Kraken2k
Frequent Visitor
Posts: 72
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Winbox vulnerability: please upgrade

Mon Oct 29, 2018 11:14 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
Not everyone has a MikroTik in a home or small office environment.
If you like automation, there is what Normis proposed: a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand or do not care), will get automatic updates and won't be left behind on old vulnerable versions. And these usually don't run critical applications that cannot survive a two- or three-minute outage during the night hours.
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should stay as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

Here, in the country I am from, all home router CPEs belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa
Just to be sure, I would like to say that by "should be in default configuration" I don't mean "it should be the default value". Yes, the default value (when you erase the configuration) should be "off"; in the "default configuration" (the factory default when you turn on the device for the first time) it imho should be "on".

The reason is simple: if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network - this is a way to partially fix this kind of behaviour (as it happens, and you cannot do anything about it). It's a similar thing to the default configuration that forbids logon from the WAN port. If you reset the configuration (which is what we usually do after a RoS/firmware update), the autoupdate option will be set to "off" and you can configure it yourself as you want.
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Mon Nov 05, 2018 11:00 pm

Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network

Well... our good old RB532As get no security updates, because MT retired the MIPSLE branch and is not backporting any security updates.
And the latest release (6.33.4) is vulnerable... so we rolled back to 6.27, which is virtually not vulnerable.
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs.
And we have no funds to change the hardware, because they work on a charity basis at some very remote site.
What to do? Should I blame MT for their ignorance? Or just pray and hope that no vulnerability will be found in the old 6.27?

Best regards: CsXen
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Mon Nov 05, 2018 11:45 pm

With my total respect to MikroTik, let me tell you guys again that your ROS 6.43.4 is still vulnerable, and tonight I was playing with the hacker by closing every single door to access my router. He was kind enough not to directly change my password and kick me out... He was just playing with some mangle rules and using my gateway to push traffic through to whatever he needs, keeping my WAN graph full all the time.

Regardless of all that, I locked all IP services and changed the default ports to something far from the original. I created a dedicated syslog for this MikroTik RB2011UiAS where I wanted to see what was going on. Initially, the hacker was using my username to gain access again and to unbind winbox and telnet from being locked to an internet IP, and not keeping them locked.

I realized that and rapidly deleted all users and created a totally new, crazy user with a hard-to-guess password. Suddenly, while I was still in the MikroTik session, tracing the log I saw him get in again through mac-telnet; he scans what's changed and logs back in from winbox :| "Casper". (While using telnet nothing is logged; it is the first time I learned this!)

After that, I dropped all the ways for him to access the routerboard... added his MAC address, which appeared in MikroTik's log, to filter rules "input,forward,output", dropping everything possible in his way... Suddenly, after a few minutes and while I was still inside the MikroTik session, the router rebooted and I got kicked out! He did it this time and changed the password; I knew that from the syslog!!!!! It was logged because he rushed to change the password prior to entering and kicking me out and prior to changing the log location, so I had the chance to read what happened while I was kicked out.

Unfortunately, it seems I have no choice except resetting the router, but I am truly, highly disappointed in MikroTik, whose hardware/software I have used personally for almost 14 years without a headache... Because of this vulnerability, which is still active, my reliance on MikroTik is 0 and I will be replacing all my companies' firewalls/routers with something more rigid.

Sorry guys but we no longer have trust in your stuff.

Fix ROS 6.43.3 because I am 10000% sure it is still vulnerable and I saw the proof tonight in a very long fight.
Last edited by caresss on Tue Nov 06, 2018 12:19 am, edited 1 time in total.
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:05 am

Hi.
If you can, try to switch on the packet sniffer and log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.

Best regards: CsXen
 
honzam
Forum Guru
Posts: 2394
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:08 am

Fix ROS 6.43.3 because I am 10000% sure it is still vulnerable and I saw the proof tonight in a very long fight.
Do you have proof? For example, screenshots or something?
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:11 am

Hi.
If you can, try to switch on the packet sniffer and log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.

Best regards: CsXen
I will do so when I reset the router in order to gain access back to it ...
 
honzam
Forum Guru
Posts: 2394
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:11 am

Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs
You can use a VPN for remote access. It's simple, and then the WAN can be easily filtered...
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:13 am

Fix ROS 6.43.3 because I am 10000% sure it is still vulnerable and I saw the proof tonight in a very long fight.
Do you have proof? For example, screenshots or something?
I have a full Syslog!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:15 am

Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs
You can use a VPN for remote access. It's simple, and then the WAN can be easily filtered...
I secured the router perfectly, closing every single entry door! Filtering and blocking the MAC address of the attacker didn't do anything! Where is MikroTik on that!
 
honzam
Forum Guru
Posts: 2394
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:18 am

Fix ROS 6.43.3 because I am 10000% sure it is still vulnerable and I saw the proof tonight in a very long fight.
Do you have proof? For example, screenshots or something?
I have a full syslog!
And? Can you share it with us? Or with support@mikrotik.com?
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:20 am

Fix ROS 6.43.3 because I am 10000% sure it is still vulnerable and I saw the proof tonight in a very long fight.
Do you have proof? For example, screenshots or something?
I have a full syslog!
And? Can you share it with us? Or with support@mikrotik.com?
I will mask the users and MAC address and post the log!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:55 am

Fix ROS 6.43.3 because I am 10000% sure it is still vulnerable and I saw the proof tonight in a very long fight.
Do you have proof? For example, screenshots or something?
I have a full syslog!
And? Can you share it with us? Or with support@mikrotik.com?
Date Time Message Text
#Password changed and I cannot access the router anymore!
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#It seems he rebooted the router and I was unable to login as you see a failure below!
11/5/18 22:38:08 system,error,critical login failure for user NewUserCreated from 192.168.my.ip via winbox
11/5/18 22:37:52 interface,info ether5 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether3 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether1 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether9 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether8 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether7-WAN link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether4 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether2-WAN link up (speed 100M, full duplex)
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
11/5/18 22:36:56 system,info user NewUserCreated changed by NewUserCreated
11/5/18 22:32:56 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:32:10 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:32:08 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:29:55 interface,info ether9up (speed 100M, full duplex)
11/5/18 22:29:53 system,info device changed by NewUserCreated
11/5/18 22:29:45 system,info filter rule changed by NewUserCreated
11/5/18 22:29:15 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:29:10 system,info filter rule added by NewUserCreated
11/5/18 22:29:09 system,info filter rule added by NewUserCreated
11/5/18 22:29:07 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:22:47 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:22:21 system,info device changed by NewUserCreated
#This is the interface he was attacking from. I trusted the mikrotik filter more than disabling the interface BUT he was faster this time to change the newuserpass keeping me out!
11/5/18 22:22:21 interface,info ether9 link down
11/5/18 22:18:01 system,info arp entry changed by NewUserCreated
11/5/18 22:09:11 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:07:22 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:03:30 system,info mangle rule removed by NewUserCreated
11/5/18 22:03:25 system,info mangle rule removed by NewUserCreated
11/5/18 22:00:47 system,info,account user NewUserCreated logged in from 192.168.my.ip via winbox
11/5/18 21:59:49 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
#This tells that I lost hope with everything and I had no other chance other than adding a filter rule to block his mac-address from input,forward,output!BUT nothing worked!
11/5/18 21:59:15 system,info filter rule added by NewUserCreated
11/5/18 21:59:03 system,info filter rule added by NewUserCreated
11/5/18 21:58:49 system,info filter rule added by NewUserCreated
#I can't believe it howcome he knew rapidly the exact newly created user!
11/5/18 21:56:36 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#After I cleaned fully my mikrotik he tried to login with the old deleted user as you can see below!
11/5/18 21:55:58 system,error,critical login failure for user OldDeletedUser from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:54:18 system,info address changed by NewUserCreated
11/5/18 21:54:14 system,info address changed by NewUserCreated
11/5/18 21:54:09 system,info address changed by NewUserCreated
11/5/18 21:54:05 system,info address changed by NewUserCreated
11/5/18 21:54:00 system,info address changed by NewUserCreated
11/5/18 21:53:44 system,info address changed by NewUserCreated
11/5/18 21:53:41 system,info address changed by NewUserCreated
11/5/18 21:53:12 system,info address added by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:52:55 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:51:21 system,info nat rule changed by NewUserCreated
11/5/18 21:50:20 system,info address changed by NewUserCreated
11/5/18 21:50:06 system,info route changed by NewUserCreated
11/5/18 21:50:03 system,info route changed by NewUserCreated
11/5/18 21:49:32 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 21:49:14 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 21:47:47 system,info address changed by NewUserCreated
11/5/18 21:46:42 system,info route changed by NewUserCreated
11/5/18 21:44:30 system,info nat rule changed by NewUserCreated
11/5/18 21:44:29 system,info nat rule changed by NewUserCreated
11/5/18 21:43:13 system,info nat rule changed by NewUserCreated

I masked his MAC and some IPs... after his last mac-telnet login, logging stopped and I was no longer able to log in again.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 2:07 am

Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another, unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore, if there is still some other way to access the file, it means it is still possible to get the password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behaviour - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following code won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
I found the only way to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behaviour because the bridge will be in running state even if you disconnect the cable from your ethernet port.
The other way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from the WAN and whether you had enabled/disabled MAC access on the WAN interface?
 
Karas
just joined
Posts: 8
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 9:09 am

I masked his MAC and some IPs... after his last mac-telnet login, logging stopped and I was no longer able to log in again.
Um, quick question.
Isn't this hacker on your local network?
All the IPs I'm seeing are local (unless I skipped over something), and logging in via mac-telnet...
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:02 am

With my total respect to MikroTik, let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done a netinstall and added the config from scratch?
 
td32
Member Candidate
Posts: 111
Joined: Fri Nov 18, 2016 5:55 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:41 am

You can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger also.
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:59 am

Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp, bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?

Have you cross-checked with your own machines and ensured it isn't a local device?
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 11:21 am

Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface lists to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
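Both vecernik87's post above (bind /tool mac-server and /tool mac-server mac-winbox to the right interface list) and Deantwo's (remove the WAN interface from the mactel and mac-winbox lists) come down to one question that is easy to lose across the "almost 80 routers and switches" mentioned later: on which interfaces do the non-IP management services still answer? The script below is an added example, not code from the thread or from MikroTik. It audits the text of a RouterOS `/export` for the three settings that control layer-2 reachability and prints the commands that bind them to a trusted list. The export sample is constructed (the 6.41+ layout where services reference interface lists), the list names `WAN` and `LAN` and the interface names are assumptions, nested `include=` lists are not expanded, and a setting that is absent from the export is reported rather than assumed safe.

```python
import re

# Constructed /export sample in the 6.41+ shape, modelled on the weak state the thread
# describes: both MAC services and neighbor discovery answer on every interface,
# including the two that sit in the WAN list. Names are assumptions.
WEAK_EXPORT = """\
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether2-WAN list=WAN
add interface=ether7-WAN list=WAN
add interface=bridge-local list=LAN
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/ip neighbor discovery-settings
set discover-interface-list=all
"""

# Corrected state: the same export with every layer-2 service bound to the LAN list only.
HARDENED_EXPORT = WEAK_EXPORT.replace("=all", "=LAN")

# Menu paths whose setting decides which interfaces accept non-IP management traffic.
LAYER2_SETTINGS = {
    "/tool mac-server": "allowed-interface-list",
    "/tool mac-server mac-winbox": "allowed-interface-list",
    "/ip neighbor discovery-settings": "discover-interface-list",
}

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Group export lines by menu path: {path: [{key: value, ..., "_verb": add|set}, ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        entry = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry["_verb"] = verb
        sections[current].append(entry)
    return sections


def list_members(sections):
    """Interface-list name -> set of interface names (nested include= lists are not expanded)."""
    members = {}
    for e in sections.get("/interface list member", []):
        members.setdefault(e.get("list"), set()).add(e.get("interface"))
    return members


def audit(text, untrusted_list="WAN"):
    """Return (menu path, reason) for every layer-2 service reachable from the untrusted list."""
    sections = parse_export(text)
    members = list_members(sections)
    untrusted = members.get(untrusted_list, set())
    findings = []
    for path, key in LAYER2_SETTINGS.items():
        entries = sections.get(path, [])
        value = entries[-1].get(key) if entries else None
        if value is None:
            # /export only prints values that differ from the firmware default,
            # so an absent setting is unknown until checked on the device.
            findings.append((path, f"{key} absent from export; verify on the device"))
        elif value == "all":
            findings.append((path, f"{key}=all reaches {', '.join(sorted(untrusted))}"))
        elif value == untrusted_list or members.get(value, set()) & untrusted:
            findings.append((path, f"{key}={value} overlaps the {untrusted_list} list"))
    return findings


def remediation(trusted_list="LAN"):
    """RouterOS commands that bind all three services to the trusted list."""
    return [f"{path} set {key}={trusted_list}" for path, key in LAYER2_SETTINGS.items()]


if __name__ == "__main__":
    for path, reason in audit(WEAK_EXPORT):
        print(f"EXPOSED {path}: {reason}")
    print("fix:", *remediation(), sep="\n  ")
    print("after fix:", audit(HARDENED_EXPORT))
```

Binding the services to a trusted list is the same end state as Deantwo's `/interface list member remove` on lists named mactel and mac-winbox; the difference is only whether the list itself is edited or the service is pointed at a different list. Neither replaces the netinstall both posters recommend once a box has been driven from the outside.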
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:42 pm

Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another, unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore, if there is still some other way to access the file, it means it is still possible to get the password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behaviour - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following code won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
I found the only way to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behaviour because the bridge will be in running state even if you disconnect the cable from your ethernet port.
The other way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from the WAN and whether you had enabled/disabled MAC access on the WAN interface?
Thanks for your time replying with all the above! Yes, I was missing the MAC access, and when I wanted to take over and set them to none he trapped me and kicked me out. Anyway, ether9 is the LAN to the ISP for the microwave link with inter-branching! When he realized that I was aware of the situation he started resetting every single router on the ISP side, almost 30 MikroTik APs with ROS versions below 6.40...

The story ended up with netinstalling the main backbone which he attacked and restoring all the MikroTik APs after he reset them all, and locking everything, even the MAC side, with the latest OS. He wasn't that smart, but it was the OS's fault. Anyway, thank God all is back to normal now after dealing with almost 80 routers and switches. Absolutely a pain in the neck, and applause for MikroTik over that :))

We were born to learn so every day is a new school day in this new techie era!
Have a calm eve...
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:54 pm

With my total respect to MikroTik, let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done a netinstall and added the config from scratch?
Unfortunately, it wasn't the 1st time. I was cleaning up after him every time, but he kept getting back in through that mac-telnet and again mac-winbox. Absolutely Casper! Until yesterday, when I decided for the 1st time to install a remote syslog. From that syslog I was able to trace his prints, and started to fight back and clean up all that he did... The funny thing is that with mac-telnet, whatever you do, the log will not catch it!!! I was expecting to see some commands but nothing! I never knew this :)

A piece of advice: don't take things carelessly, and absolutely install a syslog, because it is very essential for everything and especially security, which comes 1st.
But I confirm 10000% that I updated the ROS to 6.34.4 and it was absolutely clean, with a totally new user and a very long and complicated pass... It took him seconds to guess the user and log on with it! I was so sure he was out: no scripts, no packet sniffing config, no php file in files, nothing, absolutely nothing so he could guess the user. In seconds he guessed it!!! That truly frightened me and I gave up somehow, knowing that whatever I do he will keep coming back. What happened happened, and the lesson was learned.

I believe he sniffed the packets between the latest winbox session from my side and the routerboard. There's still a hidden vulnerability somehow!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:58 pm

Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp, bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?

Have you cross-checked with your own machines and ensured it isn't a local device?
Didn't bother to look! This MAC was another routerboard switch connected to the inter-branching. Probably he NATted the port from a PC or winbox-enabled OS to the machine with this MAC to get a different MAC from the real one! Mysterious :)
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:59 pm

You can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger also.
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
No way :) I am a specialist, I use macOS and it is very clean. 0 chance of a keylogger.
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 7:01 pm

Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface lists to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I was so far from that location, and when I wanted to act badly he was faster :) Anyway, thank God things went OK this morning and I rescued everything after a very difficult and stressful time.

I'll keep you posted guys if anything new will come up regarding this mysterious issue :)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 12:49 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners being angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a grey hat hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 1:35 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners being angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a grey hat hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
Based on my experience with MikroTik and MOAB, where I have been asked to remotely install the service, many of the routers' firewalls are misconfigured.
The value proposition of MikroTik is such that it is very popular because MikroTik is POWERFUL, extensible and inexpensive. Very unfortunately, a lot of these configurations are managed by people who have NO idea what they are doing, applying the worst possible firewall disciplines one can imagine --- so it's not at all surprising that a LOT get hacked.

IMO, MikroTik have provided the basic guidelines to effectively secure the router -- but when the undisciplined admin wants to expand on that capability they break the effective security model and get into trouble enabling the bad guys to invade their territory,
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 2:22 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Can anyone confirm this, or is it just bragging?
Has anyone seen a MT that has gotten an access list added to prevent external access?
 
ognjen
newbie
Posts: 35
Joined: Wed Nov 15, 2017 10:31 am
Location: Serbia

Re: Winbox vulnerability: please upgrade

Mon Dec 24, 2018 10:17 pm

Hello,

after a year I came to a hotel that I once heard as a network engineer and I saw the following:

Image

RouterOS version before the upgrade: 6.40.3.
So... everyone can be an attacker and a victim!
Be careful - upgrade RouterOS!
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Dec 25, 2018 11:10 am

That is exactly why such advice will not work as long as there is not some form of auto-upgrade...
You get a request from a hotel to install WiFi, you install and configure equipment that is up to date at that time, and you leave.
At that point there is not some hotel desk clerk reading the forum every day and acting upon topics like this.
So the router is left unmanaged. Why would you hire expensive service from a network admin to babysit a $100-$200 box?
And risks like this are the result.
So for an installation like that there should be some menu setting that makes it auto-update to some special release channel
that only gets the important and well-tested updates. (you do not want it to track "stable" or even "long-term" and install
a new version every couple of weeks when that is not required to fix problems, as it always induces a risk of failures)
 
ognjen
newbie
Posts: 35
Joined: Wed Nov 15, 2017 10:31 am
Location: Serbia

Re: Winbox vulnerability: please upgrade

Tue Dec 25, 2018 10:10 pm

@pe1chl You are right. But let's look at the problem with wireless in the new update 6.43.8. If I had set up auto-upgrade, at the time of the upgrade the entire network would have stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And the link is down :shock: )
I know, superchannel together with a country is a wrong config... but auto-upgrade can be dangerous in this example.
 
deanMKD1
Member
Posts: 366
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia

Re: Winbox vulnerability: please upgrade

Wed Dec 26, 2018 2:42 pm

Haven't noticed anything serious in 6.43.4 stable. Winbox port still open.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Fri Dec 28, 2018 4:46 am

When MikroTik got rid of master/slave... A BLIND update could really "screw some s__t up" on many configurations, and auto update would have had disastrous results. That's what change logs are for, and why you read them before you hit UPDATE.

An unmanaged device gets hacked after the install???
Well it sucks for the person doing cleanup... Until they realize... "THE UNIT WAS UNMANAGED". If the system was set and forget or on break fix... This is a break... Time to fix.
 
m4t7e0
Frequent Visitor
Posts: 81
Joined: Tue Jun 09, 2015 12:17 am

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 1:30 pm

It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service that was patched in RouterOS v6.42.1 on April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing their configuration, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.
Thanks for this information; some of my devices (set up on 18 Dec) with firmware version 6.42.10 had this "attack".
 
normis
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 1:53 pm

@pe1chl You are right. But let's look at the problem with wireless in the new update 6.43.8. If I had set up auto-upgrade, at the time of the upgrade the entire network would have stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And the link is down :shock: )
I know, superchannel together with a country is a wrong config... but auto-upgrade can be dangerous in this example.
So why would your link be down? Clients connect to whatever frequency the SSID has set. And if you indeed have some very special purpose here, why did you set a regulatory country?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 2:20 pm

So why would your link be down?
I can't speak for his situation, but it is not really uncommon that a link goes down when one side changes frequency, e.g. because
that frequency has interference at the other side, is not in the other side's allowed channel list (e.g. it is an outdoor AP that has the
proper indoor/outdoor setting), or because the selected frequency has a lower allowed EIRP and thus the power is reduced.
 
normis
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 2:24 pm

He already upgraded the router, which requires a reboot, and the link is down anyway (until it's restored in a minute).
Power is only reduced if an indoor frequency is selected, which should not happen (the frequency list knows outdoor from indoor).
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 2:04 pm

I upgraded my router and it stopped working...
Check if the update changed your master/slave settings to a bridge. That's the #1 thing I saw taking out routers that upgraded from below 6.40.8 to above it. Fixing the bridges and moving IP/DHCP-Server/Filter-Rules to use the new bridge interface got things going again.
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:00 pm

I'm having issues upgrading. It doesn't do it... check for updates, then select download and install... it auto-reboots but it stays on the old version, not the new one... I'm using a hAP ac....
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:04 pm

I'm having issues upgrading. It doesn't do it... check for updates, then select download and install... it auto-reboots but it stays on the old version, not the new one... I'm using a hAP ac....
Check the architecture of the router, make sure you are using the correct file.

Need more information to be able to help you. What and how are you updating? From what version to what version? Again how are you doing it?
Last edited by Deantwo on Thu Jan 17, 2019 4:18 pm, edited 1 time in total.
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:50 pm

I have a hAP ac lite with software version 6.42rc24; I tried different steps to update it to 6.44beta50:

1. System > Routerboard > Upgrade, then manual reboot
2. System > Packages > Check For Updates > current > Download & Install; it downloads, then reboots automatically
3. System > Packages > Check For Updates > release candidate > Download & Install, then it auto-reboots
4. Quick Set > Check For Updates > current or release candidate > Download & Install > auto reboot
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:52 pm

I'm having issues upgrading. It doesn't do it... check for updates, then select download and install... it auto-reboots but it stays on the old version, not the new one... I'm using a hAP ac....
Check the architecture of the router, make sure you are using the correct file.

Need more information to be able to help you. What and how are you updating? From what version to what version? Again, how are you doing it?
I have a hAP ac lite with software version 6.42rc24; I tried different steps to update it to 6.44beta50:

1. System > Routerboard > Upgrade, then manual reboot
2. System > Packages > Check For Updates > current > Download & Install; it downloads, then reboots automatically
3. System > Packages > Check For Updates > release candidate > Download & Install, then it auto-reboots
4. Quick Set > Check For Updates > current or release candidate > Download & Install > auto reboot
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:55 pm

Anything in log just after reboot?

Did it upgrade to current (6.43.8) in step 2?

Can you post the list of installed packages?
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 6:22 pm

Anything in log just after reboot?

Did it upgrade to current (6.43.8) in step 2?

Can you post the list of installed packages?
Screenshot of the logs after reboot
logs.jpg
Nope, it did not upgrade to 6.43.8 or the 6.44beta

Packages installed
packages.jpg
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 6:31 pm

The problem is that you somehow ended up with two instances of the hotspot package installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented in the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 7:32 pm

Thanks... let me try your suggestion.
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 9:33 pm

The problem is that you somehow ended up with two instances of the hotspot package installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented in the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
THANKS a LOT! It worked and it's updated.
 
Darman
just joined
Posts: 3
Joined: Mon Jan 28, 2019 12:27 am

Re: Winbox vulnerability: please upgrade

Mon Jan 28, 2019 11:45 pm

Did somebody notice that after that vulnerability there are thousands of entries in IP > Socks > Access, and when you try to open IP > Socks the router gets stuck at 100% CPU, even though IP Socks is disabled?
Is there any chance that MikroTik makes an upgrade version that will automatically remove those socks access entries?
 
whatever
Member
Posts: 348
Joined: Thu Jun 21, 2018 9:29 pm

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 9:36 am

@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
 
Darman
just joined
Posts: 3
Joined: Mon Jan 28, 2019 12:27 am

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 10:24 am

@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
Thanks, I know, but it would be cool if we could do that Socks access entry removal with an update when the router is miles away...
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 10:28 am

Darman, how do you think an update will know what socks entries are legitimate and what are not?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 10:53 am

Darman, how do you think an update will know what socks entries are legitimate and what are not?
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 1:16 pm

Darman, how do you think an update will know what socks entries are legitimate and what are not?
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
Better idea: if the router is setup incorrectly/insecurely, brick it.

But really, none of that is MikroTik's problem to solve.
It is the technician's responsibility to:
  • Make sure they don't make the router insecure when they remove the default configuration.
  • Make sure they can access the router remotely, and doing so doesn't make it accessible by others. For example through VPN or with an IP whitelist.
  • Make sure they have a plan for how to upgrade routers remotely.
In the worst case scenario you tell the personnel on site to unplug the router until you can reach the location and fix the router directly. And then you promise your boss/customer/whatever that you fixed it and this won't happen again, because you are implementing a plan on how to deal with it better from now on.

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
 
bawolek
Frequent Visitor
Posts: 61
Joined: Thu Mar 29, 2007 3:33 pm
Location: Poland/Wroclaw

Re: Winbox vulnerability: please upgrade

Mon Feb 25, 2019 6:05 pm

 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Feb 25, 2019 6:25 pm

 
bawolek
Frequent Visitor
Posts: 61
Joined: Thu Mar 29, 2007 3:33 pm
Location: Poland/Wroclaw

Re: Winbox vulnerability: please upgrade

Mon Feb 25, 2019 8:11 pm

Yes, I missed this thread - thanks for this link !
 
upnort
newbie
Posts: 49
Joined: Wed Aug 15, 2018 2:03 am

Re: Winbox vulnerability: please upgrade

Sun Mar 03, 2019 8:35 pm

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
Would you be able to share that system? :)
 
KeiraPullen
just joined
Posts: 1
Joined: Thu Feb 28, 2019 12:11 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 04, 2019 1:42 pm

Essentially the most general most important dilemma about most commonly (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that main default settings did not sincerely shut all WAN access to RB. After today pakistani talk shows which a tremendous phase of consumers (beside unobtrusive number of professionals and for no quandary all execs) do not refresh ROS on the whole. Besides, whatever the method that they do, they expect that is sufficient, yet now we have an understanding of that ancient FW units don't seem to be amazing attractive.
Last edited by KeiraPullen on Tue Mar 26, 2019 1:13 pm, edited 1 time in total.
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 04, 2019 2:24 pm

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the furture.
Would you be able to share that system? :)
Basically my routers have a script version number; they then have a scheduled script that makes them contact a web server at a regular interval to check if a file with the next script version number exists. If a file with the next script version number exists, it downloads it and executes it.

All I had to do when the crap hit the fan, was make a new script file with all the necessary changes and an added scheduler to download the newest RouterOS long-term version at midnight. I then uploaded that script file to the web-server with the next version number.

Kinda funny because this is the same system I saw the hackers were using in the few examples of their scripts I saw.
Last edited by Deantwo on Mon Mar 04, 2019 2:42 pm, edited 4 times in total.
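The pull-update scheme Deantwo describes, written out as an added example in RouterOS scripting. This is not Deantwo's own script: the server name `updates.example.invalid`, the `mgmt-vN.rsc` file naming and the script and scheduler names are placeholders chosen for this illustration. Because the same pattern is what the attackers' scripts used, the trust anchor is the web server, so the example fetches over HTTPS with certificate checking, only advances the version counter after a successful import, and keeps that counter in the script's comment field so it survives a reboot.

```routeros
# Added example, not Deantwo's own script. Create a script named mgmt-update with this
# body (/system script add name=mgmt-update source=...) and poll it nightly with:
#   /system scheduler add name=mgmt-update-poll interval=1d start-time=03:00:00 on-event=mgmt-update
# Placeholders: updates.example.invalid, the mgmt-vN.rsc naming, the script name.

# The applied script version lives in this script's own comment field, so it persists
# across reboots (global variables do not, unless re-set at startup).
:local self [/system script find name="mgmt-update"]
:local verStr [/system script get $self comment]
:local cur 0
:if ([:len $verStr] > 0) do={ :set cur [:tonum $verStr] }

:local next ($cur + 1)
:local fname ("mgmt-v" . $next . ".rsc")
# HTTPS with certificate checking: whoever can serve this URL controls every router that
# polls it, so a plain-HTTP fetch would let anyone on the path push a script to the router.
# Assumes the server's CA certificate has been imported under /certificate beforehand.
:local url ("https://updates.example.invalid/routeros/" . $fname)

:local fetched false
:do {
    /tool fetch url=$url dst-path=$fname mode=https check-certificate=yes
    :set fetched true
} on-error={
    # Expected on most runs: no file with the next version number exists yet (HTTP 404),
    # or the TLS check failed; either way nothing is imported.
    :log debug ("mgmt-update: no " . $fname . " available")
}

:if ($fetched) do={
    :log info ("mgmt-update: fetched " . $fname . ", importing")
    :do {
        /import file-name=$fname
        # Bump the version only after a successful import, so a broken file is retried next run
        # instead of being silently skipped.
        /system script set $self comment=[:tostr $next]
        :log info ("mgmt-update: now at script version " . $next)
    } on-error={
        :log error ("mgmt-update: import of " . $fname . " failed, staying at version " . $cur)
    }
    /file remove [find name=$fname]
}
```

Each published `mgmt-vN.rsc` is itself a normal RouterOS export fragment, so the emergency rollout Deantwo describes is just the next numbered file containing the firewall changes plus a `/system scheduler add` that runs the package upgrade at midnight. The ordering check (only `cur + 1` is ever fetched) means routers that were offline for a while apply the missed versions one per poll, in sequence, rather than jumping straight to the latest.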
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 04, 2019 2:27 pm

Essentially the most general most important dilemma about most commonly (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that main default settings did not sincerely shut all WAN access to RB.
That is not correct! On every router except the CCR the default has been (at least for a very long time) to block all input from internet by default.
Unfortunately it was done in such a way that it stopped working when another interface, like a PPPoE client, was added for internet access.
However that has been fixed a few versions ago.

The real problem is users that follow YouTube advice instead of MikroTik documentation. On YouTube there are a couple of users who distribute videos with completely incorrect procedures.
(probably not malice but just lack of knowledge on their part)
 
buset1974
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: Winbox vulnerability: please upgrade

Tue Mar 12, 2019 4:19 pm

It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service that was patched in RouterOS v6.42.1 on April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing their configuration, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.
Is it enough to only upgrade the OS to a safe version, or MUST netinstall be done?

thx
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Tue Mar 12, 2019 4:25 pm

It is always safer to netinstall as it formats device.
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Mar 12, 2019 5:25 pm

Is it enough to only upgrade the OS to a safe version, or MUST netinstall be done?
As stated multiple times in this thread, and in other places on the forum: if you want to be 100% sure that your router is not infested with some Lovecraftian horror, netinstall it.
If your router hasn't been attacked, probed, or accessed in any way, you might be OK with just upgrading to the latest long-term version and changing your passwords. The problem is that you'll have no idea if you were exploited, so it is always better to be safe than sorry.

That said, implementing a more secure firewall with VPN, IP whitelist and/or port-knocking for secure remote management access is always a good idea.
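A concrete form of the IP whitelist on the WinBox service that Deantwo mentions here and earlier in the thread, as an added example rather than configuration posted by anyone in the thread. The subnet 192.0.2.0/24 is a documentation-range placeholder standing in for the management or VPN network, and `LAN` is assumed to be the default interface list that RouterOS 6.41 and later create.

```routeros
# Added example, not configuration from the thread. 192.0.2.0/24 is a placeholder for the
# management/VPN subnet; LAN is the default interface list of RouterOS 6.41+.

# Weak (factory) setting: the service accepts connections from any source address,
#   /ip service set winbox address=""
# so only the firewall stands between the Internet and the service that was vulnerable.

# Layer 1: the service itself only talks to the management subnet.
/ip service set winbox address=192.0.2.0/24
# Services that are not used should not listen at all.
/ip service disable telnet,ftp,www,api

# Layer 2: the firewall enforces the same whitelist, so a later change to /ip service
# cannot silently reopen the port. Move these two rules above any broad accept rules
# in /ip firewall filter so that they are evaluated first.
/ip firewall address-list add list=mgmt address=192.0.2.0/24 comment="management hosts (placeholder)"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="WinBox from management subnet"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop comment="WinBox from anywhere else"

# Layer 3: the MAC-layer WinBox server answers without any IP configuration at all,
# so confine it to the LAN side rather than leaving it on every interface.
/tool mac-server mac-winbox set allowed-interface-list=LAN
```

The point of keeping both the service-level `address=` restriction and the firewall rules is that they fail independently: an admin who later widens `/ip service` to "just quickly" reach the router from a hotel still hits the drop rule, and an admin who reorders the filter chain still has the service refusing foreign source addresses.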
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 2:35 pm

Automatic upgrade should be the default and is quickly becoming best practice.
Automatic upgrade with reboot will never become best practice in non-HA clusters.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 4:58 pm

Well, why not, as long as I can turn it off and I'm not left out with setting "active hours". ;) But I don't think MikroTik will go for it, it's just too risky.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 5:36 pm

Well, why not, as long as I can turn it off and I'm not left out with setting "active hours". ;)
That's not what I call "best practice" ;)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 6:17 pm

Automatic upgrade should be the default and is quickly becoming best practice.
Automatic upgrade with reboot will never become best practice in non-HA clusters.
You are not going to tell us that those 200.000 - 400.000 compromised MikroTik routers form an HA cluster, are you?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 7:25 pm

I think the point was that, unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because a small mistake could result in thousands of inoperable routers, which would not amuse users either.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 8:00 pm

Shocking, in the middle of the busy trading day, the DOW shut down unexpectedly, as the routers running the show rebooted like spontaneous combustion.
The IT admins were quite confused until they realized that automatic firmware upgrades had been applied simultaneously to both main and HA routers.
Oops.
The 4 billion dollar loss is apparently being paid by Hannah25, through a debt payment scheme that will last approx 100 generations of the family.
Just hired by the DOW to take over their IT operations is Chewbaka (phonetic spelling ;-P) who predicted the event would occur over 3 months earlier.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 9:15 pm

:)

And Hannah25 is not even a real person, just a spam bot copying this post ( viewtopic.php?t=137572&start=200#p686945 ) and coming back later to edit in some spam links.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 10:33 pm

I think the point was that unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because small mistake could result in thousands of inoperable routers, which would not amuse users either.
I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).

MikroTik should only put well tested releases on that channel and only when an issue has been found that makes it important to update.
So it should not be just another "stable" or "long-term" channel that receives updates at will. It should only be updated when security vulnerabilities have been found and fixed, and for reasons like described above it should not be released immediately but only after that same version has been out on the stable and/or long-term channel for long enough to know that there will be no such problems.

This mechanism is only there to make sure that those users (probably the majority of home users) that never check for new versions still receive those important updates.
And for those that think that they know better, the mechanism can be turned off.

Sometimes I think that this already has been silently implemented. I observe that some of my routers "regularly" connect to upgrade.mikrotik.com and retrieve the file that contains the latest version. Then they do nothing. But maybe a special message can be put in that file that instructs the router to upgrade.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 10:48 pm

It should only be updated when security vulnerabilities have been found and fixed, ...
What if they don't find any for a while? Imagine that there's no vulnerability for a few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years. They would have to minimize the number of preinstalled versions somehow (to make testing easier), but with new hardware coming out all the time, I don't know how.
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 18, 2019 1:19 am

I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).
Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.

But we will still have smart idiots that will screw that up, and they will go onto making YouTube guides that are wrong, making poor unknowing people vulnerable.

There is no good solution, and even less a solution that is backward solving. There is no way to remotely fix all the routers that are already vulnerable (without breaking a few laws), so there is no point in using it as an argument.

If a new release branch were to be made it would have to be totally separate from RouterOS, since I doubt they would want to release security fixes for each and every RouterOS version in existence.

And no we can't just say "use long-term branch", because even that breaks multiple features and brings bugs with every major release. Best example currently is how long-term v6.42 changes Netwatch execution permissions, but the fix for it isn't until v6.43 and still requires manual fixing.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 18, 2019 11:19 am

It should only be updated when security vulnerabilities have been found and fixed, ...
What if they don't find any for a while? Imagine that there's no vulnerability for few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years.
I have not clearly stated (and I am not really sure) if they should make a minor release to fix security issues for every major release out in the field.
While that would reduce the risk of update problems it would increase the amount of maintenance work.
Of course when routers with very old RouterOS are now updated to "stable" or even "bug-fix" versions they could encounter issues with migration of
old configuration like "switch masterport -> bridge with hardware accel" or "new IPsec configuration".
So it could be considered to have a security update version separately for versions before those major releases.

Leaving this unsolved for so long of course has contributed to the problem. Not solving it now will only make it more difficult.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 18, 2019 11:21 am

Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.
There could be a default firewall where user can add things, and an "expert" mode where they can redesign the whole firewall when desired.

But that does not help against stupid YouTube videos that instruct beginners to do the wrong thing.
 
glibao
just joined
Posts: 5
Joined: Thu Dec 04, 2014 8:15 pm

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 3:47 pm

Hello, we have found that our CCR is not accessible; it has been compromised, user and password have been changed. V6.38.7 (bugfix) is the version that appears in Winbox. We have tried ExploitWinbox and Macserverexploit but they do not work; what else can we do? We do not have a backup..... Thanks!
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 4:07 pm

Hello, we have found that our CCR is not accessible; it has been compromised, user and password have been changed. V6.38.7 (bugfix) is the version that appears in Winbox. We have tried ExploitWinbox and Macserverexploit but they do not work; what else can we do? We do not have a backup..... Thanks!
Bugfix version 6.38.7 should be vulnerable to the exploit, assuming the firewall or service doesn't block IP access and MAC-WinBox-Server is running for MAC access.
If you can't get into it at all, you might have to cut your losses and netinstall it right away. Because you'll want to netinstall it either way, it is only a question of whether or not you can save some of your configuration.
 
glibao
just joined
Posts: 5
Joined: Thu Dec 04, 2014 8:15 pm

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 5:36 pm

Is there no way to extract the router configuration, or any other exploit I can try?
Thank you
 
jo2jo
Forum Guru
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 9:09 pm

AFAIK there is no way to extract your config without an admin password; others (more familiar with netinstall) might chime in otherwise (netinstall has that "save config" button/checkbox, but I think it requires your password first). You have to consider that MT does not want to make it so that someone with even physical access to your MT can pull your config somehow (else anyone locally could grab your valuable config + VPN creds/certs or other creds, possibly without the remote admin even knowing, as they may only see the MT reboot), so this is a good thing!

I can say that we had a customer's MT that was exploited several months ago (an MT we did not control, but rather local IT did), so they physically brought the MT to us to see what was wrong with their router (lol). Out of curiosity I tried the various exploits myself, to then grab the hacker's new password they had set.

To do this, we used a recent release of Kali OS and were able to pull the password via the MAC/layer-2 exploit (I think it was a python script).
(You may want to try that again with Kali OS, as the scripts may possibly fail silently if they are missing some package or other dependency on your host OS.)

if it helps, here was the user/password they had used/created on this MT:

service
service42

user1
motoroll3r

fad
fad

(Those worked for us to get into winbox, or maybe try those passwords above with user admin.) Good luck recovering your config, even though you probably should recreate the config from scratch anyway.

Edit: also, if you are trying the TCP/winbox exploit, you may want to first portscan the device, as I think in some cases they changed the winbox port (and/or restricted it to their own IP range).
 
glibao
just joined
Posts: 5
Joined: Thu Dec 04, 2014 8:15 pm

Re: Winbox vulnerability: please upgrade

Thu May 23, 2019 1:42 am

Thank you very much for your explanation. I'm going to try what you say; I've tried the port with nmap and it still uses the original winbox port.
On MAC (layer 2) I have already tried the python script and it does not work either (they may have updated some package). Thank you.
 
ollit
newbie
Posts: 25
Joined: Tue May 23, 2017 3:14 pm

Re: Winbox vulnerability: please upgrade

Mon Jul 15, 2019 1:07 pm

Is it possible to show the Version column in the Managed tab?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Jul 15, 2019 2:03 pm

Is it possible to show the Version column in the Managed tab?
No, because this is just a list of bookmarked connection parameters, and WinBox does not have an actual connection to these devices until you select and open one.
Depending on the topology of your network you can sometimes get such information by connecting to some central router and then selecting IP->Neighbors.
This shows the names and versions of all surrounding routers that have "discovery" enabled on the link. This is actual information.
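The IP->Neighbors view described above is also available from the terminal as `/ip neighbor print detail`, and its output can be audited in bulk. The script below is an added example, not code from this thread or from MikroTik: it parses that key=value output, pulls the version and release channel out of each neighbour's `version` field, and reports every device below a minimum version. The sample output is constructed to match the shape of `print detail`, and the minimum versions used (6.42.1 on the stable channel, 6.40.8 on the bugfix channel) are what MikroTik's changelog lists for the Winbox fix; check them against the current changelog before relying on them.

```python
"""Audit RouterOS versions advertised over neighbor discovery.

Paste the output of `/ip neighbor print detail` from a central router
into audit() and it sorts each neighbour into outdated / current /
unknown against a per-channel minimum version.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumed minimum versions: what MikroTik's changelog lists for the Winbox
# fix (6.42.1 on the stable channel, 6.40.8 on the bugfix channel).
# Verify against the current changelog before relying on them.
DEFAULT_FLOORS: Dict[str, Version] = {
    "stable": (6, 42, 1),
    "bugfix": (6, 40, 8),
    "long-term": (6, 40, 8),
}

# Constructed sample in the shape of `/ip neighbor print detail`; not a
# capture from a real network.
SAMPLE = """
 0 interface=ether2 address=192.168.88.2 mac-address=00:0C:42:00:00:01
   identity="core-ccr" platform="MikroTik" version="6.38.7 (bugfix)"
   board=CCR1036-8G-2S+ interface-name="ether1"
 1 interface=ether3 address=192.168.88.3 mac-address=00:0C:42:00:00:02
   identity="ap-office" platform="MikroTik" version="6.42.1 (stable)"
   board=RB951G-2HnD interface-name="ether1"
 2 interface=ether4 address=192.168.88.4 mac-address=00:0C:42:00:00:03
   identity="switch-1" platform="MikroTik" version="6.40.8 (bugfix)"
   board=CRS125-24G-1S interface-name="ether1"
 3 interface=ether5 address=192.168.88.5 mac-address=00:11:22:33:44:55
   identity="hp-switch" platform="ProCurve" version="K.15.18"
"""

_RECORD_START = re.compile(r"^\s*\d+\s", re.M)       # " 0 ", " 1 ", ... entry index
_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="quoted value"
_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_CHANNEL = re.compile(r"\(([^)]*)\)")


def parse_neighbors(text: str) -> List[Dict[str, str]]:
    """Split `print detail` output into one dict per neighbour entry."""
    starts = [m.start() for m in _RECORD_START.finditer(text)]
    records: List[Dict[str, str]] = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = _RECORD_START.sub("", text[start:end], count=1)  # drop the index
        rec: Dict[str, str] = {}
        for key, val in _KV.findall(chunk):
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            rec[key] = val
        records.append(rec)
    return records


def parse_version(field: str) -> Optional[Version]:
    """'6.38.7 (bugfix)' -> (6, 38, 7); None if no numeric version."""
    m = _VER.match(field.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def channel_of(field: str) -> str:
    """'6.38.7 (bugfix)' -> 'bugfix'; defaults to 'stable' if unlabelled."""
    m = _CHANNEL.search(field)
    return m.group(1).strip().lower() if m else "stable"


def audit(text: str, floors: Dict[str, Version] = DEFAULT_FLOORS) -> Dict[str, List[Dict[str, str]]]:
    """Classify every neighbour as outdated, current or unknown."""
    report: Dict[str, List[Dict[str, str]]] = {"outdated": [], "current": [], "unknown": []}
    for rec in parse_neighbors(text):
        field = rec.get("version", "")
        ver = parse_version(field)
        if ver is None:
            report["unknown"].append(rec)  # not RouterOS, or no version advertised
            continue
        # bugfix/long-term releases carry lower numbers than stable ones, so
        # compare against the floor for the channel the device is actually on
        floor = floors.get(channel_of(field), floors["stable"])
        report["outdated" if ver < floor else "current"].append(rec)
    return report


if __name__ == "__main__":
    for bucket, recs in audit(SAMPLE).items():
        for r in recs:
            print(f"{bucket:9} {r.get('identity', '?'):12} "
                  f"{r.get('address', '?'):16} {r.get('version', '?')}")
```

Two caveats when using this: it only sees devices that have discovery enabled on the link towards the router you run it from, as the post above says, so silence is not proof of currency; and because discovery itself advertises identity, version and MAC address to anything on the segment, keep it enabled only on trusted interfaces.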
