mrz
MikroTik Support
Posts: 5699
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:16 pm

How happy would you be if your Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7 and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers or set up upgrade scripts scheduled for the most convenient time.
 
spacemind
Member Candidate
Posts: 109
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:22 pm

I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.

The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.
Normis,

Securely? I only have winbox access opened to WAN, and on a different port than the default one.

We can have an upgrade menu where we can choose if we want the critical (extremely critical in this case) upgrades done in auto mode. That option can be disabled by default.

This would solve critical vulnerability issues: upgrade, reboot and notify the client. I know that some updates are buggy and we will have problems, but in my opinion I prefer to have an upgrade with some bugs, even if a hotspot/pppoe server with 5000 clients stops working, rather than have the router hacked....

Thanks.
 
normis
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:24 pm

Securely? I only have winbox access opened to WAN, and on a different port than the default one.
So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force-upgrade your device.
Also, how could we upgrade it, if you have a firewall?
No answer to your question? How to write posts
 
spacemind
Member Candidate
Posts: 109
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:32 pm

How happy would you be if your Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7 and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers or set up upgrade scripts scheduled for the most convenient time.

The Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car.... What do you think?

A simple menu where you can choose if you want to do the critical updates and reboot is enough for that; network admins do whatever they think is better, but end customers should be protected. Mikrotik sells thousands of units to end customers, not only to companies.

Anyway, this conversation will not help in the future; a new feature suggestion will do the work.

Thanks for your comments guys :)
 
spacemind
Member Candidate
Posts: 109
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:38 pm

Securely? I only have winbox access opened to WAN, and on a different port than the default one.
So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force-upgrade your device.
Also, how could we upgrade it, if you have a firewall?
That's why I have chosen Mikrotik since 2001, to use it without worries. I am not a sysadmin; I just show clients and friends the best affordable equipment on the market with the best software to manage it, and I'm happy to have Mikrotik.

Firewall rules can be changed if there is an upgrade menu :)
 
normis
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:47 pm

You can already do it.

In the system scheduler, add a new entry that does this every 24 hours or whenever:
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade
No answer to your question? How to write posts
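The scheduler setup normis describes, written out as an added example (not code from the thread or from MikroTik): the check-and-install script becomes a named script and a scheduler entry runs it once a day. The script name, the 03:30 start time and the 192.168.88.0/24 LAN are assumptions; pick a window in which a reboot is acceptable, because "install" reboots the router on its own, and disable the scheduler entry to opt out.

```routeros
# Added example; assumes the script name "auto-upgrade" and a 03:30 maintenance window.
/system script add name=auto-upgrade policy=read,write,reboot,policy,test source={
    /system package update
    # set channel=... here first if the router should not follow whatever channel is configured
    check-for-updates once
    # give the check a moment to fill in "status" before reading it
    :delay 1s
    :if ([get status] = "New version is available") do={
        :log warning ("auto-upgrade: installing " . [get latest-version])
        # install downloads the packages and reboots the router when done
        install
    } else={
        :log info ("auto-upgrade: " . [get installed-version] . " is current, nothing to do")
    }
}

# Run the script once a day at the chosen time; disable this entry to opt out
/system scheduler add name=auto-upgrade interval=1d start-time=03:30:00 on-event="/system script run auto-upgrade"
```

The log lines give the admin a record of when an upgrade happened, which is what mkx's "upgrade firmware at every step" advice later in the thread relies on: after the reboot, /system routerboard upgrade still has to be run separately.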
 
Cha0s
Forum Veteran
Posts: 827
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 4:37 pm

The Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car.... What do you think?
I think that I wouldn't want my 160.000€ car to stop whenever it feels like it should update itself, while I am in a rush to get my pregnant wife or my hurt child to the hospital.
 
OhJeez
just joined
Posts: 4
Joined: Sun Apr 09, 2017 9:31 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 5:57 am

Automatic upgrade should be the default and is quickly becoming best practice.
 
normis
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 9:25 am

See the configuration line above. It can't be the default, because I don't know at what time you don't need any internet.
No answer to your question? How to write posts
 
eddieb
Frequent Visitor
Posts: 93
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 9:43 am

NEVER make updates automatic!
We want to control the moment of updating and rebooting devices.
The way it is done now is sufficient; announcements through mailing and on this forum are fine.
 
sid5632
Member Candidate
Posts: 277
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 8:29 pm

Automatic upgrade should be the default
No, it should not.
and is quickly becoming best practice.
Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
 
Karas
just joined
Posts: 7
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 9:52 am

Automatic upgrade should be the default
No, it should not.
and is quickly becoming best practice.
Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
I think it's unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
Seriously though, I agree: it should be up to the network admin to decide when updates should take place, not rely on someone else to decide when the network will go offline.
Especially when some releases have come out buggy at times, which is why it's often better to wait a couple of days for forum/community feedback and/or test the release yourself before implementing.

@OhJeez - try controlling a network with hundreds of Mikrotik devices on it, and have someone else decide when upgrades should take place instead of you.
And then have the upgrade be to a buggy release.
Have fun,
 
Cha0s
Forum Veteran
Posts: 827
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 10:27 am

I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.

Another example is Dropbox. It upgrades whenever it feels like it. No notification, no mention of it anywhere.
It's borderline backdoor/malware behavior.
 
sid5632
Member Candidate
Posts: 277
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 8:54 pm

I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.
It is indeed Micro$oft I meant.
 
mrz
MikroTik Support
Posts: 5699
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:07 am

Even your "beloved" Microsoft does not force reboots. You choose when to reboot the PC.
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:16 am

Even your "beloved" Microsoft does not force reboots.
In Windows 10 it does, actually.
 
mrz
MikroTik Support
Posts: 5699
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:18 am

No it does not, unless you scheduled automatic restarts.
 
karlisi
Member Candidate
Posts: 195
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 12:41 pm

In some cases Windows 10 forces the user to restart the computer, not letting them do anything else. It's almost the same, except if the user wants to sit and look at something like "You must restart your computer to finish important update" forever.
It's off-topic, imho. Mikrotik should not change upgrade to automatic by default, period. But if the upgrade process would check firewall rules for unsafe entries on every upgrade, and warn the user afterwards (in the log, on the terminal, a dialog box like after config reset), it would be helpful for inexperienced users.
---
Karlis
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 12:58 pm

No it does not, unless you scheduled automatic restarts.
It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force an automatic reboot sometime outside of a (somewhat) configurable "activity period". You can configure this activity period (with limitations), but that's it. Nothing else can be changed/configured unless you are using the Pro or Enterprise edition, and even then you need to know how to use the policy editor and which policy to tweak in order to prevent automatic updates from happening without user consent.
 
mrz
MikroTik Support
Posts: 5699
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 1:40 pm

would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
 
karlisi
Member Candidate
Posts: 195
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 2:34 pm

would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
Everything outside default protection rules. It should be only warning, nothing else.
---
Karlis
 
Cha0s
Forum Veteran
Posts: 827
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 2:46 pm

Everything outside default protection rules. It should be only warning, nothing else.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
 
mkx
Forum Guru
Posts: 1019
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:14 pm

Everything outside default protection rules. It should be only warning, nothing else.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
No, not everybody. Only those who care enough to check their router from time to time. Those that don't even care to upgrade ancient unsafe ROS versions won't be bothered by it.

I find red-coloured log entry about CPU not running at default frequency (even if downclocked so it should be harmless to hardware) annoying as well, but I have to live with it.
BR,
Metod
 
Cha0s
Forum Veteran
Posts: 827
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:23 pm

So we, professional users of ROS who use it every day, should have to get stupid warnings because of dummy users that mess up their firewall and never even bother to log in to their routers ever again.

Who exactly will this message be for then?

Please. Stop trying to convert RouterOS to a 'DummyOS'. If you need wizards, bells and whistles to the likes of Netgear and D-Link, then by all means. Get a D-Link.

RouterOS is a system for power users and professionals. Not for dummy users.

Do you expect Cisco to put in warnings and auto-update features? You know that when you pay thousands of dollars for a Cisco, you have to know what you are doing to use it. You don't expect Cisco to babysit you in case you mess up your configuration.

Why should RouterOS be any different? Because it's cheap?
 
mkx
Forum Guru
Posts: 1019
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:27 pm

So, us, professional users of ROS, ...
See how your own position is skewing your point of view? :wink:

Seriously: even being myself a "home user" by all standards I'm with you on this.
BR,
Metod
 
WestTexas
just joined
Posts: 6
Joined: Sun Apr 01, 2018 4:31 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 9:09 am

I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but is ignored when it reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions including 6.42.3.
I have also reset the configuration and then tried the new firmware. It still fails to take the new firmware.

Any suggestions?
 
mkx
Forum Guru
Posts: 1019
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 10:24 am

Verify that the uploaded npk file is intended for the correct platform.

Check the list of installed packages. If there's a package listed more than once, upgrade won't succeed and the only remedy is to perform netinstall.
BR,
Metod
 
WestTexas
just joined
Posts: 6
Joined: Sun Apr 01, 2018 4:31 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 5:43 pm

Thanks mkx
It's the right version, and has been placed on several unaffected routers and installed normally.
No errors, just shows 'router rebooted' in the log and the file remains.
 
mkx
Forum Guru
Posts: 1019
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 6:07 pm

There are two wireless packages installed. Try to uninstall wireless-cm2 (this might not be possible if it's part of a bundle).
Other than that, I'd try to upgrade first to 6.40.9 (you might be able to perform that without downloading the package; change the package channel to bugfix only)... that's the last version with the old "master port" configuration. Then upgrade to 6.42.x to have the upgrade process translate "master port" to the new bridge. After that upgrade to 6.43.2. And don't forget to upgrade the firmware at every step (/system routerboard upgrade).
BR,
Metod
 
spacemind
Member Candidate
Posts: 109
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 8:30 pm

I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but is ignored when it reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions including 6.42.3.
I have also reset the configuration and then tried the new firmware. It still fails to take the new firmware.

Any suggestions?
Hi,

I have faced the same issue; the solution is:

Netinstall all affected devices with 6.43.2 with no default configuration and configure everything from scratch...

After I discovered a few affected routers I first turned off all remote access (winbox, telnet...), uploaded the 6.42.3 file and rebooted, but no upgrade was done, so my solution is below, and I got everything working except a few boards where the LTE card stopped working even after upgrade and reboot. (Had to buy new LTE routers to replace those miniPCIe cards.)

Best regards
 
Deantwo
Member Candidate
Posts: 246
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 01, 2018 11:36 am

WestTexas:
In theory, if you can't upgrade the routers at all, just make sure they can't be accessed from untrusted networks. The vulnerability is only an issue if it can be accessed in the first place.
For example, make them only accept WinBox connections from your specific public IP range. Or give all routers an SSTP tunnel for maintenance access.

It is still recommended to upgrade to the newer RouterOS version, but you can at least eliminate the threat of this vulnerability by just improving your firewall to prevent access from untrusted networks.

PS: Be sure to scrub the routers for any mischievous configuration or scripts.
I wish my FTP was FTL.
 
ssbaksa
newbie
Posts: 25
Joined: Tue Oct 20, 2015 10:38 am

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 8:55 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on
equipment which is up 24/7/365.
Not everyone has Mikrotik in a home or small office environment.
If you like automation, there is what Normis proposed as a script for doing it.

Happy networking,
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:20 am

Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router but it does a lot of other things.
Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
(especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
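The firewall-reset script pe1chl asks for, written here as an added example (it is not pe1chl's script and not MikroTik's own default-configuration script): it creates the WAN/LAN interface lists, replaces the whole filter table with the 6.4x-style default rules, and adds the one customisation Deantwo's post above calls for, a management address list that is the only source allowed to reach WinBox/SSH from outside. It assumes ether1 is the WAN port, bridge is the LAN bridge, 192.168.88.0/24 is the LAN and 203.0.113.0/24 is the admin network; all four are placeholders to adjust before running.

```routeros
# Added example, not MikroTik's default-configuration script and not pe1chl's.
# Placeholders: ether1 = WAN port, bridge = LAN bridge, 192.168.88.0/24 = LAN,
# 203.0.113.0/24 = admin network allowed to reach WinBox/SSH from outside.

# 1. Interface lists the default rules refer to (created only if missing)
:if ([:len [/interface list find name=WAN]] = 0) do={ /interface list add name=WAN comment=defconf }
:if ([:len [/interface list find name=LAN]] = 0) do={ /interface list add name=LAN comment=defconf }
:if ([:len [/interface list member find list=WAN interface=ether1]] = 0) do={
    /interface list member add list=WAN interface=ether1 comment=defconf
}
:if ([:len [/interface list member find list=LAN interface=bridge]] = 0) do={
    /interface list member add list=LAN interface=bridge comment=defconf
}

# 2. Source networks that may manage the router over WAN
/ip firewall address-list
add list=management address=203.0.113.0/24 comment="admin network (placeholder)"

# 3. Throw away the current filter rules and install the default set
/ip firewall filter
remove [find]
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# customisation: only the management list reaches WinBox (8291) and SSH (22); all other WAN input is dropped by the next rule
add chain=input action=accept protocol=tcp dst-port=8291,22 src-address-list=management comment="custom: WinBox/SSH from management list"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# dst-nat forwardings and IPsec traffic are already accepted above; everything else new from WAN is dropped
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# 4. Narrow the services themselves as well, and switch off the ones not in use
/ip service
set winbox address=192.168.88.0/24,203.0.113.0/24
set ssh address=192.168.88.0/24,203.0.113.0/24
disable telnet,ftp,www,api,api-ssl
```

Run it from the LAN side or in WinBox Safe Mode: the "drop all not coming from LAN" rule cuts off any session that does not come from LAN or the management list the moment the rules are installed.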
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:30 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on
equipment which is up 24/7/365.
But then you don't understand what "default" means?
Default does not mean it is happening all the time. It is a setting that is automatically made and is useful for many, but
can be changed by individual users with different requirements.

I am all for a default automatic upgrade, but it should use a separate release channel so that routers are not blindly following the
stable or even long-term channels. We all know that every 6.xx version is immediately followed up with 6.xx.1 and 6.xx.2 to fix
major mishaps, and automatic upgrade should not suffer from that, or users will disable it just to have less issues.
Automatic upgrade should install a version that is known to be reliable (has been online for at least a month without showstopping
issues, with the exception of one well-tested and localized fix for a vulnerability) and its version should only change when major
problems have been found like recently.

It prevents the current situation where there will be 100.000 vulnerable routers on the internet for at least a decade, and we will
read those alarming security notices from yet another group who have found yet another exploit every month.

You with your 24/7/365 up are of course watching the security situation and act accordingly. But the average user isn't,
and default automatic upgrade is a good solution for that.
 
normis
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:33 am

pe1chl, do you think this script in a scheduler rule would be a good idea? The scheduler time could be determined by the user (or disabled):
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
We could add this into our iOS/Android application wizard mode.
No answer to your question? How to write posts
 
normis
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:52 am

Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router but it does a lot of other things.
Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
(especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
I think this already exists:

1. upgrade to latest
2. system reset

This will load the new default config and the user will just need to re-create his PPPoE client.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 12:32 pm

Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
 
briefwum
just joined
Posts: 1
Joined: Sun Oct 07, 2018 10:48 am

Re: Winbox vulnerability: please upgrade

Wed Oct 10, 2018 6:28 pm

Thanks for the link.
 
usmany
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 4:47 pm

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox to v3.18. I have been hacked by an attacker.

What is your take here!
Last edited by usmany on Mon Oct 15, 2018 4:55 pm, edited 2 times in total.
When the world turn back on you, you turn your back on the world...
 
BartoszP
Forum Guru
Posts: 1626
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 4:51 pm

Have you netinstalled?
Real admins use real keyboards.
 
usmany
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 4:58 pm

Have you netinstalled?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections, now I cannot connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
When the world turn back on you, you turn your back on the world...
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 5:25 pm

Have you netinstalled?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections, now I cannot connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
You should not allow remote connection to the router admin interface from the entire internet. That is just asking for trouble. The default firewall does not allow that, please do not remove that rule.
 
Karas
just joined
Posts: 7
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 5:52 pm

Have you netinstalled?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections, now I cannot connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
Just to confirm the (hopefully) obvious, you did use a different password afterwards, right?
And as pe1chl said, did you block the remote access?
 
spacemind
Member Candidate
Posts: 109
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 11:21 pm

Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
+1 for dedicated release channel for security fixes and auto upgrade option menu to enable/disable.
 
spacemind
Member Candidate
Posts: 109
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 11:28 pm

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox to v3.18. I have been hacked by an attacker.

What is your take here!

Finally someone had the same problems as me lol...

The only way that I had to solve this was:

1- Netinstall
2- Remove default configuration
3- Manually configure everything and voilà!
4- Disable IP services that you will not be using (ftp, telnet....)
(DO NOT USE THE SAME USERNAME/PASSWORD FOR WINBOX)

Already done it in 150+ devices...
 
Kraken2k
Frequent Visitor
Posts: 51
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Winbox vulnerability: please upgrade

Mon Oct 22, 2018 12:26 pm

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on
equipment which is up 24/7/365.
Not everyone has Mikrotik in a home or small office environment.
If you like automation, there is what Normis proposed as a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two- or three-minute outage during the night hours.
 
ssbaksa
newbie
Posts: 25
Joined: Tue Oct 20, 2015 10:38 am

Re: Winbox vulnerability: please upgrade

Mon Oct 22, 2018 3:06 pm

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on
equipment which is up 24/7/365.
Not everyone has Mikrotik in a home or small office environment.
If you like automation, there is what Normis proposed as a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two- or three-minute outage during the night hours.
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

Here, in the country I am from, all home-based router CPEs belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 22, 2018 3:51 pm

No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.
No, for it to be useful it HAS TO BE enabled by default!
Note that it is not targeted to system engineers/admins.
They can turn off such an option when they (think that they) know better.
But for the average home user a router is a buy-install-and-forget device and it has to be auto-updating or else it won't be updated ever.
Note that I do not advocate a situation where each router is following the release of every new version.
This auto-update should use a dedicated release channel that is only used to distribute critical fixes or well-tested new versions.
(the latter only to avoid situations where auto-updating systems are forced to make a big version jump in case a critical fix is made)
 
handlefman
just joined
Posts: 4
Joined: Thu Oct 25, 2018 4:16 pm

Re: Winbox vulnerability: please upgrade

Sat Oct 27, 2018 6:21 pm

Hello Mikrotik Community
I updated the router when I saw the news, but did not update the password. Now I can't hack my router to get access to it; what are the ideas?

Current firmware version on the hacked router: 6.42.7

Can someone tell me the IP white address which is registered on the hacked address for access to the router? (so that I could recreate the test environment for access)

Please help me.
 
pe1chl
Forum Guru
Posts: 4867
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Sat Oct 27, 2018 6:50 pm

Just use netinstall to re-install and reset it, and use your export or backup (from before it was hacked!) to reconfigure it.
Alternatively, just reconfigure it manually.
