 25th may

i was never introduced to any harmful intrusion, though.

i check dayly mikrotik.com for news - but would like to be timely updated, in case i should be absent, or missed it.

thank you
 
Modestas
newbie
Posts: 25
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re: Security announcement blog

Thu Aug 02, 2018 12:44 am

Doesn't that contradict with the other point made?
there are people who examine security updates to see what exactly was fixed and quickly write exploits for them
to use the time window between release of the updates and installation by the majority of users
It would take certain time to reverse-engineer update and prepare new exploit. Maybe significant time.
I have no doubt that some fancy bears are following this forum and would love to get security bulletins into email. But I think timely alerting regular customers would outweight such risk. Customers will be aware of risks and perhaps will be able to patch known holes.
I would prefer to receive security alerts from vendor arriving sooner than Talos/F5/whatever "sky is falling" articles appear in their social media.

P.S. 2 karma points for the security blog
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Security announcement blog

Thu Aug 02, 2018 11:46 am

...ignored upgrading because they thought their router wasn't classified as "unsecured"...
Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Aug 02, 2018 12:18 pm

...ignored upgrading because they thought their router wasn't classified as "unsecured"...
Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
That is only the situation after it went wrong. In fact I always configured my equipment like that and carried it forward into MikroTik
equipment configuration, but there could be many users who believe that a service listening on an open port and fitted with authentication
is "secure" too. Unless the attacker knows the password they can't get in, right?

Of course others have become victim of that when there turned out to be bugs in the service handling the request
(remember logging in to systems by entering the username -froot instead of root because -f meant "no need to authenticate this login"?)
and now the general stance is that a service cannot be trusted no matter if it does authentication or not, you need to lock the attackers
out of the service before they attempt authentication.

But as you know, there is a very big group of users of your equipment in countries where there apparently is a market for wireless last mile
internet access, technical development in general is a bit back compared to other countries, but there are bright guys with no money who
don't mind to hack the system to get the access they want. The operators usually have little networking and security knowledge and they
deploy more or less default configurations and/or follow guidelines for setup they find on youtube (before consulting your own documentation).
These networks are hacked all the time because the security mechanisms are not well configured, or simply are not up to the task of
really providing security as opposed to holding back some nosey people who have no real interest in cracking the system.

This is partly because of the availability of vulnerabilities like the last two big ones, partly because of naive approach to security,
and some of that is of course part of the standards that are being used. A system like hotspot really cannot withstand any serious attack,
but it is likely not so easy do do much better.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 12:51 pm

 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Thu Aug 02, 2018 12:56 pm

...ignored upgrading because they thought their router wasn't classified as "unsecured"...
Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
So services like OpenVPN and IPsec in Mikrotik are "unsecure" as well? A router that drops all traffic on all interfaces is probably secure, but it also isn't much use to anyone.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Thu Aug 02, 2018 1:01 pm

"Open to public networks", yes. There is an immediate high risk, unless you implement a good firewall, if you really need to access that OpenVPN server from ANY IP address.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Aug 02, 2018 2:07 pm

For road warrior VPN, it usually is not practical to have a valid peer address list. So those types of services require even more attention from you (and other developers) to keep the secure.
Of course for VPN between two fixed addresses I always have firewall rules that permit only that traffic.
But e.g. for L2TP/IPsec from mobile users it cannot be done.
(especially as there are no script possibilities in the IPsec peer config where you could run a script when an IPsec peering comes up to allow the traffic from that peer's current address)
 
schadom
Member Candidate
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: Security announcement blog

Thu Aug 02, 2018 2:23 pm

RSS is good, but will be nice to have some mailing list for security announcement and firmware update
+1 for security announcement mailinglist
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 2:40 pm

Posted in an other thread also and I had the idea after discussion with an other member. My ISP will close down my connection when I have a device that misbehave so why not extent this to the router itself.

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version.

If ignored then after two weeks the router only functions when you are initiating an update. After the update all the functions are restored.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Security announcement blog

Thu Aug 02, 2018 3:03 pm

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version.

If ignored then after two weeks the router only functions when you are initiating an update. After the update all the functions are restored.
What a terrible idea :shock:
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Security announcement blog

Thu Aug 02, 2018 5:35 pm

Maybe it's just me (and @R1CH, I guess), but aren't we slowly crossing the ridiculous boundary? Wouldn't it be better to just admit that this WinBox bug was as bad as it can get, instead of trying to redefine security? You have my word, I'll forgive you.

I mean, whitelist for OpenVPN (assuming that it's used mainly for road warriors, so by design nobody knows from where will clients need to connect)? So maybe a 24/7 operator and clients phoning in IP adresses they need to whitelist? Maybe port knocking, but unless it's something more complex (and not easily doable with RouterOS), it's just security through obscurity. What will be next? One company I'm involved with has some client portal on https and of course open to whole world, 10k clients or so. Security depends only on username and password, kind of similar to WinBox. By the same logic, should I suggest a whitelist to them too? Or perhaps an unconditional drop on tcp/443? No doubt it would be secure then. :)
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 5:45 pm

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version.

If ignored then after two weeks the router only functions when you are initiating an update. After the update all the functions are restored.
What a terrible idea :shock:
It is a terrible idea but we have to start somewhere. It is a responsibility to each of us and hacked routers can do a lot of damage.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Security announcement blog

Thu Aug 02, 2018 6:49 pm

Yes we have to start somewhere. How about users start to read how networks work and don't make stupid mistakes like disabling a firewall?

Where to start....

You talk about doing MITM essentially to modify forwarded traffic. That's preposterous! And what about TLS? Everything moves to TLS. Doing it on http is not even viable.

You also talk about call home. I don't know what exactly are you referring to, but AFAIK the only 'call home' that ROS does (not CHR) is when using the IP > Cloud feature (which I generally don't use).
How does invading our privacy by calling home (so MikroTik knows our IPs and our exact router model/serial for starters) will make things better?

And the worst of all: Forcing me to update to a potentially unwanted version (because of bugs, because of removed functionality, or because there is no need frankly) is monumentally stupid. It's as stupid as Microsoft's forced win10 updates.

Remove functionality until you upgrade? Are you out of your mind? :shock:
I know the Netherlands have good weed, but man, you must be high as a kite to suggest such things! :lol:
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 7:59 pm

To go to a HTTPS page you most of the time need a initiate that on http.
Even the handshake on 80/443 is giving away that someone is looking at a screen that can be warned.

Call home is the term for a device/application getting in touch with where it comes from. The IP address is to me not a significant problem. We share it and much more when we request a firmware/routerOS. Or do you have a separate IP to have your firmware/RouterOS updates.

Which type device or settings of any kind is not shared with Mikrotik and the page just contains the information that the router needs to know. There can be more information on that page that not applies to that router. You could use exiting download page and add in plain text the minimal requered routerOS version.

If you are not waning to update you router you forbid the router to visit the mikrotik page like I do Windows 10. It is then not Mikrotiks fault that your router is turned evil.

My Windows 10 does not use it's own mechanism to update and I use WSUS for that.

Yes weed is the stuff that attracks many people to the Neterlands and of course the canals in Giethoorn. I use neither.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Security announcement blog

Thu Aug 02, 2018 8:23 pm

"Mikrotik call home" :) .... crazy idea.
And what about routers which has "unsafe" ROS version but are hidden behind other firewall with good security? Should they magically be banned? What about connections with low bandwith? Should it be "eaten" by regular ROS verion checks?

Tha main idea of routers like Mikrotik where you HAVE TO configure it yourself is FREEDOM. You are not pushed to do things "the right way"
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 8:38 pm

Then that good firewall takes the burden on them by not allowing to have that unsafe router to call home. The must not be a button to switch itall of and only a firewall rule can block it.

It is like you are jumping out of a plain on a parachute and start cutting lines. Nobody can help you by knotting the correct lines together. There is no reserve chute when your router is hacked.

When I advise a RouterOS device I always tell that it has a very steep learning ramp and the best is to use the default config first and grow from there.

You have all the freedom but Mikrotik has the fallout from this freedom.
 
mt99
newbie
Posts: 43
Joined: Wed Jan 03, 2018 6:07 pm

Re: Security announcement blog

Wed Aug 08, 2018 10:55 pm

 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Security announcement blog

Wed Aug 08, 2018 11:03 pm

What is the conclusion?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 09, 2018 12:42 am

I made a filter that act as a honeypot for port 8291 and I caught some fish and added that to my drop line in RAW and log when there is a revisit in that CIDR.

I have the 146.185.222.0/24 (Barbarich Viacheslav Yuryevich) CDIR trying every 30 seconds to approach a port. It is still going it tried port: 34441,6436,8168,3961,37818,4566,3126,3497,3911,2989,7993,4600,9608,22676,42264,52463....... with addresses ending on 222.29 222.32 222.37 222.7 222.11 222.28 222.35 and address 146.185.222.32 is used the most.

More addresses and ports are coming in but time to post it.

Update:

After a night sleep it is still going on so I am going it to add this CIDR to the list that is blocks but not log it and I have 809 log entries of that address range coming along. It was probably not looking specific for port 8291 like some others did. Reset the counter to see if there are more returning port 8291 sniffers.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Security announcement blog

Tue Aug 14, 2018 5:00 pm

To go to a HTTPS page you most of the time need a initiate that on http.
Those days are almost gone. HSTS
Plus, all major browsers have their own predefined list of major websites that support https and will connect only to https even if you only type the domain in the address bar.
https://hstspreload.org/

What you suggest will break TLS faster than you can spell out its initials.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Wed Aug 22, 2018 11:56 pm

It's been a full business day and the blog is still not updated with the news about what these four security bugs from the latest RouterOS release actually are. This seems to be a step backwards, before the blog the changelog said things like "www) fixed vulnerability" so admins at least knew the www service was affected and could take necessary steps to limit access if a RouterOS upgrade wasn't immediately possible.

Now we have private CVE numbers and no information to go on, meanwhile hackers are likely reverse engineering the patches to find the vulnerabilities. I appreciate the effort to be more public about security issues but the disclosure about these four issues so far is really not giving me a good feeling.
 
npyoung
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA
Contact:

Re: Security announcement blog

Thu Aug 23, 2018 6:44 am

I am furious angry!
My router had admin disabled and most of the services such as SSH/Telnet etc. The username I used was a long name and the password had 16 chars. I had a proper configuration on firewall, lots of scripts etc. YET...
Today I went on Google and got the CAPTCHA. I knew right of the bat that something is not good.

Logged to Mikrotik. First I spotted that most of FW rules were gone, then SOCKS enabled! Scripts are gone except some mikrotik.php thing. First thing... plug out internet cable.

After panic was over, went on LTE Internet to see what is going on. In 2 minutes I find that Mikrotik got compromised. I mean seriously?!

OK I think... many systems have security bugs. In fact this is the first one I have ever had through a Mikrotik. But what made me super angry wasnt't that there was a bug but Your replies to people saying "You should keep up to date" or "You should check our announcements" --EOT.


If the issue is there since April and you have my bloody email as I am registered on this forum, why I have not received an email saying "We have found a security vulnerability, so please update your Router OS immediately"? Seriously, why? I mean my IP worked as free SOCKS tunnel for god knows how long and god knows what went through it.

I just don't login to a router OS every day to check if everything is fine. You should not expect people to do that, you should not expect people to keep the router OS up to date (for many reasons e.g. the RouterBoard sits on the mast high up in the mountains and you simply don't do upgrade unless you are psychically there in case of something goes wrong), you should not expect people to look at your BLOG all of the time. It should be on your cards to let your customers know about such events.

EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
Add me to this. I should have gotten an email instead of having to find out the hard way. Now we have 40-50 user CPE's, many mounted in trees that are probably unusable. Can't log into them to fix them. What a disaster!
 
npyoung
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA
Contact:

Re: Security announcement blog

Thu Aug 23, 2018 6:55 am

Getting down to fixing this cluster. Is the reset button disabled? Or can a person go to each router site, hit the reset button and put an upgraded OS on it, and the new setup? Or is the hardware now trash?
 
npyoung
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA
Contact:

Re: Security announcement blog

Thu Aug 23, 2018 7:00 am

Is there a way to log into these compromised devices remotely? The devices that were compromised today are not reachable using telnet, ssh, or winbox. They are still running, presumably performing their Internet access function, but I've lost control of them. Maybe MT, having seriously dropped the ball in not informing a customer of 18 years that this was a problem, could suggest a comeback path?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Thu Aug 23, 2018 7:56 am

npyoung, just make sure you have not removed your mikrotik.com account or put mikrotik.com in some spam filter, because MikroTik did send mails about this and other vulnerabilities.
Also, since the issue was patched back in april, I suggest to also check our communication channels more often (social networks, forum).
 
npyoung
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA
Contact:

Re: Security announcement blog

Thu Aug 23, 2018 9:51 am

npyoung, just make sure you have not removed your mikrotik.com account or put mikrotik.com in some spam filter, because MikroTik did send mails about this and other vulnerabilities.
Also, since the issue was patched back in april, I suggest to also check our communication channels more often (social networks, forum).
Ok, I'm glad to hear that, but I'm pretty screwed now that I didn't get it.

Now that I have 40 infected Dynadishes, what can be done? They seem to still be functioning, but I cannot get into them from Winbox. Port 80 sort of works, the login page comes up, but then it shuts down after entering user/pass. Any ideas? Does the exploit allow for a hard reset of the dish, or are they now scrap?
 
npyoung
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA
Contact:

Re: Security announcement blog

Thu Aug 23, 2018 1:51 pm

npyoung, just make sure you have not removed your mikrotik.com account or put mikrotik.com in some spam filter, because MikroTik did send mails about this and other vulnerabilities.
Also, since the issue was patched back in april, I suggest to also check our communication channels more often (social networks, forum).
Having been through this sort of thing with UBNT before, I have to say there's a world of difference in the response. UBNT almost immediately had a fix for infected devices, followed by improvement in their excellent NMS tool, AirControl, which allows an operator to keep all the devices up on their FW. (The Dude is a pale shadow of this software.) None of this, "well, you should have been brushing your teeth after each meal" and blaming the customer. I've been a customer of MT for 18 years now, and I've been impressed by how solid a product it is. But, I'm thinking at this point, after this very expensive fiasco, it's time to part ways, especially as it appears from the silence on a fix that I'd need to purchase new hardware. I'll be purchasing new hardware all right, but just not from MT!
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Thu Aug 23, 2018 1:54 pm

This is a public user forum, official support is not provided here, but we do try to post useful responses.
Have you tried contacting support@mikrotik.com?

You only mention that you can't access these devices. This could be because of any number of reasons. At least you should try to connect from both interfaces, not only ethernet, but also from the wireless side.
 
raxxeh
just joined
Posts: 1
Joined: Mon Mar 12, 2018 9:30 am

Re: Security announcement blog

Sat Aug 25, 2018 8:53 am

Doesn't always work Normis.

Please provide an itemized breakdown including disclosure on the blog of what these exploits entailed.
 
User avatar
hknet
Member Candidate
Member Candidate
Posts: 126
Joined: Sun Jul 17, 2016 6:05 pm
Location: Vienna, Austria
Contact:

Re: Security announcement blog

Sat Aug 25, 2018 10:04 am

RSS is good, but will be nice to have some mailing list for security announcement and firmware update
+1 for security announcement mailinglist
+2
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Sat Aug 25, 2018 4:17 pm

 
User avatar
boldsuck
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: Security announcement blog

Sun Aug 26, 2018 5:48 pm

@npyoung
Is there a way to log into these compromised devices remotely? The devices that were compromised today are not reachable using telnet, ssh, or winbox.
Telnet?! (You're kidding, right?) ;-)
or winbox from WAN?!

I think you should read basic about the security configuration of your router.
Here is a very good introduction:
https://www.manitonetworks.com/networki ... figuration

Take the time to read. Winbox or Web service vulnerability can not harm your routers then.

I think you'll have to visit your routers local if they're really compromised.
Make a factory reset and play your backup.
Do not forget to create a backup after each upgrade!

Hint:
No SSH login via password only with ssh key.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Security announcement blog

Tue Sep 04, 2018 4:25 pm

CVE-2018-14847 - https://thehackernews.com/2018/09/mikro ... cking.html

Is the above a new vulnerability, tried searching the blog for the CVE Article number, but can't find it on the Mikrotik Security Blog or change logs
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Tue Sep 04, 2018 4:31 pm

CVE-2018-14847 - https://thehackernews.com/2018/09/mikro ... cking.html

Is the above a new vulnerability, tried searching the blog for the CVE Article number, but can't find it on the Mikrotik Security Blog or change logs
same old. we did not assign that CVE, so we don't mention it:
https://blog.mikrotik.com/security/winb ... ility.html
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Security announcement blog

Tue Sep 04, 2018 4:48 pm

Thought so, thx Normis
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Sep 05, 2018 9:07 am

ite is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
blog works fine over ipv6, make sure your ipv6 is configured correctly and you can ping 2a02:610:7501:1000::195
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Sep 05, 2018 10:47 am

ite is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
blog works fine over ipv6, make sure your ipv6 is configured correctly and you can ping 2a02:610:7501:1000::195
It is a copy/paste of an earlier exchange in this topic (page 1) between you and me. No idea why!
That IPv6 problem was solved immediately back then.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Sep 05, 2018 10:49 am

ite is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
blog works fine over ipv6, make sure your ipv6 is configured correctly and you can ping 2a02:610:7501:1000::195
It is a copy/paste of an earlier exchange in this topic (page 1) between you and me. No idea why!
That IPv6 problem was solved immediately back then.
probably spammer
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Sep 05, 2018 10:50 am

probably spammer
I think so, I now notice the same behaviour in another topic. Better ban that user.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Sep 05, 2018 10:58 am

:-)
 
usx
newbie
Posts: 26
Joined: Sun Oct 27, 2013 7:30 pm

Re: Security announcement blog

Wed Sep 12, 2018 12:53 am

That blog is so freaking awesome!

BUGFIX UPDATE 6.40.9 RELEASED -- https://blog.mikrotik.com/software/bugf ... eased.html

Well, that was the first and last blog entry about a release...

We really need an email subscription list for all new releases/bugfixes/secvulns. Is that really so hard to do??? Isn't security the core of your business???

I used to get some emails from you guys about new releases, but then from one day to another they ceased to be sent out / reach me.

RouterOS v6.34 RC (The Dude and CHR) from 12/9/2015 was the last one which I received.

BTW, today you got a lot of bad reputation at Security Now from Steve Gibson. Rightly so!
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Security announcement blog

Wed Sep 12, 2018 9:03 am

Hi. I looked into some of our routers log... and found some strange activity.
aug/25 17:52:12 system,info verified routeros-mipsbe-6.42.7.npk
aug/25 17:52:12 system,info installed routeros-mipsbe-6.42.7
aug/25 17:52:12 system,info router rebooted
[...]
aug/25 18:16:47 system,info script removed by admin
aug/25 18:17:07 system,info script removed from scheduler by admin
[...]
(passwords changed here)
[...]
sep/01 22:07:44 firewall,info ---WinBox port--- input: in:ether1 out:(unknown 0), src-mac 6c:9c:ed:34:bb:71, proto TCP (SYN), 5.101.6.170:56680-> xxx.xxx.xxx.xxx:8291, len 40
[...]
sep/10 00:36:04 firewall,info ---WinBox port--- input: in:ether1 out:(unknown 0), src-mac 6c:9c:ed:34:bb:71, proto TCP (SYN), 5.101.6.170:53804->xxx.xxx.xxx.xxx:8291, len 40
[...]
sep/10 01:53:20 firewall,info ---WinBox port--- input: in:ether1 out:(unknown 0), src-mac 6c:9c:ed:34:bb:71, proto TCP (SYN), 5.101.6.170:50515->xxx.xxx.xxx.xxx:8291, len 40
[...]
sep/10 10:53:08 firewall,info ---WinBox port--- input: in:ether1 out:(unknown 0), src-mac 6c:9c:ed:34:bb:71, proto TCP (SYN), 5.101.6.170:50832->xxx.xxx.xxx.xxx:8291, len 60
[...]
sep/11 07:02:10 system,info,account user test logged in from 5.101.6.170 via api
sep/11 07:02:10 system,error,critical login failure for user admin from 5.101.6.170 via api
sep/11 07:02:11 system,info,account user test logged out from 5.101.6.170 via api
[...]
sep/11 15:42:48 system,info,account user test logged in from 5.101.6.170 via api
sep/11 15:42:49 system,error,critical login failure for user admin from 5.101.6.170 via api
sep/11 15:42:50 system,info,account user test logged out from 5.101.6.170 via api

I logged only the NEW connections.
So, what did I forgot ? Or have we another backdoor in 6.42.7 somewhere to steal passwords (which is looong and hard to bruteforce I think).

Best regards: CsXen
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Security announcement blog

Wed Sep 12, 2018 9:12 am

Did the user 'test' already exist? Did you change the password of user 'test' or only 'admin'? What rights does user 'test' have?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Sep 12, 2018 9:43 am

BUGFIX UPDATE 6.40.9 RELEASED -- https://blog.mikrotik.com/software/bugf ... eased.html

Well, that was the first and last blog entry about a release...
What other releases did you expect? There have been no other releases!
 
usx
newbie
Posts: 26
Joined: Sun Oct 27, 2013 7:30 pm

Re: Security announcement blog

Wed Sep 12, 2018 12:44 pm

What other releases did you expect? There have been no other releases!
6.43 for Stable and 6.44beta6 for Testing. I'm on the stable channel because I got automatically inserted into it. Don't you see the flaw? Aren't those releases as well? Or are we Stable and Testing users not special enough, like those fancy Long-term ones?

7 devices are on Stable because I never changed their setting. The last one if it i bought this year.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Sep 12, 2018 12:53 pm

Why would you put every beta release on a security announcement blog?
Please subscribe to the releases RSS or Email list, those exists for 10 years or more.

The blog is for long-term stable releases and security announcements or other monumenally important things, not every nightly build release.
 
usx
newbie
Posts: 26
Joined: Sun Oct 27, 2013 7:30 pm

Re: Security announcement blog

Thu Sep 13, 2018 5:24 pm

Email list
Now we're talking. I was subscribed to it until it stopped sending me emails, without me unsubscribing. Where can I find that list? That solves the complete issue. I just thought they've dropped the list.

Is it this one? https://mikrotik.com/client/ecom_notify.php
I got that link from my last email from 2015, but removed the unregn query string parameter.

I can't find any "official" link to the URL I mentioned above. It appears to be part of the "Account" section, but I have no account on the mikrotik.com website (only on the forum).

Oh jesus christ. It's in big red at the bottom of the page... I'm a genius... as in stable genius...
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Security announcement blog

Fri Sep 14, 2018 10:09 am

Did the user 'test' already exist?
Yes, it exists (not "test", I changed the name to "test" for anonymizing purposes).
Did you change the password of user 'test' or only 'admin'?
Yes, every user has changed password.
What rights does user 'test' have?
Fortunately only "login", "read" and "reboot"... probably this is the reason, that intruder can not made any alterings in the config.

Best regards: CsXen
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Fri Sep 14, 2018 11:45 am

Email list
Now we're talking. I was subscribed to it until it stopped sending me emails, without me unsubscribing. Where can I find that list? That solves the complete issue. I just thought they've dropped the list.

Is it this one? https://mikrotik.com/client/ecom_notify.php
I got that link from my last email from 2015, but removed the unregn query string parameter.

I can't find any "official" link to the URL I mentioned above. It appears to be part of the "Account" section, but I have no account on the mikrotik.com website (only on the forum).

Oh jesus christ. It's in big red at the bottom of the page... I'm a genius... as in stable genius...
I subscribed to both and I got the same e-mail with an other link to confirm. I used dedicated e-mail addresses so I will know which one is used.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Fri Sep 14, 2018 11:47 am

We also have RSS for those that use it. Both in the Blog and also for releases.
 
ssaki
just joined
Posts: 3
Joined: Wed Nov 08, 2017 12:40 pm

Re: Security announcement blog

Mon Oct 08, 2018 7:37 am

 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Mon Oct 08, 2018 10:09 am

Thankfully those CVEs appear to be fixed in 6.40.9 and 6.42.7.

Good to see that MikroTik is taking RouterOS security seriously with those CVEs. Meanwhile, I'm still waiting for MikroTik to confirm when Ticket#2018041622003823 (unauthenticated remote crash, does not require any management interface to be open to the attacker) will be fixed.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Mon Oct 08, 2018 11:08 am

...Meanwhile, I'm still waiting for MikroTik to confirm when Ticket#2018041622003823 (unauthenticated remote crash, does not require any management interface to be open to the attacker) will be fixed.
I have no idea what vulnerability is it about and to be honest, I don't want to know. However, if what you say is true, then there is such issue for almost half year? Sounds almost unbelievable.
Did you get any reply since you reported it?
Can it be prevented with firewall?
Maybe you need to publish it to generate some pressure...
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Mon Oct 08, 2018 11:29 am

That ticket talks about packet flood over IPv6, I think. I did not read the whole ticket, there are many emails. Ticket number is from the first mail.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Wed Oct 10, 2018 6:38 am

Thats why I asked Maznu to give bit clearer description. I may not be a blind fanboy but I still believe you guys are doing your best and I find it hard to believe you would leave real reported vulnerability without reaction.
If it is just flood attack which overwhelms router and cause restart due to for example watchdog timer which can't get ping reply, then I wouldn't call it vulnerability.
He does not need to share detailed info if he is concerned that it is real threat. However if he blame you for missing reponse, he might share a bit...
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Oct 10, 2018 9:26 am

Yes, it is exactly that. Denial of service from some type of IPv6 packet flood, where router runs out of resources. It was answered, that we accept this as a bug, but we would not call it a vulnerability, because there are many ways how to exhaust resources of any device.
 
anuser
Long time Member
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: Security announcement blog

Wed Oct 10, 2018 10:03 pm

Talking about IPv6 attacks. Get https://github.com/vanhauser-thc/thc-ipv6 and try it in your subnet with different options while some clients will immediately have 100% of cpu usage. And you cannot block all of those attacks on even modern switching hardware.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Fri Oct 12, 2018 10:23 am

Yes, it is exactly that. Denial of service from some type of IPv6 packet flood, where router runs out of resources. It was answered, that we accept this as a bug, but we would not call it a vulnerability, because there are many ways how to exhaust resources of any device.
If I send IPv6 packets at a gigabit across a gigabit-capable router with the same src+dst addresses, everything is fine. Your routers route packets just fine.

But if I send IPv6 packets at a gigabit across the same router — but the packets have DIFFERENT DST addresses — then the router crashes.

NOTE: This is NOT IPv6 neighbour exhaustion — the router being "attacked" does not need to be directly connected to the DST addresses. It is caused by the router *transitting* those packets. It took many emails for your team to realise this, because they were deflecting this as "resource exhaustion" caused by IPv6 ND. Your team finally accepted that this is a problem for routers in between the SRC and DST subnets.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Fri Oct 12, 2018 10:30 am

Can it be prevented with firewall?
It can be firewalled by not routing any IPv6. But if you have a RouterOS device anywhere in the path between one subnet and another subnet, even if not directly connected to that router, and it is forwarding IPv6 packets, it is vulnerable to being crashed.
Maybe you need to publish it to generate some pressure...
I'm starting to believe that this is the only way forward, sadly.

A router should be able to *route* packets. It should not crash just because lots of different addresses were used. The quickest way to demonstrate/test the vulnerability is to use a "flooding tool" — but we see organisations are starting to scan IPv6 address space, which if done quickly enough, will cause a crash for an IPv6 transit provider.

I don't believe IPv6 ND should crash RouterOS either — that's also a denial of service security issue in my mind. But the ticket I refer to affects all RouterOS devices between the source and destination, regardless of whether the attacker or target subnet are directly connected to the victim router.

Several forum members have been involved in this discovery: viewtopic.php?f=2&t=125841&p=654538

Please, MikroTik, consider this to be a denial of service vulnerability.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Fri Oct 12, 2018 10:36 am

Here is the original message I sent to support on 2018-04-16:
I have just run a trial with two MikroTik devices, all running latest release candidate.

RaspberryPi ---- hAP ac2 ---- hEX

On the raspberry pi, eth0 = 2a01:9e02:0:4242:xxxx:xxxx:xxxx:xxxx/64 (autoconf address, doesn't matter)

On the hAPac2, bridge = 2a01:9e02:0:4242::1/64

On the hAPac2, ether2 = 2a01:9e02:0:1::2/64
On the hEX, ether2 = 2a01:9e02:0:1::1/64

On the hEX, target (a bridge) = 2a01:9e02:0:666::666/64

There are static routes on the hAPac2 and hEX so that 2a01:9e02:0:666::/64 and 2a01:9e02:0:4242::/64 can route to each other.

If I run this on the Raspberry Pi:

XXXREDACTEDXXX 2a01:9e02:0:666::/64

Then the hAPac2 crashes. This is a problem, because I have used TTL-exceeded packets (cannot be firewalled), and I have crashed a router which is transiting the packets. The target of the ICMP flood, 2a01:9e02:0:666::/64, is not directly connected to the router which crashed. A supout is attached.



This is a remote denial of service attack against RouterOS. I believe MikroTik should get a CVE, and fix this urgently.
Last edited by maznu on Sat Mar 30, 2019 2:20 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 11:14 am

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
When you are facing such attacks on the local network, you are in trouble. Especially when you have a small router which does not have gigabytes of RAM.
The issue is: when there would be some limit set that makes the router not crash, it would then be possible to claim the attack leads to denial-of-service, as
an attacker that fills up the capacity to the limit will deny further legitimate traffic from other users. So that is not really a solution, and a crash may in fact
be better as then the router starts with a clean slate after the crash so at least the normal users have service again.

It is a well-known problem which is worse in IPv6 because of the larger address space, but can be present in IPv4 as well.
It is just a fact that it is difficult to defend against all possible cases of wrongdoers.

When you get such attacks from the internet side, you can at least do firewalling that drops unwanted incoming connections, preferably in the raw table.
For example, you can use an address list with a firewall rule that adds the source address of any traffic going to internet with a timeout of say 4h, and
that address list also holds the static addresses of any systems you want to be reachable from outside. Then on the internet interface you immediately
drop all traffic not towards members of that address list (in the raw table). This makes it impossible to saturate the router by sending to many random
destination addresses local to the router or further in the network.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Fri Oct 12, 2018 11:27 am

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
Happens with IPv6 set to NOTRACK. It's not tracking causing this.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 12:19 pm

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
Happens with IPv6 set to NOTRACK. It's not tracking causing this.
So it is ND (also indicated by the name of the tool).
You will not be affected when you block the incoming traffic on your internet interface so it is not routed towards the interface where ND is happening.
ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers to not use it. (but they could use tracking)
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Fri Oct 12, 2018 12:55 pm

So it is ND (also indicated by the name of the tool).
No, you're doing exactly the same thing MikroTik support did — that is, not reading the addresses that are being targetted. Despite using a tool for ND crashing, it is not ND which is causing the problem — it's just an easy to find tool which will send ICMPv6 packets to lots of different destination addresses.

MikroTik Support eventually read my emails properly, after a week of back-and-forth, and acknowledged this problem:
I can confirm the problem, in one case forwarding of ipv6 traffic eats all the memory. There is also another case when kernel is crashing, but also can be related to low memory.
We will look into this problem.
Last edited by maznu on Fri Oct 12, 2018 2:37 pm, edited 1 time in total.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Fri Oct 12, 2018 1:23 pm

ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers to not use it. (but they could use tracking)
To refer you back to my post, and why ND is not to blame (despite using an "ND exhaustion tool"):
RaspberryPi ---- hAP ac2 ---- hEX

If I run this on the Raspberry Pi:

XXXREDACTEDXXX 2a01:9e02:0:666::/64

Then the hAPac2 crashes.
The question I had for MikroTik was: why is the hAP ac2 crashing? The target subnet is connected to the hEX. The hEX is doing ND, the hAP ac2 is not doing ND. Yes, the hEX crashes (it should not — the IPv6 neighbor table should not grow without bound!). But the hAP ac2 also crashes, and for a different reason to ND exhaustion. Guess what? CCRs used for transit also crash. That means a customer of an ISP running MikroTik routers as their BGP edge can use the ND exhaustion tool (targeting a subnet "out on the Internet") and crash their own ISP's MikroTiks.
Last edited by maznu on Fri Mar 29, 2019 8:32 am, edited 1 time in total.
 
GregC
just joined
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Security announcement blog

Fri Oct 12, 2018 3:28 pm

While we are on the topic of security and forgive me if this has been addressed before.
Someone hacks the router as it happened in the resent past or perhaps they find another hole in the future. Why is it that if we forget the username and/or password there is no way to see it or export it? This is good, and is very secure and that is the way it should be.
This takes me to the real question of this post. If I have VPN enabled and someone access the router, export the configuration, they can see the /ppp secret information and ipsec-secret.
For example:
/ppp secret
add name=myusername password=mypassword profile=VPN
Is there are reason why this has to be this way? If there is a better way please let me know. Thank you!
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 4:47 pm

Not "someone access the router". When "some user" logs in to the router they cannot see this info. They have to be an administrator to see it.
The reason why this data is stored in plaintext is that it has to be available in plaintext for the protocols it is used for (IPsec, xCHAPx).
So you cannot store a hash value of those values.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 4:50 pm

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different.
 
GregC
just joined
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Security announcement blog

Sat Oct 13, 2018 12:49 am

Not "someone access the router". When "some user" logs in to the router they cannot see this info. They have to be an administrator to see it.
The reason why this data is stored in plaintext is that it has to be available in plaintext for the protocols it is used for (IPsec, xCHAPx).
So you cannot store a hash value of those values.
@pe1chl thank you for your response.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Security announcement blog

Sat Oct 13, 2018 10:27 am

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different.
This is an out-of-the-box configuration, plus IPv6, NOTRACK, and some static routes.

MikroTik confirmed to me back in March that they have reproduced this issue. I'm just hoping that they treat it as what it is — a remote, unauthenticated denial-of-service — and fix it soon.
 
usx
newbie
Posts: 26
Joined: Sun Oct 27, 2013 7:30 pm

Re: Security announcement blog

Tue Nov 20, 2018 12:48 am

Fri Sep 14, 2018 9:45 am
Email list
Now we're talking. I was subscribed to it until it stopped sending me emails, without me unsubscribing. Where can I find that list? That solves the complete issue. I just thought they've dropped the list.

Is it this one? https://mikrotik.com/client/ecom_notify.php
I got that link from my last email from 2015, but removed the unregn query string parameter.

I can't find any "official" link to the URL I mentioned above. It appears to be part of the "Account" section, but I have no account on the mikrotik.com website (only on the forum).

Oh jesus christ. It's in big red at the bottom of the page... I'm a genius... as in stable genius...

Sooo, a long time later... I haven't received any notification of Release 6.43.3 and Release 6.43.4.

Does that mailing list even work???
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Tue Nov 20, 2018 2:29 am

Interesting.. I found myself unsubscribed from everything, including security info
 
raudpolt
just joined
Posts: 2
Joined: Thu Oct 18, 2018 11:11 am

Re: Security announcement blog

Wed Nov 21, 2018 9:32 am

My usual routine is to check log files every morning and today I got some intrusion attempts. Winbox is not at the default port and is protected but still.
You do not have the required permissions to view the files attached to this post.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security announcement blog

Wed Nov 21, 2018 11:03 pm

This tells me that you should close it 100% from outside and use VPN.
Last edited by Jotne on Thu Nov 22, 2018 2:14 pm, edited 1 time in total.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security announcement blog

Thu Nov 22, 2018 8:33 am

This tells me that you should close it 100% and use VPN.
Complete closure does not prevent attackers from trying though ...
 
raudpolt
just joined
Posts: 2
Joined: Thu Oct 18, 2018 11:11 am

Re: Security announcement blog

Thu Nov 22, 2018 7:44 pm

This tells me that you should close it 100% from outside and use VPN.
Actually it is closed by the book, every possible measure taken. Cannot be 100% sure off course. This IP is known circulating in honeypots and its in every possible scam database, however this bot specifically works as a winbox scanner. By the way, the default port is changed also. Something to think about for those who think they secured their winbox.
 
GregC
just joined
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Security announcement blog

Fri Nov 23, 2018 1:40 am

I have a CCR1036-12G-4S router that I finally got to the location to update from version 6.40.3. I’ll guess that I’ve been lucky that it may have not been hacked with the exception of these lines:

/ip firewall layer7-protocol
add name=WB regexp="/\\.\\./\\.\\.\?/"

/ip firewall filter
add action=tarpit chain=input comment=WB protocol=tcp src-address-list=BANIP

/ip firewall mangle
add action=add-src-to-address-list address-list=BANIP address-list-timeout=none-dynamic chain=input comment=WB dst-port=8291 layer7-protocol=WB protocol=tcp

/system package update
set channel=development

Should I worry about this? Was it a good Samaritan from Mikrotik that did this? Or am I wrong about this? As I search this forum all I find is lines with the comment=WB. I vaguely remember reading that someone was doing this, but can’t recall the details – thanks.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security announcement blog

Thu Nov 29, 2018 10:45 pm

Here you se why you should upgrade.
This is our company firewall last 24 hour. 65000 hits on port 8291, mostly from Iran (50 different IP in Iran)
And its on top of our list of port tried to enter.
.
8291Winbox.jpg
You do not have the required permissions to view the files attached to this post.
 
User avatar
Morphlingg
just joined
Posts: 3
Joined: Tue Jul 16, 2019 6:28 pm
Location: Washington
Contact:

Re: Security announcement blog

Tue Jul 16, 2019 6:38 pm

Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
Yes it is

Who is online

Users browsing this forum: BillyVan, Hassan512, holvoetn, Ralfu and 18 guests