mrz
MikroTik Support
Posts: 5673
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:16 pm

How happy would you be if your Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7, and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers, or set up upgrade scripts scheduled for the most convenient time.
 
spacemind
Member Candidate
Posts: 107
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:22 pm

I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission-critical devices without consent. We have no access to your devices.

The vulnerability doesn't affect anyone who has the default firewall, or who has configured his own firewall correctly.
Normis,

Securely? I only have Winbox access opened to the WAN, and on a different port than the default one.

We could have an upgrade menu where we can choose whether we want critical (extremely critical, in this case) upgrades done in auto mode. That option can be disabled by default.

This would solve critical vulnerability issues: upgrade, reboot and notify the client. I know that some updates are buggy and we will have problems, but in my opinion I prefer an upgrade with some bugs, even if a hotspot/PPPoE server with 5000 clients stops working, over having the router hacked....

thanks.
 
normis
MikroTik Support
Topic Author
Posts: 23494
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:24 pm

Securely? I only have Winbox access opened to the WAN, and on a different port than the default one.
So that means you can keep using it without worry, and there is no urgent need for the manufacturer to force-upgrade your device.
Also, how could we upgrade it if you have a firewall?
 
spacemind
Member Candidate
Posts: 107
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:32 pm

How happy would you be if your Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7, and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers, or set up upgrade scripts scheduled for the most convenient time.

A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car.... What do you think?

A simple menu where you can choose whether you want to do the critical updates and reboot is enough for that. Network admins do whatever they think is better, but end customers should be protected; MikroTik sells thousands of units to end customers, not only to companies.

Anyway, this conversation will not help in the future; a new feature suggestion will do the work.

Thanks for your comments, guys :)
 
spacemind
Member Candidate
Posts: 107
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:38 pm

Securely? I only have Winbox access opened to the WAN, and on a different port than the default one.
So that means you can keep using it without worry, and there is no urgent need for the manufacturer to force-upgrade your device.
Also, how could we upgrade it if you have a firewall?
That's why I have chosen MikroTik since 2001: to use it without worries. I am not a sysadmin; I just show clients and friends the best affordable equipment on the market with the best software to manage it, and I'm happy to have MikroTik.

Firewall rules can be changed if there is an upgrade menu :)
 
normis
MikroTik Support
Topic Author
Posts: 23494
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:47 pm

You can already do it.

In the system scheduler, add a new entry that does this every 24 hours (or whenever you choose):
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade
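A fuller form of the scheduler approach normis describes above, added here as an example that is not from the original post and not MikroTik's own code. It keeps the same check-for-updates / install logic, but wraps it in a named script so it can be tried by hand first, pins the run to an administrator-chosen window, follows the conservative update channel, and logs what it decided. The script and scheduler names, the 03:30 start time and the channel value are assumptions; channel names changed in 6.43 (bugfix/current became long-term/stable), so use whichever your version lists under /system package update.

```routeros
# Added example (not from the original post, not MikroTik code).
# Names, time and channel below are assumptions; adjust to your maintenance window.

# Follow the conservative release channel so the router does not chase every
# new release. On 6.42 and earlier the same channel is called "bugfix".
/system package update set channel=long-term

# The upgrade logic as a named script: run it by hand with
# "/system script run auto-upgrade" before trusting it to the scheduler.
# Note: "install" reboots the router once the download completes.
/system script add name=auto-upgrade policy=read,write,reboot \
    source="/system package update check-for-updates once; :delay 1s; \
    :if ([/system package update get status] = \"New version is available\") do={ \
        :log warning \"auto-upgrade: new RouterOS version found, installing\"; \
        /system package update install \
    } else={ \
        :log info (\"auto-upgrade: nothing to do (\" . [/system package update get status] . \")\") \
    }"

# Run it once a day inside the maintenance window (03:30 here, an assumption).
# Disable the entry if you want manual control back:
#   /system scheduler set auto-upgrade-nightly disabled=yes
/system scheduler add name=auto-upgrade-nightly start-time=03:30:00 interval=1d \
    policy=read,write,reboot on-event=auto-upgrade
```

The scheduler entry only names the script, so the logic lives in one place and shows up in /system script print where an administrator auditing the router will look for it; the log lines make it possible to tell afterwards whether a reboot was caused by this entry or by something else.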
 
Cha0s
Forum Veteran
Posts: 816
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 4:37 pm

A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car.... What do you think?
I think that I wouldn't want my 160.000€ car to stop whenever it feels like it should update itself while I am in a rush to get my pregnant wife or my hurt child to the hospital.
 
OhJeez
just joined
Posts: 4
Joined: Sun Apr 09, 2017 9:31 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 5:57 am

Automatic upgrade should be the default and is quickly becoming best practice.
 
normis
MikroTik Support
Topic Author
Posts: 23494
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 9:25 am

See the configuration above. It can't be the default, because I don't know at what time you don't need any internet.
 
eddieb
Frequent Visitor
Posts: 85
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 9:43 am

NEVER make updates automatic!
We want to control the moment of updating and rebooting devices.
The way it is done now is sufficient; announcements through mailing and on this forum are fine.
 
sid5632
Member Candidate
Posts: 253
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 8:29 pm

Automatic upgrade should be the default
No, it should not.
and is quickly becoming best practice.
Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
 
Karas
just joined
Posts: 4
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 9:52 am

Automatic upgrade should be the default
No, it should not.
and is quickly becoming best practice.
Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
I think it's unfair to call MikroTik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
Srsly tho, I agree: it should be up to the network admin to decide when updates should take place, not rely on someone else to decide when the network will go offline.
Especially when some releases have come out buggy at times, which is why it's often better to wait a couple of days for forum/community feedback and/or test the release yourself before implementing.

@OhJeez - try controlling a network with hundreds of MikroTik devices on it, and have someone else decide when upgrades should take place instead of you.
And then have the upgrade be to a buggy release.
Have fun,
 
Cha0s
Forum Veteran
Posts: 816
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 10:27 am

I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.

Another example is Dropbox. It upgrades whenever it feels like it. No notification, no mention of it anywhere.
It's borderline backdoor/malware behavior.
 
sid5632
Member Candidate
Posts: 253
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 8:54 pm

I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.
It is indeed Micro$oft I meant.
 
mrz
MikroTik Support
Posts: 5673
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:07 am

Even your "beloved" Microsoft does not force reboots. You choose when to reboot the PC.
 
andriys
Forum Guru
Posts: 1045
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:16 am

Even your "beloved" Microsoft does not force reboots.
In Windows 10 it does, actually.
 
mrz
MikroTik Support
Posts: 5673
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:18 am

No it does not, unless you scheduled automatic restarts.
 
karlisi
Member Candidate
Posts: 180
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 12:41 pm

In some cases Windows 10 forces the user to restart the computer, not letting them do anything else. It's almost the same, unless the user wants to sit and look at something like "You must restart your computer to finish important update" forever.
It's off-topic, imho. MikroTik should not change the upgrade to automatic by default, period. But if the upgrade process checked the firewall rules for unsafe entries on every upgrade, and warned the user afterwards (in the log, on the terminal, or in a dialog box like after a config reset), it would be helpful for inexperienced users.
---
Karlis
 
andriys
Forum Guru
Posts: 1045
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 12:58 pm

No it does not, unless you scheduled automatic restarts.
It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force an automatic reboot sometime outside of a (somewhat) configurable "activity period". You can configure this activity period (with limitations), but that's it. Nothing else can be changed/configured unless you are using the Pro or Enterprise edition, and even then you need to know how to use the policy editor and which policy to tweak in order to prevent automatic updates from happening without user consent.
 
mrz
MikroTik Support
Posts: 5673
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 1:40 pm

would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
 
karlisi
Member Candidate
Posts: 180
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 2:34 pm

would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
Everything outside the default protection rules. It should be only a warning, nothing else.
---
Karlis
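One way such a warning could be implemented, added here as an example that is not MikroTik code and not part of any RouterOS release: a read-only script that compares a few points of the running configuration with what the default configuration would leave in place and writes one warning line to the log per deviation, which is all karlisi asks for. The three heuristics are assumptions made for this example (mrz's question of what counts as "unsafe" has no single answer), chosen to be conservative so that a deliberately customised firewall that still restricts management access is not flagged; the WAN/LAN list names are the ones the default configuration creates.

```routeros
# Added example (not MikroTik code): read-only audit of management exposure.
# Writes warnings to the log only; changes nothing. Heuristics are assumptions.

:local problems 0

# 1. A management service (winbox, www, api, ssh...) that is enabled with no
#    "address" restriction answers to any source that can reach its port.
:foreach id in=[/ip service find disabled=no] do={
    :local svc [/ip service get $id name]
    :if ([:len [/ip service get $id address]] = 0) do={
        :log warning ("fw-audit: service " . $svc . " is enabled with no address restriction")
        :set problems ($problems + 1)
    }
}

# 2. The default input chain ends with a drop rule; an input chain with no
#    enabled drop rule at all lets every interface reach the router itself.
:if ([:len [/ip firewall filter find chain=input action=drop disabled=no]] = 0) do={
    :log warning "fw-audit: input chain has no enabled drop rule"
    :set problems ($problems + 1)
}

# 3. The default rules key on the WAN and LAN interface lists; an empty list
#    silently turns "drop all not coming from LAN" into "drop everything" or nothing.
:foreach listname in={"WAN";"LAN"} do={
    :if ([:len [/interface list member find list=$listname]] = 0) do={
        :log warning ("fw-audit: interface list " . $listname . " has no members")
        :set problems ($problems + 1)
    }
}

:if ($problems = 0) do={
    :log info "fw-audit: no deviation from the default protection baseline found"
} else={
    :log warning ("fw-audit: " . $problems . " finding(s); review /ip service and /ip firewall filter")
}
```

Because it only logs, the script can be attached to a scheduler or run once after an upgrade without any risk of locking the administrator out; an administrator who does not want the reminders simply does not install it, which sidesteps the objection raised later in the thread about unwanted warnings for people running a deliberately non-default firewall.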
 
Cha0s
Forum Veteran
Posts: 816
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 2:46 pm

Everything outside default protection rules. It should be only warning, nothing else.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
 
mkx
Forum Veteran
Posts: 757
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:14 pm

Everything outside the default protection rules. It should be only a warning, nothing else.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
No, not everybody. Only those who care enough to check their router from time to time. Those who don't even care to upgrade ancient, unsafe ROS versions won't be bothered by it.

I find the red-coloured log entry about the CPU not running at the default frequency (even if downclocked, so it should be harmless to the hardware) annoying as well, but I have to live with it.
BR,
Metod
 
Cha0s
Forum Veteran
Posts: 816
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:23 pm

So we, professional users of ROS who use it every day, should have to get stupid warnings because of dummy users who mess up their firewall and never even bother to log in to their routers again.

Who exactly will this message be for then?

Please. Stop trying to convert RouterOS to a 'DummyOS'. If you need wizards, bells and whistles like those of Netgear and D-Link, then by all means, get a D-Link.

RouterOS is a system for power users and professionals. Not for dummy users.

Do you expect Cisco to put in warnings and auto-update features? You know that when you pay thousands of dollars for a Cisco, you have to know what you are doing to use it. You don't expect Cisco to babysit you in case you mess up your configuration.

Why should RouterOS be any different? Because it's cheap?
 
mkx
Forum Veteran
Posts: 757
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:27 pm

So, us, professional users of ROS, ...
See how your own position is skewing your point of view? :wink:

Seriously: even being myself a "home user" by all standards I'm with you on this.
BR,
Metod
 
WestTexas
just joined
Posts: 6
Joined: Sun Apr 01, 2018 4:31 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 9:09 am

I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but it is ignored when the router reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions, including 6.42.3.
I have also reset the configuration and then tried the new firmware. It still fails to take the new firmware.

Any suggestions?
 
mkx
Forum Veteran
Posts: 757
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 10:24 am

Verify that the uploaded npk file is intended for the correct platform.

Check the list of installed packages. If there's a package listed more than once, the upgrade won't succeed and the only remedy is to perform a netinstall.
BR,
Metod
 
WestTexas
just joined
Posts: 6
Joined: Sun Apr 01, 2018 4:31 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 5:43 pm

Thanks mkx.
It's the right version, and it has been placed on several unaffected routers and installed normally.
No errors; it just shows 'router rebooted' in the log and the file remains.
 
mkx
Forum Veteran
Posts: 757
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 6:07 pm

There are two wireless packages installed. Try to uninstall wireless-cm2 (this might not be possible if it's part of the bundle).
Other than that, I'd try to upgrade first to 6.40.9 (you might be able to perform that without downloading a package; change the package channel to bugfix only)... that's the last version with the old "master port" configuration. Then upgrade to 6.42.x to have the upgrade process translate "master port" to the "new bridge". After that, upgrade to 6.43.2. And don't forget to upgrade the firmware at every step (/system routerboard upgrade).
BR,
Metod
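The checks that belong around each step of the staged upgrade mkx lays out, added here as an example that is not from his post and not MikroTik code. It assumes the matching .npk for the step has already been uploaded by hand (for example through the Winbox Files window), which is what WestTexas did; the file name pattern in the comment is the one MikroTik uses for its downloads and is shown only as an illustration.

```routeros
# Added example (not from the original post): one step of a staged upgrade.
# Assumes the correct .npk for this architecture is already in the file list.

# A package listed twice here is the case mkx describes where the upgrade
# silently does nothing and netinstall is the only way out.
/system package print

# Confirm the uploaded file is present and named for this board's architecture
# (example name: routeros-mipsbe-6.40.9.npk). A file for the wrong
# architecture is ignored on reboot with nothing but "router rebooted" in the log.
/file print where name~"npk"

# Apply the uploaded package; then, once the router is back, verify the version.
/system reboot
/system resource print

# RouterBOOT lags behind the package version: bring it up at every step
# (the "current" vs "upgrade" columns show whether it is needed). One more reboot.
/system routerboard print
/system routerboard upgrade
/system reboot

# Repeat the same block for 6.42.x (master-port to bridge conversion happens on
# that upgrade) and then for 6.43.2.
```

Looking at /system package print before every step, rather than only once at the start, catches the duplicate-package condition as soon as it appears; the version check after each reboot is what tells you whether to continue or stop and investigate.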
 
spacemind
Member Candidate
Posts: 107
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 8:30 pm

I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but it is ignored when the router reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions, including 6.42.3.
I have also reset the configuration and then tried the new firmware. It still fails to take the new firmware.

Any suggestions?
Hi,

I have faced the same issue; the solution is:

Netinstall all affected devices with 6.43.2 with no default configuration and configure everything from scratch...

After I discovered a few affected routers, I first turned off all remote access (Winbox, telnet...), uploaded the 6.42.3 file and rebooted, but no upgrade was done, so my solution is below, and I got everything working except a few boards where the LTE card stopped working even after the upgrade and reboot. (Had to buy new LTE routers to replace those miniPCIe cards.)

Best regards
 
Deantwo
Member Candidate
Posts: 237
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 01, 2018 11:36 am

WestTexas:
In theory, if you can't upgrade the routers at all, just make sure they can't be accessed from untrusted networks. The vulnerability is only an issue if the router can be accessed in the first place.
For example, make them only accept WinBox connections from your specific public IP range. Or give all routers an SSTP tunnel for maintenance access.

It is still recommended to upgrade to the newer RouterOS version, but you can at least eliminate the threat of this vulnerability by just improving your firewall to prevent access from untrusted networks.

PS: Be sure to scrub the routers for any mischievous configuration or scripts.
I wish my FTP was FTL.
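The interim measure Deantwo describes, added here as an example that is not from his post and not MikroTik code: restrict who can reach Winbox while the router still runs a vulnerable version, using both the service's own address filter and the input chain, and then list the places where a leftover change would show up. The 198.51.100.0/24 range is RFC 5737 documentation space standing in for the administrator's real public range; the address-list and rule names are assumptions, the WAN interface list is assumed to exist as the default configuration creates it, and dst-port must match whatever port Winbox was moved to.

```routeros
# Added example (not from the original post, not MikroTik code).
# 198.51.100.0/24 is documentation space: replace it with your own management range.

# Trusted management sources in one address-list, so rules stay readable.
/ip firewall address-list add list=mgmt-allowed address=198.51.100.0/24 \
    comment="admin office (example value)"

# First layer: the Winbox service itself only answers these sources.
# An empty "address" here means "anyone who can reach the port".
/ip service set winbox address=198.51.100.0/24

# Second layer: input-chain rules placed at the very top (place-before=0 / 1)
# so they are evaluated before anything already there. place-before needs at
# least one existing rule; on an empty filter drop it and the rules land first
# anyway. Change dst-port if Winbox runs on a non-default port.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    src-address-list=mgmt-allowed action=accept place-before=0 \
    comment="winbox only from trusted sources"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    in-interface-list=WAN action=drop place-before=1 \
    comment="winbox from anywhere else on WAN"

# Verify what is now listening and from where.
/ip service print
/ip firewall filter print where chain=input

# Scrubbing: read-only listings of the places a leftover change would hide.
/system script print
/system scheduler print
/ip socks print
/user print
```

Apply the rules from a session that originates inside the trusted range (or from the LAN side, or in Winbox safe mode), since the drop rule takes effect immediately for new connections; the SSTP maintenance tunnel Deantwo mentions is the cleaner long-term answer because it removes the need to expose the Winbox port on the WAN at all.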
 
ssbaksa
just joined
Posts: 22
Joined: Tue Oct 20, 2015 10:38 am

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 8:55 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I didn't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
Not everyone has MikroTik in a home or small office environment.
If you like automation, there is what Normis proposed as a script for doing it.

Happy networking,
 
pe1chl
Forum Guru
Posts: 4797
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:20 am

Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router, but it does a lot of other things.
Some users might not be prepared to reset their entire config, but their firewall is not so complicated and it could easily be replaced with the new one.
(Especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec.)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some port forwardings and VPNs" it would just work.
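The script pe1chl asks for, written out as an added example: it is not from his post, not MikroTik's default-configuration script, and the rule list is this editor's transcription of the 6.41+ default IPv4 filter rather than an official copy, so compare it against /system default-configuration print on your own version before relying on it. It assumes ether1 is the WAN port and the LAN sits on a bridge named "bridge"; it touches only the filter table, leaving NAT, mangle and everything else alone, which is the point of pe1chl's proposal.

```routeros
# Added example (not pe1chl's script, not MikroTik's defconf): replace only the
# IPv4 firewall filter with the 6.41+ default rule set.
# Assumptions: ether1 is the WAN port; the LAN is a bridge named "bridge".
:local wanIf "ether1"
:local lanIf "bridge"

# 0. Keep a copy of the configuration being replaced (written as filter-before-reset.rsc).
/export file=filter-before-reset

# 1. The interface lists the default rules refer to; created only if missing,
#    and members added only if not already present, so re-running is harmless.
:if ([:len [/interface list find name=WAN]] = 0) do={ /interface list add name=WAN }
:if ([:len [/interface list find name=LAN]] = 0) do={ /interface list add name=LAN }
:if ([:len [/interface list member find list=WAN interface=$wanIf]] = 0) do={
    /interface list member add list=WAN interface=$wanIf
}
:if ([:len [/interface list member find list=LAN interface=$lanIf]] = 0) do={
    /interface list member add list=LAN interface=$lanIf
}

# 2. Remove every existing filter rule. NAT and mangle tables are untouched.
/ip firewall filter remove [find]

# 3. The default filter. The ipsec-policy and "not DSTNATed" rules are the ones
#    that make per-forwarding and per-VPN filter rules unnecessary.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

:log warning "firewall filter replaced with the default rule set; review /ip firewall filter print"
```

Run it from the LAN side or with safe mode engaged: the new input chain drops everything that does not arrive via the LAN list, so a Winbox session coming in over the WAN loses access the moment step 2 and 3 complete. Anyone who still needs remote management afterwards adds an explicit accept for their trusted source range above the "drop all not coming from LAN" rule, which is exactly the customization pe1chl expects for the non-average case.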
 
pe1chl
Forum Guru
Posts: 4797
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:30 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I didn't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
But then you don't understand what "default" means?
Default does not mean it is happening all the time. It is a setting that is automatically made and is useful for many, but can be changed by individual users with different requirements.

I am all for a default automatic upgrade, but it should use a separate release channel so that routers are not blindly following the stable or even long-term channels. We all know that every 6.xx version is immediately followed up with 6.xx.1 and 6.xx.2 to fix major mishaps, and automatic upgrade should not suffer from that, or users will disable it just to have fewer issues.
Automatic upgrade should install a version that is known to be reliable (has been online for at least a month without showstopping issues, with the exception of one well-tested and localized fix for a vulnerability), and its version should only change when major problems have been found, like recently.

It prevents the current situation where there will be 100.000 vulnerable routers on the internet for at least a decade, and we will read those alarming security notices from yet another group who have found yet another exploit every month.

You, with your 24/7/365 uptime, are of course watching the security situation and acting accordingly. But the average user isn't, and a default automatic upgrade is a good solution for that.
 
normis
MikroTik Support
Topic Author
Posts: 23494
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:33 am

pe1chl, do you think this script in a scheduler rule would be a good idea? The scheduler time could be determined by the user (or disabled):
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
We could add this into our iOS/Android application's wizard mode.
 
normis
MikroTik Support
Topic Author
Posts: 23494
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:52 am

Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router but it does a lot of other things.
Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
(especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
I think this already exists:

1. upgrade to the latest version
2. system reset

This will load the new default config, and the user will just need to re-create his PPPoE client.
 
pe1chl
Forum Guru
Posts: 4797
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 12:32 pm

Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
 
briefwum
just joined
Posts: 1
Joined: Sun Oct 07, 2018 10:48 am

Re: Winbox vulnerability: please upgrade

Wed Oct 10, 2018 6:28 pm

Thanks for the link.
