normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Security announcement blog

Thu Jul 26, 2018 8:04 am

We have made a blog, where we will publish the most important announcements regarding security and other topics.
Bookmark this link for Security related news:

https://blog.mikrotik.com/security/

Here is the RSS feed link:
https://blog.mikrotik.com/rss/?cat=security
No answer to your question? How to write posts
 
jarda
Forum Guru
Posts: 7472
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Thu Jul 26, 2018 9:56 am

Very good idea. Thank you for that.
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Jul 26, 2018 10:22 am

Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Thu Jul 26, 2018 11:16 am

> Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Jul 26, 2018 11:37 am

Yes, now it works OK
 
R1CH
Long time Member
Posts: 639
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Thu Jul 26, 2018 1:21 pm

Is there a way to sign up for email announcements of new articles too?
 
amt
Member
Posts: 402
Joined: Fri Jan 16, 2015 2:05 pm

Re: Security announcement blog

Thu Jul 26, 2018 3:40 pm

> Is there a way to sign up for email announcements of new articles too?
+1
 
nichky
Member
Posts: 385
Joined: Tue Jun 23, 2015 2:35 pm

Re: Security announcement blog

Thu Jul 26, 2018 11:48 pm

That works
FxUxRx
Struga/Macedonia
 
DummyPLUG
newbie
Posts: 35
Joined: Wed Jan 03, 2018 10:17 am

Re: Security announcement blog

Fri Jul 27, 2018 2:35 pm

> Is there a way to sign up for email announcements of new articles too?
+1
RSS is good, but will be nice to have some mailing list for security announcement and firmware update
 
jarda
Forum Guru
Posts: 7472
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Fri Jul 27, 2018 3:00 pm

It also depends on when new articles will be published there, if half of year after the security incident or when. In such case there is no need to send email notifications.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Fri Jul 27, 2018 3:10 pm

Did we publish forum posts half year after discovered issues? Jarda, what are you talking about.
Also, there are numerous IFTTT recipes to do things when RSS gets a new article: https://ifttt.com/applets/YnbGBZDy-send ... s?term=rss
You can even have your Hue lights flash red :)
 
vecernik87
Member Candidate
Posts: 183
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Fri Jul 27, 2018 3:23 pm

I received email (urgent security advisory) for the web port vulnerability because I have a user account on mikrotik homepage. As far as I know, the winbox port vulnerability didn't get similar warning email. However, I received email about newly released 6.42.1 and 6.40.8 which fixed this vulnerability (and it was clearly stated in changelog) so everyone who reads these emails should know about it instantly.

@normis: I am sure Jarda is referring to the web port issue. Despite the fact it was fixed during March 2017, there was not much coverage, so even year after, massive amount of devices was vulnerable. Due to that, it makes sense to send email (despite the fact it is already too late) once the vulnerability gets misused extensively.
Personally, I perceive it as a Mikrotik failure that there was not "urgent security advisory" email about winbox port vulnerability. I am aware that everyone is responsible for their device and I know well that with correctly set up firewall, vulnerability would be protected. However spreading the word (even negative one) is important part of the business and crucial to build trust between manufacturer and customers. I believe many people would appreciate if Mikrotik PR department takes lesson from it and sends the email next time.
Meanwhile, I will hold fingers crossed that it will take loooong time until next vulnerability appears :)
 
jarda
Forum Guru
Posts: 7472
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Fri Jul 27, 2018 4:22 pm

Normis, I am talking about the blog only. Of course I know that the info was published quickly on the forum. But the blog is new now and from this perspective the info already provided there is really old at the moment. Actually I am fine with the forum announcements for such cases, so even though I appreciate the blog, it more or less seems to me that it is a way to duplicate the source of information. Wiki manual page section would work the same too.
Don't beat me for the opinion, maybe it was misunderstood because of its condensed form... My bad. Sorry for that.
 
mrz
MikroTik Support
Posts: 5659
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Security announcement blog

Fri Jul 27, 2018 7:07 pm

Blog didn't exist at all when those vulnerabilities appeared.
 
pukkita
Trainer
Posts: 2964
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Security announcement blog

Sun Jul 29, 2018 12:27 pm

> We have made a blog, where we will publish the most important announcements regarding security and other topics.
> Bookmark this link for Security related news:
>
> https://blog.mikrotik.com/security/
>
> Here is the RSS feed link:
> https://blog.mikrotik.com/rss/?cat=security
Great!!! Killer idea!
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
Hicinko
just joined
Posts: 1
Joined: Tue Jul 31, 2018 2:39 pm

Re: Security announcement blog

Tue Jul 31, 2018 2:42 pm

Thanks for sharing.
 
nz_monkey
Forum Guru
Posts: 1762
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Security announcement blog

Tue Jul 31, 2018 5:06 pm

Thanks Mikrotik guys. This should reduce the amount of panicked calls I get from customers.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
Ixo
just joined
Posts: 22
Joined: Fri Dec 07, 2012 9:43 pm

Re: Security announcement blog

Tue Jul 31, 2018 9:33 pm

I am furious angry!
My router had admin disabled and most of the services such as SSH/Telnet etc. The username I used was a long name and the password had 16 chars. I had a proper configuration on firewall, lots of scripts etc. YET...
Today I went on Google and got the CAPTCHA. I knew right of the bat that something is not good.

Logged to Mikrotik. First I spotted that most of FW rules were gone, then SOCKS enabled! Scripts are gone except some mikrotik.php thing. First thing... plug out internet cable.

After panic was over, went on LTE Internet to see what is going on. In 2 minutes I find that Mikrotik got compromised. I mean seriously?!

OK I think... many systems have security bugs. In fact this is the first one I have ever had through a Mikrotik. But what made me super angry wasn't that there was a bug but Your replies to people saying "You should keep up to date" or "You should check our announcements" --EOT.

If the issue is there since April and you have my bloody email as I am registered on this forum, why I have not received an email saying "We have found a security vulnerability, so please update your Router OS immediately"? Seriously, why? I mean my IP worked as free SOCKS tunnel for god knows how long and god knows what went through it.

I just don't login to a router OS every day to check if everything is fine. You should not expect people to do that, you should not expect people to keep the router OS up to date (for many reasons e.g. the RouterBoard sits on the mast high up in the mountains and you simply don't do upgrade unless you are physically there in case of something goes wrong), you should not expect people to look at your BLOG all of the time. It should be on your cards to let your customers know about such events.

EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
 
jarda
Forum Guru
Posts: 7472
Joined: Mon Oct 22, 2012 4:46 pm

Re: Security announcement blog

Tue Jul 31, 2018 10:13 pm

That's effective idea. All registered users (anywhere in the mikrotik, not only on the forum...) should receive a notification in such emergency case! Otherwise the blog is nothing more than a post in the right section of the forum...
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 8:44 am

I'm sorry you have not received that email, because we did send it on March 30, with specifically the content you asked for.
> EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
Please clarify what you mean by that.
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Aug 01, 2018 10:45 am

People apparently like to get a mail message (a push mechanism) instead of using RSS (a pull mechanism), but of
course the disadvantage is that a database of mail addresses would have to be kept. Of course MikroTik already
have two databases: the valid users for login on the main webpage (where you can manage licenses etc, and also
used to send the newsletter) and the valid users logging in on the Forum.
Adding a third one just to send security announcements could be a bit overkill when they are already sent to the
other two lists. However,
- I think they are sent only to that webpage list, not to the Forum list
- They should be sent much sooner than was done the first time.

Important security fixes should get the attention of the admins once they are available, not when an exploit is
seen in the wild. Anyway, you will find that now that MikroTik is on the radar of the malvolents, those times
will be very close together anyway.
(there are people who examine security updates to see what exactly was fixed and quickly write exploits for them
to use the time window between release of the updates and installation by the majority of users)
 
vecernik87
Member Candidate
Posts: 183
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Wed Aug 01, 2018 11:22 am

@pe1chl: Great summary! I find myself in total agreement with your post. However, one point might be added:
- emails should be sent EVERY TIME there is serious security issue.
(I am referring to the fact that winbox port vulnerability - end of april - was not emailed)
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 11:24 am

Doesn't that contradict with the other point made?
> there are people who examine security updates to see what exactly was fixed and quickly write exploits for them
> to use the time window between release of the updates and installation by the majority of users
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Aug 01, 2018 11:42 am

I hope you don't mean to suggest "we better keep the updates secret so the hackers don't know about them and don't exploit the vulnerabilities"
because that is not going to work anymore. Especially when there is no auto-update mechanism that would install the update on the majority
of installations before it is analyzed.
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 12:27 pm

Vulnerability confirmed but not fixed sent message, to close or deactivate certain services if those are not secured additional by filtering.

Vulnerability confirmed and fixed, sent message. Go public and publish in blog.

Vulnerability not confirmed send message to a small and closed group to have a look at it, if it is indeed a vulnerability ask advise to have temporary effective filtering/services.

If it is already public communicate that you are investigating it. Message this to all the known users.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 12:36 pm

I know very well that some people are never fully satisfied, but please also try and appreciate the progress in this regard.
MikroTik did send an email to everyone on March 30, MikroTik did use forum/social media also. MikroTik did fix it within a few hours of finding out. There is a changelog now where one version contains more lines than all of the v4 versions had together. There is also a blog now.
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 12:48 pm

I did not get an e-mail.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 12:50 pm

Make sure you have not opted-out in your mikrotik.com account.
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 1:32 pm

I don't have a Mikrotik.com account.

The forum does contain also e-mail addresses and many you can combine it with a GDPR information message to invite also subscribing to security bulletins/messages by creating a Mikrotik account.

I am hesitant when I look at the page.

Allow to use my account from netinstall and winbox I don't see any explanation what this means.

Send me information about MikroTik news this should be clearer if you write Send me the MikroTik newsletter

Add the line that account holders also receive security bulletins. If a GDPR is not yet sent that could be used to inform the current accounts that this is added.

If you want to limit by using accounts put a link close to the general newsletter line that also a security bulletin is available. In the confirmation of creating a account also include the link to the new blog of Mikrotik.
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Wed Aug 01, 2018 2:17 pm

> I know very well that some people are never fully satisfied, but please also try and appreciate the progress in this regard.
Yes it has certainly improved. It is not so long ago that MikroTik denied the existence of vulnerabilities.
I did get a mail, two I think, on my mikrotik.com registered address and the second time it was at a more suitable point in time.
You could consider using the mail address list of the forum (maybe after subtracting the addresses from the site) to send a
one-time mail summarizing the security situation and referring to methods to get uptodate information.
But of course then there still remains a large group of buyers who never registered on the site, never visited the forum,
and have their router out of sight and never updated. Those are going to be difficult to reach.
It could also be considered to add pointers to this information in other places, like product leaflets in the boxes, product
pages on the website, and other places that people who are not aware of issues could accidentally visit.
I understand there is always a balance between making people aware of sales-unfriendly issues like security and keeping
people informed well, but on the other hand a category of prospective users might actually appreciate it when they are well
informed about the necessary maintenance to keep their device safe.
 
R1CH
Long time Member
Posts: 639
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Wed Aug 01, 2018 2:54 pm

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 2:59 pm

If you don't use RSS, you are welcome to use IFTTT service to get an email/call/alert/HUE blink when the RSS gets an update.
 
pukkita
Trainer
Posts: 2964
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Security announcement blog

Wed Aug 01, 2018 3:01 pm

Sure:
Captura de pantalla 2018-08-01 a las 14.00.23.png
 
Chupaka
Forum Guru
Posts: 8039
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Security announcement blog

Wed Aug 01, 2018 3:19 pm

"vulnerability in the www server" and "vulnerability in the winbox server" are different.
Russian-speaking forum: http://forum.mikrotik.by. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.
 
Cha0s
Forum Veteran
Posts: 805
Joined: Tue Oct 11, 2005 4:53 pm

Re: Security announcement blog

Wed Aug 01, 2018 3:46 pm

> I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?
Same here. I only got an e-mail on March 29th about the www vulnerability. Never for the winbox vulnerability.
 
strods
MikroTik Support
Posts: 1334
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 3:59 pm

Winbox vulnerability was solved so fast and updated version was released on the same day so we did send out e-mails about new, patched versions released and did not have separate Winbox vulnerability e-mail. That was discussed in forum (in future, similar information also will be discussed in the blog):

Subject:

MikroTik RouterOS 6.40.8 [bugfix] and 6.42.1 [current]

Part of the message:

We have released new RouterOS versions in bugfix and current channels.
...
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
...

Another example that shows how important is to read changelog. That is why we have tried to upgrade it a little bit after few last releases in order to highlight major fixes and improvements.
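
Added example, not part of the original thread and not MikroTik code: a small Python triage of a release mail like the one quoted above, which parses the "!)" (highlighted) and "*)" (ordinary) changelog entries and ranks them against the services a router actually runs. The function names, the keyword list and every sample entry except the quoted winbox line are assumptions made for illustration; qualifiers such as "unsecured router" are deliberately ignored when ranking.

```python
"""Triage a RouterOS release mail: parse changelog entries and rank them."""
import re
from typing import NamedTuple

# Constructed sample mail. Only the "!) winbox" line is quoted from the post
# above; every other entry is made up for illustration.
SAMPLE_MAIL = """\
We have released new RouterOS versions in bugfix and current channels.
...
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
*) bridge - fixed port state after reboot (constructed entry);
*) www - fixed security issue in example handler (constructed entry);
!) dhcp - changed default lease handling (constructed entry);
...
"""

# "<marker>) <subsystem> - <description>;" where "!" marks a highlighted entry.
ENTRY_RE = re.compile(r"^\s*([!*])\)\s*(.+?)\s+-\s+(.*?);?\s*$")
# Assumed keyword list; extend it to match the wording you see in practice.
SECURITY_RE = re.compile(r"vulnerab|security|exploit|CVE-\d{4}-\d+|gain access", re.I)
RANK = {"urgent": 0, "review": 1, "routine": 2}


class Entry(NamedTuple):
    important: bool   # True when the line starts with "!)"
    subsystem: str    # e.g. "winbox", lower-cased
    text: str         # description without the trailing ";"


def parse_changelog(body):
    """Return every changelog entry found in a mail body, in original order."""
    entries = []
    for line in body.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            marker, subsystem, text = match.groups()
            entries.append(Entry(marker == "!", subsystem.lower(), text))
    return entries


def classify(entry, enabled_services):
    """Rank one entry for a router running `enabled_services`.

    Security wording on a service you run is "urgent" whatever qualifier the
    entry uses; other security wording or a "!)" marker is "review".
    """
    is_security = bool(SECURITY_RE.search(entry.text))
    if is_security and entry.subsystem in enabled_services:
        return "urgent"
    if is_security or entry.important:
        return "review"
    return "routine"


def triage(body, enabled_services):
    """Return (level, entry) pairs, most pressing first, stable within a level."""
    rated = [(classify(e, enabled_services), e) for e in parse_changelog(body)]
    return sorted(rated, key=lambda pair: RANK[pair[0]])


if __name__ == "__main__":
    # Assumed inventory: services this router has enabled.
    for level, entry in triage(SAMPLE_MAIL, {"winbox", "ssh"}):
        print(f"{level:8} {entry.subsystem:8} {entry.text}")
```
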
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Wed Aug 01, 2018 4:01 pm

The point is, we try to improve.
Sending out as many emails as we would have to send, takes a very long time. RSS/Twitter is much faster.
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Wed Aug 01, 2018 5:02 pm

And we are pleased that we find a listening ear at the side of Mikrotik and the improvements made. We are pushing to have more security and we are certainly see significant steps and that is beneficiary for both sides.

Communication has room to improve and RSS is something I used a long long time ago and Twitter....I believe I have account but just to claim the name. My twitter experience is on the moment not good because 9 out 10 times I want to see a twitter message it shows that I am rate limited so I end up not seeing the twitter message. This probably due that I connect through a VPN service.

E-mail is old but it aged very well and it gained security and encryption if you want and you can now even chat through it and if someone does not have the APP then it display in your e-mail program.

Back to security e-mails. If you are afraid that it takes long to get hundreds of thousands ;-) of e-mails out then you are right. You can also have a mailing service sent out the mails for you and you must allow in your DNS (SPF) that they can do it. If you do it yourself please use BCC when using lists.
 
R1CH
Long time Member
Posts: 639
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Wed Aug 01, 2018 5:03 pm

> !) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
> ...
>
> Another example that shows how important is to read changelog. That is why we have tried to upgrade it a little bit after few last releases in order to highlight major fixes and improvements.
I would actually use this as an example of a bad changelog entry. It was very unclear, an "unsecured router" could mean an empty / weak admin password. My router was perfectly secure - strong admin password, firewalls for everything except the winbox port. If there was a vulnerability in OpenSSH, would you see a Linux distribution with a changelog that said "ssh - fixed vulnerability that allowed access to an insecure server"? No. The blame would be squarely on OpenSSH itself, not the security of the whole system. There are quite a few examples of users on this forum who in fact did see this changelog entry and ignored upgrading because they thought their router wasn't classified as "unsecured". If winbox was never meant to be exposed to untrusted networks, this is not documented anywhere.

Going forward I'm sure we would all appreciate more candid statements regarding security vulnerabilities. Yes, it isn't fun to admit that there's a bug in that allows exploitation, but network admins deserve to know the full details in order to make informed decisions about how and when to upgrade.
 
rua
just joined
Posts: 6
Joined: Fri Aug 01, 2014 8:53 pm
Location: copenhagen, DK

Re: Security announcement blog

Wed Aug 01, 2018 5:49 pm

> I'm sorry you have not received that email, because we did send it on March 30, with specifically the content you asked for.
> > EDIT: Please add newsletter widget to this "BLOG". I don't use RSS feeds.
> Please clarify what you mean by that.
re notifications
i have been on this forum some years - and hurried to sign up for email alerts/announcements.
however - during the years, i have received but a few for news letter announcements - cant say how many, but maybe for every third.
result is that i sign up again several times - well, to be sure :-)

the only security announcement was received was concerning gdpr policy 25th may

i was never introduced to any harmful intrusion, though.

i check daily mikrotik.com for news - but would like to be timely updated, in case i should be absent, or missed it.

thank you
 
Modestas
just joined
Posts: 18
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re: Security announcement blog

Thu Aug 02, 2018 12:44 am

> Doesn't that contradict with the other point made?
> > there are people who examine security updates to see what exactly was fixed and quickly write exploits for them
> > to use the time window between release of the updates and installation by the majority of users
It would take certain time to reverse-engineer update and prepare new exploit. Maybe significant time.
I have no doubt that some fancy bears are following this forum and would love to get security bulletins into email. But I think timely alerting regular customers would outweigh such risk. Customers will be aware of risks and perhaps will be able to patch known holes.
I would prefer to receive security alerts from vendor arriving sooner than Talos/F5/whatever "sky is falling" articles appear in their social media.

P.S. 2 karma points for the security blog
 
mrz
MikroTik Support
Posts: 5659
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Security announcement blog

Thu Aug 02, 2018 11:46 am

> ...ignored upgrading because they thought their router wasn't classified as "unsecured"...
Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Aug 02, 2018 12:18 pm

> > ...ignored upgrading because they thought their router wasn't classified as "unsecured"...
> Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
That is only the situation after it went wrong. In fact I always configured my equipment like that and carried it forward into MikroTik
equipment configuration, but there could be many users who believe that a service listening on an open port and fitted with authentication
is "secure" too. Unless the attacker knows the password they can't get in, right?

Of course others have become victim of that when there turned out to be bugs in the service handling the request
(remember logging in to systems by entering the username -froot instead of root because -f meant "no need to authenticate this login"?)
and now the general stance is that a service cannot be trusted no matter if it does authentication or not, you need to lock the attackers
out of the service before they attempt authentication.

But as you know, there is a very big group of users of your equipment in countries where there apparently is a market for wireless last mile
internet access, technical development in general is a bit back compared to other countries, but there are bright guys with no money who
don't mind to hack the system to get the access they want. The operators usually have little networking and security knowledge and they
deploy more or less default configurations and/or follow guidelines for setup they find on youtube (before consulting your own documentation).
These networks are hacked all the time because the security mechanisms are not well configured, or simply are not up to the task of
really providing security as opposed to holding back some nosey people who have no real interest in cracking the system.

This is partly because of the availability of vulnerabilities like the last two big ones, partly because of naive approach to security,
and some of that is of course part of the standards that are being used. A system like hotspot really cannot withstand any serious attack,
but it is likely not so easy to do much better.
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 12:51 pm

RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
R1CH
Long time Member
Posts: 639
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security announcement blog

Thu Aug 02, 2018 12:56 pm

> > ...ignored upgrading because they thought their router wasn't classified as "unsecured"...
> Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
So services like OpenVPN and IPsec in Mikrotik are "unsecure" as well? A router that drops all traffic on all interfaces is probably secure, but it also isn't much use to anyone.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security announcement blog

Thu Aug 02, 2018 1:01 pm

"Open to public networks", yes. There is an immediate high risk, unless you implement a good firewall, if you really need to access that OpenVPN server from ANY IP address.
 
pe1chl
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Thu Aug 02, 2018 2:07 pm

For road warrior VPN, it usually is not practical to have a valid peer address list. So those types of services require even more attention from you (and other developers) to keep them secure.
Of course for VPN between two fixed addresses I always have firewall rules that permit only that traffic.
But e.g. for L2TP/IPsec from mobile users it cannot be done.
(especially as there are no script possibilities in the IPsec peer config where you could run a script when an IPsec peering comes up to allow the traffic from that peer's current address)
 
schadom
Frequent Visitor
Posts: 69
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Security announcement blog

Thu Aug 02, 2018 2:23 pm

> RSS is good, but will be nice to have some mailing list for security announcement and firmware update
+1 for security announcement mailinglist
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Security announcement blog

Thu Aug 02, 2018 2:40 pm

Posted in another thread also and I had the idea after discussion with another member. My ISP will close down my connection when I have a device that misbehaves so why not extend this to the router itself.

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version.

If ignored then after two weeks the router only functions when you are initiating an update. After the update all the functions are restored.
 
Cha0s
Forum Veteran
Posts: 805
Joined: Tue Oct 11, 2005 4:53 pm

Re: Security announcement blog

Thu Aug 02, 2018 3:03 pm

> RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version.
>
> If ignored then after two weeks the router only functions when you are initiating an update. After the update all the functions are restored.
What a terrible idea :shock:
