normis
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Advisory: Vulnerability exploiting the Winbox port [SOLVED]

Mon Apr 23, 2018 1:05 pm

Edit: 18.04.25
Please upgrade to MikroTik RouterOS 6.40.8 [bugfix] or 6.42.1 [current], the issue was addressed and fixed there,
https://mikrotik.com/download

We have discovered a new RouterOS vulnerability affecting all RouterOS versions since v6.29.

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.

Versions affected: 6.29 to 6.43rc3 (included). Updated versions in all release chains coming ASAP. Edit: v6.42.1 and v6.43rc4 have been released!

Am I affected? Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected and upgrade + change password + add firewall. The log may show an unsuccessful login attempt, followed by a successful login attempt from unknown IP addresses.

What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router for any services, not just Winbox. We suggest this become common practice. As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.

What to expect in the coming hours/days: Updated RouterOS versions coming ASAP. RouterOS user database security will be hardened, and deciphering will no longer be possible in the same manner.

EXAMPLE how to protect yourself:
Screen Shot 2018-04-23 at 13.01.48.png
No answer to your question? How to write posts
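As an added example (not the advisory's own configuration, and not the screenshot normis attached), here are the two "What to do" options from the advisory as RouterOS CLI commands. The interface name ether1, the LAN prefix 192.168.88.0/24, the admin address 203.0.113.10 and the list name winbox_allowed are assumptions; substitute your own.

```routeros
# Added example, not part of the advisory: the two mitigations from "What to do" as CLI commands.
# Assumptions (adjust to your network): WAN interface is ether1, LAN is 192.168.88.0/24,
# and 203.0.113.10 is the public address you administer the router from.

# 1) Firewall-based restriction (the option the advisory recommends first)
/ip firewall address-list
add list=winbox_allowed address=192.168.88.0/24 comment="LAN"
add list=winbox_allowed address=203.0.113.10 comment="admin public IP"

/ip firewall filter
# keep replies to sessions that already exist
add chain=input action=accept connection-state=established,related comment="accept established/related"
# Winbox (TCP 8291) only from addresses on the list ...
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=winbox_allowed comment="winbox from known sources"
# ... and dropped from everywhere else, whichever interface it arrives on
add chain=input action=drop protocol=tcp dst-port=8291 comment="drop winbox from everyone else"
# the advisory suggests the same practice for every service, not just Winbox:
# ftp, ssh, telnet, www, www-ssl, api and api-ssl from the WAN side only when listed
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=21,22,23,80,443,8728,8729 src-address-list=!winbox_allowed comment="drop other management services from WAN unless listed"

# 2) Service-level alternative: IP -> Services "Allowed From"
/ip service set winbox address=192.168.88.0/24,203.0.113.10
```

Filter rules are evaluated top down and `add` appends at the end, so after pasting check `/ip firewall filter print` and `move` these rules above any broad accept rule you already have on the input chain. The firewall rules decide before the packet ever reaches the Winbox service, so option 1 does not depend on the service itself doing the filtering; option 2 does.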
 
msatter
Forum Veteran
Posts: 710
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:17 pm

WOW. That is really scary.

Maybe port-knocking should be required for a connection, with a lifetime as long as the connection is established. Also implement this in Winbox and the Android app.

Web interface is a no no from external.

A unique TCP/UDP port sequence printed on the router label is needed to reach that router from external. This sequence can be changed by the admin but cannot be disabled.

Once logged in, with Winbox, the admin can regenerate a new sequence in the router for the Winbox profile for that specific account. This new sequence is visible in the router and in the profile in Winbox. This can also be forced totally hidden so that a reset of the router is needed to go back to the sequence on the router label.
A new sequence is enforced from the next time connecting.

A problem with sequence port-knocking is that ports can also be used by the router. One way is to use not different ports but different timings in the sequence for the packets.

Maybe easier is to have port 8291 as attention port for knocking and any knock on a port from the same source IP is not for normal firewall processing but for gaining access.

Example: TCP-8291 UDP-1234 TCP-8291 TCP-2341......
Last edited by msatter on Mon Apr 23, 2018 2:16 pm, edited 5 times in total.
RB750Gr3 small, lean and fast. Running RouterOS 6.43RC11 and Winbox 3.13.
 
raffav
Member Candidate
Posts: 232
Joined: Wed Oct 24, 2012 4:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:20 pm

Can changing the service port resolve the problem?
The problem with "Allowed From" is that we do not always have a static IP address.
A suggestion: that field could accept DNS names, or allow reading from an address list.

Sent from my XT1580 using Tapatalk

 
Caci99
Forum Guru
Posts: 1012
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:23 pm

I use firewall rules which will kick an IP address if login fails after three attempts. Will this method be sufficient to be protected from this vulnerability?

By the way, thank you for letting us know about it.
-Toni-
Don't crash the ambulance, whatever you do
 
lamclennan
just joined
Posts: 15
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:25 pm

I use firewall rules which will kick an IP address if login fails after three attempts. Will this method be sufficient to be protected from this vulnerability?
Does not appear so looking at the other posts. One failed attempt was in the logs...
Last edited by lamclennan on Mon Apr 23, 2018 1:29 pm, edited 1 time in total.
 
R1CH
Member
Posts: 471
Joined: Sun Oct 01, 2006 11:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:26 pm

This is really scary. Can you explain how this happened in a more technical manner? Why is authentication not the first thing that is required before downloading files etc is possible? Why is the user database even made available over the winbox port prior to establishment of an authenticated connection?

All these security bugs appearing lately in Mikrotik daemons are really shaking my trust in RouterOS. It's clear that a lot of Mikrotik code is not hardened against exploit attempts. What steps are Mikrotik taking to ensure this doesn't continue to happen? Have you considered hiring an external company to do a security audit of your code? This really can't keep happening.

EDIT: Please don't tell me this is related to the old 2012 exploit that lets you request files before login...
Last edited by R1CH on Mon Apr 23, 2018 1:31 pm, edited 1 time in total.
 
ivicask
Member Candidate
Posts: 167
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:28 pm

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As it's a post from over a month ago..
 
Caci99
Forum Guru
Posts: 1012
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:30 pm

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.
They gain access to a file within the router, right? What kind of information is stored in there?
-Toni-
Don't crash the ambulance, whatever you do
 
R1CH
Member
Posts: 471
Joined: Sun Oct 01, 2006 11:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:31 pm

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As its over month old post..
No, that's a different vulnerability in the SMB service.
 
DanFoster
just joined
Posts: 4
Joined: Tue Mar 11, 2014 2:30 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:34 pm

Is this vulnerability exploitable if the Winbox service is not running?
 
mbrtonpye
newbie
Posts: 27
Joined: Tue Dec 03, 2013 4:43 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:37 pm

@raffav If you are not using static IP's, use something like DYNDNS to set up aliases. Then, resolve the aliases in a script which will give you the IP addresses of the remote stations which are permitted access. Add these to the list of allowed IP's (Available From field in picture) and you have solved the problem.
 
honzam
Forum Guru
Posts: 2069
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:38 pm

As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from.
Normis, it seems this does not help.
On the Czech forum there is a user who has Winbox in IP Services allowed only for his private range and was hacked :-(
https://ispforum.cz/viewtopic.php?p=228863#p228863
LAN, FTTx, Wireless. ISP operator based on ROS.
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:39 pm

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.
They gain access to a file within the router, right? What kind of information is stored in there?
You don't know what is stored in the system user database file ???? :lol:
 
Caci99
Forum Guru
Posts: 1012
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:41 pm

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.
They gain access to a file within the router, right? What kind of information is stored in there?
You don't know what is stored in the system user database file ???? :lol:
No, do you? If so let me know
-Toni-
Don't crash the ambulance, whatever you do
 
MikroRouter
just joined
Posts: 2
Joined: Wed Nov 02, 2011 11:00 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:43 pm

The security issues are happening too frequently on MikroTik recently...
 
normis
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:45 pm


No, do you? If so let me know
the file contains RouterOS system usernames and passwords.
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:47 pm

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.
They gain access to a file within the router, right? What kind of information is stored in there?
You don't know what is stored in the system user database file ???? :lol:
No, do you? If so let me know
well, if I had to do some thinking, the system user database file contains the database with users and their passwords......
 
squeeze
Member Candidate
Posts: 106
Joined: Thu Mar 22, 2018 7:53 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:48 pm

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As its over month old post..
That is a completely different vulnerability that relates only to the SMB service, which by default is not even enabled (hence why you didn't hear much about this vulnerability).

This new one is a far scarier one. Somehow an attacker is not only able to remotely download the user database file, which bypasses all normal user authentication methods, but on top of that is trivially - within a couple of seconds - able to use the strongest of passwords to then log into the router using the Winbox port.

This implies at minimum that the user database file not only contains actual passwords (instead of hashes) but keeps those passwords in the clear or very close to it. Both practices are almost unheard of in modern security practices!

This means no matter what version of RouterOS, you are uncommonly at risk for the above reason.

While we await the vulnerability fix and basic RouterOS hardening, it is recommended to allow no direct public access to any external services on a RouterOS device, unless it is either IP-filtered or uses port knocking.

After the hardened RouterOS, all passwords should be changed as a basic security precaution, since any past compromise of the router (known or unknown) and by anyone, including insiders, means they may have access to all of the passwords.
Last edited by squeeze on Mon Apr 23, 2018 2:04 pm, edited 3 times in total.
 
normis
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:48 pm

On the Czech forum there is a user who has Winbox in IP Services allowed only for his private range and was hacked :-(
https://ispforum.cz/viewtopic.php?p=228863#p228863
It's possible the attack came from his LAN
 
nz_monkey
Forum Guru
Posts: 1722
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:54 pm

The security issues are happening too frequent on MikroTik recently...
It is just that with Mikrotik's increasing popularity, hackers are now targeting RouterOS. Exploits exist on all equipment, just look at Cisco and Fortinet if you want an example...
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 1:56 pm

On the Czech forum there is a user who has Winbox in IP Services allowed only for his private range and was hacked :-(
https://ispforum.cz/viewtopic.php?p=228863#p228863
It's possible the attack came from his LAN
I would also tend to agree. If you firewall all services on your WAN unless they come from trusted IPs/ranges, then it would be very difficult to hack the tik from the WAN.
I always firewall everything incoming to the tik and only allow access from specific ranges/IPs.
 
pe1chl
Forum Guru
Posts: 4207
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:00 pm

It's possible the attack came from his LAN
It looks like the exploit is again of the "worm" type so if there is one leak into the LAN it can infect other MikroTik devices from the inside.
 
honzam
Forum Guru
Posts: 2069
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:05 pm

On the Czech forum there is a user who has Winbox in IP Services allowed only for his private range and was hacked :-(
https://ispforum.cz/viewtopic.php?p=228863#p228863
It's possible the attack came from his LAN
It is possible, but unlikely. All attacks have the IP 103.1.221.39.
His screenshot of the attack - https://ispforum.cz/download/file.php?id=7933
More info sent to support@mikrotik.com

It looks like a WAN attack and IP Services does not protect the login.
LAN, FTTx, Wireless. ISP operator based on ROS.
 
JohnTRIVOLTA
Member Candidate
Posts: 102
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:12 pm

What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router for any services, not just Winbox. We suggest this become common practice. As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.
In addition to what was written :
set first in firewall filter "Drop port scanners rules" like this https://wiki.mikrotik.com/wiki/Drop_port_scanners but drop the scanners with RAW and finally change the number of the service port too !
 
normis
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:15 pm


it looks like a wan attack and IP services does not protect the login
Supout.rif will be useful, thanks. The Screenshot doesn't show if the "allowed from" was correctly set.
 
dada
Member Candidate
Posts: 238
Joined: Tue Feb 21, 2006 1:44 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:20 pm

On the Czech forum there is a user who has Winbox in IP Services allowed only for his private range and was hacked :-(
https://ispforum.cz/viewtopic.php?p=228863#p228863
It's possible the attack came from his LAN
Hi Normis,

the Czech case contained the same IP in the log as the others I have seen so far. The IP is 103.1.221.39 (some network from Taiwan). Either someone is testing some proof of concept (and runs the attack from only one station) or the IP in the log is a faked one and the attack source was a different IP. Maybe the attack vector causes the source IP to be logged improperly? I have analysed data for the last days and I can say that there was no communication between the range 103.1.221.0/24 and our network (a big amount of public IPs, so I would expect a scan to hit us)...

Normis, could you explain if it is possible that the logged IP is not the real one? Or confirm that it really is the source of the attack?

Screenshot from Czech forum:
https://ispforum.cz/download/file.php?id=7933
 
squeeze
Member Candidate
Posts: 106
Joined: Thu Mar 22, 2018 7:53 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:22 pm

If the Winbox server is the one doing the IP filtering, then an IP Services "Available From" restriction may not prevent the attacker from using the exploit against the Winbox server because the vulnerability is in the Winbox server ...

To be safe for now, only put IP restrictions on the IP Firewall itself.
Last edited by squeeze on Mon Apr 23, 2018 2:27 pm, edited 5 times in total.
 
erebusodora
Frequent Visitor
Posts: 60
Joined: Mon Jan 23, 2012 3:46 pm
Location: Bulgaria

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:23 pm

How do we know if our router is infected? What are the symptoms of this vulnerability?
 
normis
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:26 pm

How do we know if our router is infected what are the symptoms for this vulnerability ???
Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected and upgrade + change password + add firewall. The log may show an unsuccessful login attempt, followed by a successful login attempt from unknown IP addresses.
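An added example, not from the advisory or from MikroTik, of how to look for the log pattern normis describes from the router's own terminal. It assumes RouterOS's usual login messages ("login failure for user admin from 198.51.100.7 via winbox" and "user admin logged in from 198.51.100.7 via winbox"); the addresses in knownSources are constructed placeholders for the addresses you normally administer from, and the function and variable names are mine.

```routeros
# Added example, not from the advisory: review the router's own log for the pattern normis describes,
# a failed Winbox login followed by a successful one from an address you do not recognise.
# Assumptions: log lines have the RouterOS form
#   "login failure for user admin from 198.51.100.7 via winbox"
#   "user admin logged in from 198.51.100.7 via winbox"
# and $knownSources lists the addresses you normally administer from (constructed values here).
:local knownSources {"192.168.88.10"; "203.0.113.10"}

# pull the address between " from " and " via " out of a log message; "" if the shape does not match
:local srcOf do={
    :local fromPos [:find $msg " from "]
    :local viaPos [:find $msg " via "]
    :if ([:typeof $fromPos] = "nil" || [:typeof $viaPos] = "nil") do={ :return "" }
    :return [:pick $msg ($fromPos + 6) $viaPos]
}

# collect every address that produced a failed Winbox login
:local failedFrom [:toarray ""]
:foreach i in=[/log find where message~"login failure" && message~"via winbox"] do={
    :local src [$srcOf msg=[/log get $i message]]
    :if ($src != "") do={ :set failedFrom ($failedFrom, $src) }
}

# now walk the successful Winbox logins and flag the ones worth a closer look
:local suspicious 0
:foreach i in=[/log find where message~"logged in from" && message~"via winbox"] do={
    :local msg [/log get $i message]
    :local src [$srcOf msg=$msg]
    :if ($src != "" && [:typeof [:find $knownSources $src]] = "nil") do={
        :local why "login from an address not in knownSources"
        :if ([:typeof [:find $failedFrom $src]] != "nil") do={
            :set why "failed attempt then successful login from the same unknown address"
        }
        :set suspicious ($suspicious + 1)
        :put ([:tostr [/log get $i time]] . "  " . $msg . "  <- " . $why)
    }
}
:put ("suspicious winbox logins: " . $suspicious)
```

Paste it into a terminal or store it under /system script. It only reviews what the router still holds in its memory log buffer, which keeps a limited number of lines, so earlier events may already be gone; sending logs to a remote syslog target (/system logging action) gives you a record the device itself cannot lose. As normis says, an empty result is not proof that nothing happened.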
 
ivicask
Member Candidate
Posts: 167
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:34 pm

What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router for any services, not just Winbox. We suggest this become common practice. As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.
In addition to what was written :
set first in firewall filter "Drop port scanners rules" like this https://wiki.mikrotik.com/wiki/Drop_port_scanners but drop the scanners with RAW and finally change the number of the service port too !
This doesn't seem to work very well for me. I set the rules on top of my firewall list, also blocked via RAW, but for example if I run the port scanner from http://en.dnstools.ch/port-scan.html, it works and blocks access to it immediately as it runs.

But if I run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on the router without blocking it..

Try for yourself.
 
NathanA
Long time Member
Posts: 695
Joined: Tue Aug 03, 2004 9:01 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:37 pm

It has loooooong been known that ROS stores passwords using reversible encryption instead of hashes, and I'm surprised it has taken this long for this to get changed: http://manio.skyboo.net/mikrotik/

On the other hand, when you are the one that set the password and you can't log in to your own router, even though you could just reset to defaults or Netinstall to fix it, it's sometimes nice to be able to recover it so that the question of "what on EARTH could I have possibly set the password to?" doesn't constantly nag you. :lol:

-- Nathan
 
pe1chl
Forum Guru
Posts: 4207
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:37 pm

To be safe for now, only put IP restrictions on the IP Firewall itself.
We can only imagine what problems there will be when a vulnerability in the firewall is found...
And at the rate that they are found lately, how long will that take?
 
pe1chl
Forum Guru
Posts: 4207
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:40 pm

On the other hand, when you are the one that set the password and you can't log in to your own router, even though you could just reset to defaults or Netinstall to fix it, it's sometimes nice to be able to recover it so that the question of "what on EARTH could I have possibly set the password to?" doesn't constantly nag you. :lol:
Remember that normis has told us time after time that it is not possible to recover a password from a MikroTik device, you would have to reset and netinstall it.
Was that really true? Or is what is now called a "vulnerability" in fact really a backdoor to retrieve the passwords from a seized device?
It is a bit too obvious that you can download the user database, something you normally cannot even do from winbox as an authenticated user, over the winbox port, without being authenticated.
 
grusu
Frequent Visitor
Posts: 64
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:43 pm

What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router for any services, not just Winbox. We suggest this become common practice. As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.
In addition to what was written :
set first in firewall filter "Drop port scanners rules" like this https://wiki.mikrotik.com/wiki/Drop_port_scanners but drop the scanners with RAW and finally change the number of the service port too !
This doesn't seem to work very well for me. I set the rules on top of my firewall list, also blocked via RAW, but for example if I run the port scanner from http://en.dnstools.ch/port-scan.html, it works and blocks access to it immediately as it runs.

But if I run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on the router without blocking it..

Try for yourself.
I tried and my router blocks the scan instantly.
 
normis
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:45 pm

RouterOS doesn't have backdoors. This is a bug that was introduced in 6.29.

The fact that password encryption was considered "weak" is not news. The file was previously hard to get. We are also improving the encryption of the user password file now.
 
omega-00
Forum Guru
Posts: 1159
Joined: Sat Jun 06, 2009 4:54 am
Location: Brisbane, Australia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:45 pm

Here's a simple port-knocking firewall + address list for anyone who wants to implement it in the interim for access to the default winbox port (8291)

First add any custom IP address ranges (known safe networks) you need like so:
/ip firewall address-list add address=123.123.123.123 list=Winbox_Admin comment="Custom";
Then paste the following - make sure to update the port knocking rules to something random that you can remember. The easiest way is to hit these sequentially using a web browser if you're coming from a new IP address and need access.
:do {
    :if ([:len [/ip firewall address-list find list=Winbox_Admin]] < 3) do={
        /ip firewall address-list remove [find list=Winbox_Admin comment=Private_Default];
        :put "Creating Winbox_Admin List";
        :log warning "Creating Winbox_Admin List";
        /ip firewall address-list add address=192.168.0.0/16 list=Winbox_Admin comment="Private_Default";
        /ip firewall address-list add address=10.0.0.0/8 list=Winbox_Admin comment="Private_Default";
        /ip firewall address-list add address=172.16.0.0/12 list=Winbox_Admin comment="Private_Default";
    } else={:put "Winbox_Admin List Exists";};

    :if ([:len [/ip firewall filter find comment~"CUSTOM: WINBOX"]] < 4) do={
        /ip firewall filter remove [find comment~"CUSTOM: WINBOX"];
        :put "Creating Winbox_Admin Filters";
        :log warning "Creating Winbox_Admin Filters";
        /ip firewall filter add action=add-src-to-address-list address-list=Winbox_Admin address-list-timeout=1w chain=input comment="CUSTOM: WINBOX PK Stage 3" dst-port=333 protocol=tcp src-address-list=portknock_2 place-before=1;
        /ip firewall filter add action=add-src-to-address-list address-list=portknock_2 address-list-timeout=1m chain=input comment="CUSTOM: WINBOX PK Stage 2" dst-port=222 protocol=tcp src-address-list=portknock_1 place-before=1;
        /ip firewall filter add action=add-src-to-address-list address-list=portknock_1 address-list-timeout=1m chain=input comment="CUSTOM: WINBOX PK Stage 1" dst-port=111 protocol=tcp place-before=1;
        /ip firewall filter add action=drop chain=input comment="CUSTOM: WINBOX Drop Traffic to Winbox Port where src-address-list!=Winbox_Admin" dst-port=8291 protocol=tcp src-address-list=!Winbox_Admin place-before=1;
    } else={:put "Winbox_Admin Filter Exists";};
    :put "Done";
    :log warning "Added Winbox Port Security";
};
A set of private addresses are added by default so you don't get locked out of your router from internally.
brightwifi.com | mikrotik-routeros.com | MTCNA,MTCWE.MTCTCE | Give karma where due
 
JohnTRIVOLTA
Member Candidate
Posts: 102
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:50 pm

But if I run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on the router without blocking it..
Try for your self.
OK, try this :
ip fi fi add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
 
wispmikrotik
newbie
Posts: 32
Joined: Tue Apr 25, 2017 10:43 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 2:59 pm

We have discovered a new RouterOS vulnerability affecting all RouterOS versions since v6.29.

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.

Versions affected: 6.29 to 6.43rc3 (included). Updated versions in all release chains coming ASAP.

Am I affected? Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected and upgrade + change password + add firewall. The log may show an unsuccessful login attempt, followed by a successful login attempt from unknown IP addresses.

What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router for any services, not just Winbox. We suggest this become common practice. As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.

What to expect in the coming hours/days: Updated RouterOS versions coming ASAP. RouterOS user database security will be hardened, and deciphering will no longer be possible in the same manner.

EXAMPLE how to protect yourself:

Screen Shot 2018-04-23 at 13.01.48.png
Change:
We have discovered a new RouterOS vulnerability affecting all RouterOS versions since v6.29.
By:
We have discovered, thanks to our customers, a new RouterOS vulnerability that affects all versions of RouterOS since v6.29.

Do you have a problem with the ssh daemon?
import to store: 1
STORE /nova/store/ssh-forwarding: openIdx failed: 2 No such file or directory
password:
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:02 pm

On the other hand, when you are the one that set the password and you can't log in to your own router, even though you could just reset to defaults or Netinstall to fix it, it's sometimes nice to be able to recover it so that the question of "what on EARTH could I have possibly set the password to?" doesn't constantly nag you. :lol:
Remember that normis has told us time after time that it is not possible to recover a password from a MikroTik device, you would have to reset and netinstall it.
Was that really true? Or is what is now called a "vulnerability" in fact really a backdoor to retrieve the passwords from a seized device?
It is a bit too obvious that you can download the user database, something you normally cannot even do from winbox as an authenticated user, over the winbox port, without being authenticated.
Even with the later versions of ROS, you can download a backup, restore it on a virtual machine running the same software version, downgrade to an earlier software version, take a new backup and feed that to the reverse engineering tool which will spew out the passwords for every user in the database.
This has been known for quite a few years. In part it is why they implemented the restore password, but if you downgrade to a version which does not require a password for the backup you're all set for recovery.
It would mean that you need to have access to the device, but with bugs like this one, that could become very trivial in the near future
 
ivicask
Member Candidate
Posts: 167
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:03 pm

But if I run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on the router without blocking it..
Try for your self.
OK, try this :
ip fi fi add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
Actually I just realized it does work well in theory, but this site alternates IP addresses, so it took me 3-4 runs to block all 3 IPs and now it returns zero ports and blocks it properly.

But then what's the point of this? I ran it 3 times and got all my ports listed 3 times before MikroTik blocked it; the "attacker" already has all it needs.
 
JohnTRIVOLTA
Member Candidate
Posts: 102
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:12 pm

But then what's the point of this? I ran it 3 times and got all my ports listed 3 times before MikroTik blocked it; the "attacker" already has all it needs.
Scan this 93.155.148.98 - my IP address and tell me the open ports please!
 
ivicask
Member Candidate
Member Candidate
Posts: 167
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:17 pm

But that's the point of this: I ran it 3 times and got all my ports listed 3 times before MikroTik blocked it; the "attacker" already has all it needs.
Scan this 93.155.148.98 - my IP address and tell me the open ports please!
It shows none now, but is this site already on your block list? Try clearing the blocked IP list before running it. Also, for a test, actually open some port like 80; I have that one open and it shows as open when I run this scan 3 times, and the firewall rule catches 3 different IP addresses from this site's scanner. After that it blocks the scan and shows all ports CLOSED.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4207
Joined: Mon Jun 08, 2015 12:09 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:18 pm

Even with the later versions of ROS, you can download a backup, restore it on a virtual machine running the same software version
As a user without insight into the internals, you can download a backup only from a router when you know the password already, right?
What is happening here is downloading files from a router without the password. Over a port that normally doesn't even allow downloading those files.
I find it hard to believe that this is simply "a bug". There must be base functionality of downloading, and the bug is only that it can be done without authentication.
But the downloading functionality shouldn't even be there in the first place, in the model of "we keep all internals secret and the user can only use the config interfaces and API".
To me, it sounds more like a debugging feature accidentally left enabled, or a requirement from law enforcement they are not allowed to tell us about.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:19 pm

It is a bug though, very specific check was broken for a very specific feature.
I don't want to give ideas to other people, as the fixed versions are not out yet, and it will take a while until most people upgrade.
This is why I don't want to give too many details away.
No answer to your question? How to write posts
 
anav
Member
Member
Posts: 398
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:26 pm

Concur this is a serious issue and glad MikroTik is addressing it promptly. However it appears (not 100% sure) that the failure by an admin to ensure WINBOX is not accessible from the outside is what allows this exploit to be used. Most experienced admins would use a VPN to access the router and then muck about. It would be folks like me, ordinary users, or perhaps lazy admins that would attempt to use Winbox to gain remote access. My own personal feelings on the matter are that we should be using rolling code devices with Winbox for external access (home owner) and you experienced chaps can use VPN. ;-) I only intend to use WINBOX internally in the current scheme.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:28 pm

Concur this is a serious issue and glad MikroTik is addressing it promptly. However it appears (not 100% sure) that the failure by an admin to ensure WINBOX is not accessible from the outside is what allows this exploit to be used. Most experienced admins would use a VPN to access the router and then muck about. It would be folks like me, ordinary users, or perhaps lazy admins that would attempt to use Winbox to gain remote access. My own personal feelings on the matter are that we should be using rolling code devices with Winbox for external access (home owner) and you experienced chaps can use VPN. ;-) I only intend to use WINBOX internally in the current scheme.
You are right. RouterBOARD devices come with a default configuration that is immune to this kind of attack. The vulnerability can only be exploited if you specifically opened Winbox to untrusted networks.
No answer to your question? How to write posts
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:30 pm

Even with the later versions of ROS, you can download a backup, restore it on a virtual machine running the same software version
As a user without insight into the internals, you can download a backup only from a router when you know the password already, right?
What is happening here is downloading files from a router without the password. Over a port that normally doesn't even allow downloading those files.
I find it hard to believe that this is simply "a bug". There must be base functionality of downloading, and the bug is only that it can be done without authentication.
But the downloading functionality shouldn't even be there in the first place, in the model of "we keep all internals secret and the user can only use the config interfaces and API".
To me, it sounds more like a debugging feature accidentally left enabled, or a requirement from law enforcement they are not allowed to tell us about.
That is indeed with having access to the router, but as I said, "with bugs like this one, that could become very trivial in the near future".
 
squeeze
Member Candidate
Member Candidate
Posts: 106
Joined: Thu Mar 22, 2018 7:53 pm

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:31 pm

What is happening here is downloading files from a router without the password. Over a port that normally doesn't even allow downloading those files.
I find it hard to believe that this is simply "a bug". There must be base functionality of downloading, and the bug is only that it can be done without authentication.
But the downloading functionality shouldn't even be there in the first place, in the model of "we keep all internals secret and the user can only use the config interfaces and API".
To me, it sounds more like a debugging feature accidentally left enabled, or a requirement from law enforcement they are not allowed to tell us about.

Don't attribute to malice what can be easily explained by incompetence. Even a basic buffer overflow or injection bug can allow full control of any networked device on the planet remotely. Security is hard.

Also, like normis said, it would be irresponsible for the manufacturer themselves to release further details of the exploit without a fix, especially when they themselves only discovered it from their customers a few days ago (who btw, they have unusually not acknowledged).

The only problem here is a startling lack of defense in depth for security in the very core of RouterOS. The normal security assumption is that outer layers of security can always be penetrated, so further layers need to be present, and are normally even stronger. Instead of a good onion, Mikrotik have a coconut - great outer protection, but once you're in, you're IN.
Last edited by squeeze on Mon Apr 23, 2018 3:34 pm, edited 2 times in total.
 
VipITBE
just joined
Posts: 12
Joined: Tue Apr 02, 2013 10:40 am

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:32 pm

Concur this is a serious issue and glad MikroTik is addressing it promptly. However it appears (not 100% sure) that the failure by an admin to ensure WINBOX is not accessible from the outside is what allows this exploit to be used. Most experienced admins would use a VPN to access the router and then muck about. It would be folks like me, ordinary users, or perhaps lazy admins that would attempt to use Winbox to gain remote access. My own personal feelings on the matter are that we should be using rolling code devices with Winbox for external access (home owner) and you experienced chaps can use VPN. ;-) I only intend to use WINBOX internally in the current scheme.
You are right. RouterBOARD devices come with a default configuration that is immune to this kind of attack. The vulnerability can only be exploited if you specifically opened Winbox to untrusted networks.
Or if you started your config from an old ROS version. Upgrades don't put new firewall rules in place, so if one had an old config that did not include these security measures and just upgraded, they would still be vulnerable.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23069
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Advisory: Vulnerability exploiting the Winbox port

Mon Apr 23, 2018 3:34 pm

That is true, yes.
We have a nice article on how to make your device secure, I suggest everyone read it, as it contains most of the basics:

https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
No answer to your question? How to write posts
