Normis, I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.
The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.
So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force upgrade your device.
Securely? I only have winbox access opened to WAN and with a different port than the default one.
How happy would you be if Tesla would suddenly reboot and try to upgrade in a middle of slippery mountain road with a lot of dangerous turns?
A router is supposed to work 24/7 and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist to administer network, upgrade routers or set up upgrade scripts scheduled for most convenient time.
That's why I have chosen MikroTik since 2001, to use it without worries. I am not a sysadmin; I just show clients and friends the best affordable equipment on the market with the best software to manage it, and I'm happy to have MikroTik.
So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force upgrade your device.
Securely? I only have winbox access opened to WAN and with a different port than the default one.
Also, how could we upgrade it if you have a firewall?
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
I think that I wouldn't want my 160.000€ car to stop whenever it feels like it should update itself, while I am in a rush to get my pregnant wife or my hurt child to the hospital.
A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car .... what do you think?
No, it should not.
Automatic upgrade should be the default
Only if you're using the Micro$oft definition of 'best', which really means worst.
and is quickly becoming best practice.
I think it's unfair to call MikroTik bone-heads in this case, as they are also saying no to the automatic upgrades.
No, it should not.
Automatic upgrade should be the default
Only if you're using the Micro$oft definition of 'best', which really means worst.
and is quickly becoming best practice.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
I don't think he meant MikroTik but the likes of Microsoft and their stupid forced updates.
I think it's unfair to call MikroTik bone-heads in this case, as they are also saying no to the automatic upgrades.
It is indeed Micro$oft I meant.
I don't think he meant MikroTik but the likes of Microsoft and their stupid forced updates.
In Windows 10 it does, actually.
Even your "beloved" Microsoft does not force reboots.
It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force an automatic reboot at some point outside of a (somewhat) configurable "activity period". You can configure this activity period (with limitations), but that's it. Nothing else can be changed/configured unless you are using Pro or Enterprise edition, and even then you need to know how to use the policy editor and what policy to tweak in order to prevent automatic updates from happening without user consent.
No it does not, unless you scheduled automatic restarts.
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
would check firewall rules for unsafe entries on every upgrade
Everything outside default protection rules. It should be only a warning, nothing else.
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
would check firewall rules for unsafe entries on every upgrade
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
Everything outside default protection rules. It should be only a warning, nothing else.
No, not everybody. Only those who care enough to check their router from time to time. Those that don't care even to upgrade ancient unsafe ROS versions won't be bothered about it.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
Everything outside default protection rules. It should be only a warning, nothing else.
See how your own position is skewing your point of view?
So, us, professional users of ROS, ...
Hi, I have several clients that still have 6.38.5 and were compromised this weekend.
The new firmware file has been uploaded, but is ignored when it reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions including 6.42.3.
I have also reset the configuration then tried new firmware. It still fails to take the new firmware.
Any suggestions?
This is plain stupid!
Automatic upgrade should be the default and is quickly becoming best practice.
But then you don't understand what "default" means?
This is plain stupid!
Automatic upgrade should be the default and is quickly becoming best practice.
I could be fired on the spot if I don't issue warning about down time. Some environments depend on
equipment which is 24/7/365 up.
We could add this into our iOS/Android application wizard mode.
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
I think this already exists:
Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router but it does a lot of other things.
Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
(especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)
The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
Thanks for the link.
This vulnerability is from 6.28. I try it:
https://github.com/BigNerd95/WinboxExploit
https://github.com/BasuCert/WinboxPoC
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox v3.18. I have been hacked by an attacker.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections, now I can not connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to put me out again.
Have you netinstalled?
You should not allow remote connection to the router admin interface from the entire internet. That is just asking for trouble. The default firewall does not allow that, please do not remove that rule.
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections, now I can not connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to put me out again.
Have you netinstalled?
Just to confirm the (hopefully) obvious, you did use a different password afterwards, right?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections, now I can not connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to put me out again.
Have you netinstalled?
+1 for a dedicated release channel for security fixes and an auto upgrade option menu to enable/disable.
Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox v3.18. I have been hacked by an attacker.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
What is your take here!
I think that automatic upgrade could be in "default configuration" - if you do anything beyond average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.
This is plain stupid!
Automatic upgrade should be the default and is quickly becoming best practice.
I could be fired on the spot if I don't issue warning about down time. Some environments depend on
equipment which is 24/7/365 up.
Not everyone has MikroTik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.
Happy networking,
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
I think that automatic upgrade could be in "default configuration" - if you do anything beyond average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.
This is plain stupid!
Automatic upgrade should be the default and is quickly becoming best practice.
I could be fired on the spot if I don't issue warning about down time. Some environments depend on
equipment which is 24/7/365 up.
Not everyone has MikroTik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.
Happy networking,
Home users, who do not care much and leave the default config on (or those who do not understand/do not care) will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two or three minute outage during the night hours.
No, for it to be useful it HAS TO BE enabled by default!
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as system engineer/admin. I don't say it lightly.
Just to be sure, I would like to say that by "should be in default configuration" I don't mean "it should be the default value". Yes, the default value (when you erase the configuration) should be "off"; in the "default configuration" (the factory default when you turn on the device for the first time) it imho should be "on".
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
I think that automatic upgrade could be in "default configuration" - if you do anything beyond average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.
This is plain stupid!
Automatic upgrade should be the default and is quickly becoming best practice.
I could be fired on the spot if I don't issue warning about down time. Some environments depend on
equipment which is 24/7/365 up.
Not everyone has MikroTik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.
Happy networking,
Home users, who do not care much and leave the default config on (or those who do not understand/do not care) will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two or three minute outage during the night hours.
That's my opinion based on 30 years of experience as system engineer/admin. I don't say it lightly.
Here, in the country I am from, all home CPE routers belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.
Br,
Sasa
If you just connect the device to the network and you don't care about config at all, it becomes a ticking bomb for the rest of the network.
You have proof? For example, screenshots or something?
Fix ROS 6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
I will do so when I reset the router in order to gain access back to it ...
Hi.
If you can, try to switch on the packet sniffer, and log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.
Best regards: CsXen
You can use VPN for remote access. It's simple and then WAN can be easily filtered...
Hi.
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs.
If you just connect the device to the network and you don't care about config at all, it becomes a ticking bomb for the rest of the network.
I have a full Syslog!
You have proof? For example, screenshots or something?
Fix ROS 6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
I secured the router perfectly, closing every single entry door! Filtering and blocking the MAC address of the attacker didn't do anything! Where is MikroTik on that!
You can use VPN for remote access. It's simple and then WAN can be easily filtered...
Hi.
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs.
If you just connect the device to the network and you don't care about config at all, it becomes a ticking bomb for the rest of the network.
And? Can you share it with us? Or with support@mikrotik.com
I have a full Syslog!
You have proof? For example, screenshots or something?
Fix ROS 6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
I will mask the users and MAC address and post the log!
And? Can you share it with us? Or with support@mikrotik.com
I have a full Syslog!
You have proof? For example, screenshots or something?
Fix ROS 6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Date Time Message Text
And? Can you share it with us? Or with support@mikrotik.com
I have a full Syslog!
You have proof? For example, screenshots or something?
Fix ROS 6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Therefore if there is still some other way to access the file, it means it is still possible to get the password of any user.
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
Um, quick question.
I masked his MAC and some IPs ... after his last mac-telnet and login, logging stopped and I was no longer able to login again.
Is this the first time this router has been hacked?
With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print
/system shutdown
y
Thanks for your time replying with all the above! Yes, I was missing the MAC access and when I wanted to take over and set them to none he trapped me and kicked me out. Anyway the ether9 is the LAN to the ISP for the microwave link with inter-branching! When he realized that I was aware of the situation he started resetting every single router on the ISP side, almost 30 MikroTik APs with ROS versions below 6.40 ...
Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
Therefore if there is still some other way to access the file, it means it is still possible to get the password of any user.
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
I will not speculate about possible reasons in your situation. There are many possibilities including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.
Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example the following code won't do anything:
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore it does not go through any chain available in /ip firewall. (However the packet count of such a rule still increases, which is weird...)
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I found the only way to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior because the bridge will be in running state even if you disconnect the cable from your ethernet port.
Another way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from WAN and whether you had enabled/disabled MAC access on the WAN interface?
Unfortunately, it wasn't the 1st time. I was cleaning after him every time but he kept getting back in through that mac-telnet and again mac-winbox. Absolutely Casper! Until yesterday, when I decided for the 1st time to install a remote syslog! From that syslog I was able to trace his prints, and started to fight back and clean all that he did ... The funny thing is that with mac-telnet, whatever you do, the log will not catch it!!! I was expecting to see some commands but nothing! I never knew this.
Is this the first time this router has been hacked?
With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Have you done netinstall and added config from scratch?
Didn't bother to look! This MAC was another RouterBOARD switch connected to the inter-branching. Probably he NATed the port from a PC or winbox-enabled OS to the machine with this MAC to get a different MAC than the real one! Mysterious
Can you identify the MAC address (MAC vendor)?
Have you tried looking it up via ip/arp, bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?
Have you cross-checked with your own machines and ensured it isn't a local device?
No way, I am a specialist; I use MacOS and it is very clean. 0 chance for a keylogger.
You can change the password all day long, but if someone has remote access on your PC most probably they have installed a keylogger also.
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
I was so far from that location, and when I wanted to act badly he was faster; anyway, thank God things went OK this morning and I rescued everything, having a very difficult and stressful time.
Hey caresss
As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface list to prevent access from any untrusted networks.
The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print
I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y
I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall
You can e-mail support@mikrotik.com and they might have more/better suggestions.
By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
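As an added illustration of the defensive advice above (example code written for this page, not from the thread or from MikroTik), a small Python audit over remote-syslog lines of the kind quoted earlier: it flags logins by accounts the administrator did not create, logins that arrived via MAC-Telnet/MAC-WinBox (which the IP firewall cannot block), and IP logins from outside a trusted management range. The sample lines, user names, MAC and IP values are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of RouterOS remote-syslog lines (topics, then message),
# modelled on the format quoted in this thread. All user names, MAC and IP
# values are placeholders, not real ones.
SAMPLE_LOG = """\
system,info,account user admin logged in from 192.168.88.10 via winbox
system,info,account user NewUserCreated logged in from AA:BB:CC:DD:EE:01 via mac-telnet
system,info,account user NewUserCreated logged in from AA:BB:CC:DD:EE:01 via mac-winbox
system,info,account user NewUserCreated logged in from 192.168.88.20 via telnet
system,info,account user admin logged in from 203.0.113.7 via winbox
system,info,account user admin logged out from 192.168.88.10 via winbox
"""

# "user <name> logged in from <source> via <service>"; the source is an IP
# address for IP services and a MAC address for MAC-Telnet/MAC-WinBox.
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<svc>\S+)")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MAC_SERVICES = {"mac-telnet", "mac-winbox"}


def audit_logins(log_text, known_users, trusted_prefixes):
    """Return a list of (reason, line) findings for suspicious logins.

    Reasons:
      unknown-user     - the account is not one the administrator created
      mac-layer-login  - arrived via MAC-Telnet/MAC-WinBox or from a MAC source;
                         /ip firewall never sees this traffic, only the
                         /tool mac-server interface lists can restrict it
      untrusted-source - an IP login from outside the trusted management range
    """
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # logouts and unrelated topics are not login events
        user, src, svc = m.group("user", "src", "svc")
        if user not in known_users:
            findings.append(("unknown-user", line))
        if svc in MAC_SERVICES or MAC_RE.match(src):
            findings.append(("mac-layer-login", line))
        elif not any(src.startswith(p) for p in trusted_prefixes):
            findings.append(("untrusted-source", line))
    return findings


def summarize(findings):
    """Count findings per reason, e.g. for a daily report or an alert threshold."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == "__main__":
    found = audit_logins(SAMPLE_LOG, known_users={"admin"},
                         trusted_prefixes=("192.168.88.",))
    for reason, line in found:
        print(f"{reason:16} {line}")
    print(summarize(found))
```

Replace SAMPLE_LOG with a real syslog export to run it on a live router; the RouterOS-side counterpart of the mac-layer-login check is the interface list in /tool mac-server and /tool mac-server mac-winbox.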
Based on my experience with MikroTik and MOAB, where I have been asked to remotely install the service, many of the router firewalls are misconfigured.
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/
Owners being angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a gray hat hacker you are on the wrong side of the law but with good intentions and helping us all; it should not lead to consequences.
Can anyone confirm this, or is it just bragging?
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Thanks for this information, some of my devices (set up on 18 Dec) with fw version 6.42.10 had this "attack".
It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 on April 23, 2018.
Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.
Steps to be taken:
- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html
Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.
So why would your link be down? Clients connect to whatever frequency the SSID has set. And if you indeed have some very special purpose here, why did you set regulatory country?
@pe1chl You are right. But, let's look at the problem with wireless in the new update 6.43.8. If I had set up auto-upgrade, at the time of the upgrade the entire network would have stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And the link is down.)
I know, superchannel with country is wrong conf.. but auto-upgrade can be dangerous in this example.
I can't speak for his situation but it is not really uncommon that a link goes down when one side changes frequency, e.g. because
So why would your link be down?
Check if the update changed your master-slave settings to bridge. That's the #1 thing I saw taking out routers that upgraded from below 6.40.8 to above it. Fixing the bridges and moving IP/DHCP-Server/Filter-Rules to use the new bridge interface got things going again.
I upgraded my router and it stopped working...
Check the architecture of the router, make sure you are using the correct file.
I'm having issues upgrading. It doesn't do it.. check for updates then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using hAP ac....
I have a hAP ac lite with version 6.42rc24 software; I tried different steps updating it to 6.44beta50.
Check the architecture of the router, make sure you are using the correct file.
I'm having issues upgrading. It doesn't do it.. check for updates then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using hAP ac....
Need more information to be able to help you. What and how are you updating? From what version to what version? Again, how are you doing it?
Screen shot of the logs after reboot
Nope, it did not upgrade to 6.43.8 or the 6.44beta
Anything in the log just after reboot?
Did it upgrade to current (6.43.8 ) in the step 2?
Can you post the list of installed packages?
THANKS a LOT! It worked and it's updated.
The problem is that you somehow ended up with two instances of the package hotspot installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented on the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
Tnx, I know, but it would be cool if we could do that SOCKS access entry removal with the update when routers are miles away...
@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
Darman, how do you think an update will know what socks entries are legitimate and what are not?
Better idea: if the router is set up incorrectly/insecurely, brick it.
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
Darman, how do you think an update will know what socks entries are legitimate and what are not?
Hi, has anyone read this?
https://medium.com/tenable-techblog/mik ... d46398bf24
https://medium.com/tenable-techblog/mak ... 0705459bc6
Would you be able to share that system?
I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
Basically my routers have a script version number; they then have a scheduled script that makes them contact a web server at a regular interval to check if a file with the next script version number exists. If a file with the next script version number exists, it downloads it and executes it.
Would you be able to share that system? :)
I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
That is not correct! On every router except the CCR the default has been (at least for a very long time) to block all input from the internet by default.
Essentially the most general most important dilemma about most commonly (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that main default settings did not sincerely shut all WAN access to RB.
Is it enough to only upgrade the OS to a safe version, or MUST I do netinstall?
It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 on April 23, 2018.
Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.
Steps to be taken:
- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html
Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.
As stated multiple times in this thread, and other places on the forum: if you want to be 100% sure that your router is not infested with some Lovecraftian horror, netinstall it.
Is it enough to only upgrade the OS to a safe version, or MUST I do netinstall?
Automatic upgrade with reboot will never become best practice in non-HA clusters.
Automatic upgrade should be the default and is quickly becoming best practice.
That's not what I call "best practice"
Well, why not, as long as I can turn it off and I'm not left out with setting "active hours".
You are not going to tell us that those 200.000 - 400.000 compromised MikroTik routers form a HA cluster, do you?
Automatic upgrade with reboot will never become best practice in non-HA clusters.
Automatic upgrade should be the default and is quickly becoming best practice.
I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).
I think the point was that unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because a small mistake could result in thousands of inoperable routers, which would not amuse users either.
What if they don't find any for a while? Imagine that there's no vulnerability for a few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years. They would have to minimize the number of preinstalled versions somehow (to make testing easier), but with new hardware coming out all the time, I don't know how.
It should only be updated when security vulnerabilities have been found and fixed, ...
Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.
I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).
I have not clearly stated (and I am not really sure) if they should make a minor release to fix security issues for every major release out in the field.
What if they don't find any for a while? Imagine that there's no vulnerability for a few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years.
It should only be updated when security vulnerabilities have been found and fixed, ...
There could be a default firewall where the user can add things, and an "expert" mode where they can redesign the whole firewall when desired.
Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.
Bugfix version 6.38.7 should be vulnerable to the exploit, assuming the firewall or service doesn't block IP access and MAC-WinBox-Server is running for MAC access.
Hello, we have found that our CCR is not accessible, it has been compromised, user and password have changed. V 6.38.7 (bugfix) is the version that appears from winbox; we have tried ExploitWinbox and Macserverexploit but it does not work, what else can we do? We do not have a backup ..... Thanks!
No, because this is just a list of bookmarked connection parameters and winbox does not have an actual connection to these devices until you select and open one.
Is it possible to show the column Version in the tab sheet Managed?