ahmedramze
Member Candidate
Topic Author
Posts: 111
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Security bug Report

Sat Feb 24, 2024 5:42 pm

Hello All.

Since MikroTik removed Winbox from the Dude packages, added the command to the Tools menu and copied the file into the Dude folder, by mistake the Winbox.exe name was Winbox64.exe, and I found a big surprise.

YOU CAN SHOW ADMIN OR ANY USER PASSWORD STORED IN DUDE.

Just add any wrong command using Tools with IP + user + password:
111.exe [Device.FirstAddress] [Device.UserName] "[Device.Password]"

Then see the attached screenshot below.
Screenshot 2024-02-24 at 18.33.32.png

Please, MikroTik, I have some requests:
Use encryption for tools or any other password API request.
Add Winbox to the Dude setup folder and update it automatically from the host machine.
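The failure mode in this post is a general one: a tool template expands `[Device.Password]` straight into the command line, so any place that shows that command line (an error dialog for a mistyped tool name, a process listing) reveals the device password to whoever can trigger it. The following is an added example and not Dude's own code; it assumes nothing about how Dude stores or expands its macros. It contrasts the naive expansion with a launcher that keeps the secret out of argv, hands it to the child through a hypothetical `DEVICE_PASSWORD` environment variable, and shows only a redacted line in error output. The device record and template values are constructed placeholders.

```python
import os
import re
import shlex
import subprocess
import sys

# Constructed sample device record; the values are placeholders, not real credentials.
DEVICE = {
    "FirstAddress": "192.0.2.10",
    "UserName": "dudeuser",
    "Password": "placeholder-not-a-real-secret",
}

# The tool template from the forum post, with its deliberately wrong executable name.
TEMPLATE = '111.exe [Device.FirstAddress] [Device.UserName] "[Device.Password]"'

MACRO = re.compile(r"\[Device\.(\w+)\]")
SECRET_FIELDS = {"Password"}
SECRET_ENV = "DEVICE_PASSWORD"  # hypothetical variable name this launcher hands to the tool


def expand_unsafe(template, device):
    """Naive expansion: every macro, the password included, ends up in the command line.

    Anything that displays or logs this string (an error dialog, a process list)
    therefore reveals the device password.
    """
    return MACRO.sub(lambda m: device[m.group(1)], template)


def expand_safe(template, device):
    """Expand non-secret macros into argv; route secret fields through the environment.

    Returns (argv, env, display): argv is safe to execute and to list, env carries
    the secret for the child process only, and display is the redacted command line
    that error messages and logs may show.
    """
    env = {}

    def for_argv(m):
        field = m.group(1)
        if field in SECRET_FIELDS:
            env[SECRET_ENV] = device[field]
            return ""  # leaves an empty token that is dropped below
        return device[field]

    argv = [tok for tok in shlex.split(MACRO.sub(for_argv, template)) if tok]
    display = MACRO.sub(
        lambda m: "<redacted>" if m.group(1) in SECRET_FIELDS else device[m.group(1)],
        template,
    )
    return argv, env, display


def run_tool(argv, env, display):
    """Run the tool and report the outcome using only the redacted display string."""
    try:
        proc = subprocess.run(argv, env={**os.environ, **env}, capture_output=True, text=True)
        return f"exit {proc.returncode}: {display}"
    except FileNotFoundError as exc:
        # The situation in the post: a mistyped tool name produces an error message.
        # Here that message carries the redacted line, not the real password.
        return f"tool not found ({exc.filename}): {display}"


def child_receives_secret():
    """Check that a correctly written tool still gets the password, via the environment.

    A small Python one-liner stands in for the real tool.
    """
    argv, env, _display = expand_safe(TEMPLATE, DEVICE)
    child = [
        sys.executable,
        "-c",
        f"import os, sys; sys.stdout.write(os.environ.get({SECRET_ENV!r}, ''))",
    ] + argv[1:]  # address and user name remain ordinary arguments
    proc = subprocess.run(child, env={**os.environ, **env}, capture_output=True, text=True, check=True)
    return proc.stdout == DEVICE["Password"]


if __name__ == "__main__":
    print("unsafe :", expand_unsafe(TEMPLATE, DEVICE))
    argv, env, display = expand_safe(TEMPLATE, DEVICE)
    print("safe   :", run_tool(argv, env, display))
    print("child got secret via env:", child_receives_secret())
```

Encrypting the stored password, as requested later in the thread, would not change this picture: the launcher has to decrypt it to run the tool, and the leak happens at the moment the plaintext is placed on the command line. Keeping it out of argv (environment variable, stdin, or a per-launch credential file with tight permissions) is what removes it from dialogs and process listings.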
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security bug Report

Mon Feb 26, 2024 10:39 am

Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrator's tool, so do not give access to this tool to anyone who is not an administrator. Windows has appropriate security features for that.
 
ahmedramze
Member Candidate
Topic Author
Posts: 111
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: Security bug Report

Mon Feb 26, 2024 2:38 pm

> Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
> Of course it's the administrator's tool, so do not give access to this tool to anyone who is not an administrator. Windows has appropriate security features for that.

Hello Normis.
Thanks for the reply.

I have multiple admins, each with a different password but the same access level; this shows the password of the device in Dude, not the user's password.

For example, I use the dudeuser/XXXX password for all routers, and we enter it once when a device is added.
The other users (admins) exist only for the Dude server, but they need access to tools such as ping, Winbox, SSH etc.

What I request to improve Dude:
1-Encrypt any stored password.
2-Make a user list (used when we add a new device or via auto-discovery) so that a specific user, or one from the list, is used just for devices, like an SNMP profile.
3-Add Winbox to the Dude tools.

Thanks
 
infabo
Long time Member
Posts: 676
Joined: Thu Nov 12, 2020 12:07 pm

Re: Security bug Report

Mon Feb 26, 2024 7:29 pm

> Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
> Of course it's the administrator's tool, so do not give access to this tool to anyone who is not an administrator. Windows has appropriate security features for that.

Famous last words.
 
stmx38
Long time Member
Posts: 617
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Security bug Report

Mon Feb 26, 2024 8:52 pm

Even if the password were encrypted, it looks like we may have an issue if one of the administrators who added one of the devices changes their password.

In that case, we may consider using a generic user for device credentials.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security bug Report

Tue Feb 27, 2024 8:38 am

If passwords were encrypted, you would still have to give all your admins the decryption password, for all devices.
So you should maybe use a password manager app with different access levels for different people.
