dvm
just joined
Topic Author
Posts: 22
Joined: Thu Feb 01, 2018 9:54 am

VPNFilter malware

Wed May 23, 2018 6:03 pm

https://blog.talosintelligence.com/2018 ... ilter.html
While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.
Comments from MikroTik?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: VPNFilter malware

Wed May 23, 2018 6:12 pm

 
NickOlsen
Member Candidate
Posts: 131
Joined: Wed Feb 13, 2008 9:30 pm

Re: VPNFilter malware

Wed May 23, 2018 8:07 pm

MRZ, I assume you're indicating this vulnerability was patched in 6.38.5? Can you confirm?
 
mbaute
newbie
Posts: 30
Joined: Fri May 22, 2015 3:54 pm

Re: VPNFilter malware

Thu May 24, 2018 12:52 am

This thread was locked a couple of months ago, but what dvm links is from hours ago. Are you positively sure that we're talking about the same threat?
 
aidan
newbie
Posts: 29
Joined: Thu Jun 25, 2015 12:48 am

Re: VPNFilter malware

Thu May 24, 2018 1:12 am

MRZ, I assume you're indicating this vulnerability was patched in 6.38.5? Can you confirm?

The Talos blog indicates they reached out to Mikrotik about the problem, so I'm confident that mrz would be aware of any and all developments related to this exploit.
 
TyBermea
newbie
Posts: 29
Joined: Mon Nov 02, 2015 3:18 am

Re: VPNFilter malware

Thu May 24, 2018 4:45 am

 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNFilter malware [SOLVED]

Thu May 24, 2018 8:40 am

Cisco informed us on May 22nd, 2018 that a malicious tool was found on devices from several manufacturers, including three devices made by MikroTik. We are highly certain that this malware was installed on these devices through a vulnerability in MikroTik RouterOS software, which was already patched by MikroTik in March 2017. Simply upgrading RouterOS software deletes the malware and any other 3rd-party files and closes the vulnerability. Let us know if you need more details. Upgrading RouterOS is done with a few clicks and takes only a minute.

To be safe against any kinds of attacks, make sure you secure access to your devices:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Statement discussion topic:
viewtopic.php?f=21&t=134776
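The upgrade described in the statement above, typed at the RouterOS command line instead of clicked in Winbox, followed by the checks a practitioner would want once the router is back up. This is an added example, not MikroTik's text and not a command sequence from this thread; it assumes a RouterOS 6.x router that can reach its update channel, and the comments on what to look for are the editor's, not MikroTik's.

```routeros
# Added example (RouterOS 6.x CLI): check the running version, upgrade, verify afterwards.

# 1. What is running now? Compare the "version" line against the fix releases named in
#    this thread (6.38.5 from March 2017, 6.40.8 from April 2018).
/system resource print

# 2. Fetch the package list from the configured channel and install the newest release.
#    "install" downloads the packages and reboots the router.
/system package update check-for-updates
/system package update install

# 3. After the reboot: confirm the version changed, then look for anything that does not
#    belong. The statement above says the upgrade removes the malware's files; it does not
#    reset the configuration, so anything an attacker changed in config survives it.
/system resource print
/file print                 # files you did not upload yourself
/system script print        # scripts you did not write
/system scheduler print     # scheduler entries that would re-run such scripts
/user print                 # accounts you did not create
/ip socks print             # SOCKS proxy: enabled=no unless you use it
/ip proxy print             # web proxy: likewise
/ip service print           # which services listen, on which ports, from which addresses
```

If step 3 turns up scripts, scheduler entries or users you cannot account for, treat the configuration as attacker-controlled rather than cleaning it item by item: export it for the record, then rebuild from a known-good config.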
 
kazoo106
just joined
Posts: 8
Joined: Tue Sep 06, 2016 11:30 pm

Re: VPNFilter malware

Thu May 24, 2018 7:28 pm

We have a CCR 1036 running 6.40.5 - and has been for some months
Today we got an abuse report for this router
So clearly there is a problem at least up to 6.40.5
Can Mikrotik please respond here?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: VPNFilter malware

Thu May 24, 2018 7:55 pm

We have a CCR 1036 running 6.40.5 - and has been for some months
Today we got an abuse report for this router
So clearly there is a problem at least up to 6.40.5
Can Mikrotik please respond here?

Yes, that is to be expected, there was a vulnerability locked down in 6.40.8

"What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;"
 
pwuk
Frequent Visitor
Posts: 51
Joined: Wed Aug 01, 2012 8:51 pm

Re: VPNFilter malware

Thu May 24, 2018 9:33 pm

Yes, that is to be expected, there was a vulnerability locked down in 6.40.8

"What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;"
I wonder how that worked, and what "unsecured" means.

As a rule I tend to have the following config
/ip firewall filter
# input chain: traffic addressed to the router itself
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
# anything else arriving on the WAN interface is dropped
add action=drop chain=input in-interface=wan-interface

/tool mac-server
# MAC-telnet: disable the default "all interfaces" entry, allow only the LAN bridges
set [ find default=yes ] disabled=yes
add interface=lan-bridge-1
add interface=lan-bridge-2
/tool mac-server mac-winbox
# MAC-Winbox: same treatment, never reachable from the WAN
set [ find default=yes ] disabled=yes
add interface=lan-bridge-1
add interface=lan-bridge-2
Then add extra input rules if needed (e.g. allow ssh on the wan port from a given management address-list), which I believe secures things enough not to be a major concern if I can't keep a given router up to date (I've got some in horrendous places that are 3 days' travel away at best, and I really don't like risking bricking them!)

Of course it only takes 1 infected box internally to bypass that. I've locked down access to only specific management address ranges in the past, but have been burnt when I've had routing protocols break, and the only way to get in is to ssh from the next hop, which I neglected to put in the config. I wonder if an "allow TTL=254 on wan" rule would do the trick as a template.

With those precautions, the risk from zero-day exploits is significantly minimized.
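An added example, not pwuk's configuration and not taken from the MikroTik wiki page linked in the statement above, showing the two things the post leaves as "extra rules": a management address list that is accepted on the input chain before the WAN drop, and the IP services pinned to that list so that an infected LAN host is no better placed than an Internet host. The mac-server settings from the post above are kept as they are. The interface name wan-interface, the 192.0.2.0/24 management range and the RouterOS 6.x syntax are assumptions; on 6.41 and later, `/tool mac-server` and neighbor discovery are configured with interface lists instead of per-interface entries.

```routeros
# Added example (RouterOS 6.x CLI): management only from a named address list,
# and the IP services restricted to that list. Assumed names: wan-interface,
# 192.0.2.0/24 as the admin range.

/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="admin workstations"

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop   connection-state=invalid
add chain=input action=accept protocol=icmp
# management from the list, whichever interface it arrives on (this is the
# "allow ssh on the wan port from a management address-list" rule)
add chain=input action=accept src-address-list=mgmt
# the WAN drop stays last; LAN hosts still reach DNS/DHCP on the router
add chain=input action=drop   in-interface=wan-interface

/ip service
# disable what is not used; what remains answers the management range only,
# so a compromised LAN host outside that range cannot reach winbox or ssh
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.0.2.0/24
set winbox address=192.0.2.0/24

# neighbor discovery announces the router to everyone on the WAN segment
/ip neighbor discovery set wan-interface discover=no
```

`add` appends to the end of the chain, so on a router that already has input rules verify with `/ip firewall filter print` that the accept rules sit above the WAN drop, or use `place-before=` when adding them. Restricting the services by address is what protects against the "one infected box internally" case: the firewall's LAN side stays open for DNS and DHCP, but Winbox and SSH no longer answer hosts outside the list at all.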
