 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:16 pm

How happy would you be if a Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?

A router is supposed to work 24/7, and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist: to administer the network, upgrade routers, or set up upgrade scripts scheduled for the most convenient time.
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:22 pm

> I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.
>
> The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.

Normis,

Securely? I only have winbox access open to the WAN, and on a different port than the default one.

We could have an upgrade menu where we can choose whether we want the critical (extremely critical, in this case) upgrades done in auto mode. That option can be disabled by default.

This would solve critical vulnerability issues: upgrade, reboot and notify the client. I know that some updates are buggy and we will have problems, but in my opinion I prefer to have an upgrade with some bugs, even if a hotspot/PPPoE server with 5000 clients stops working, than to have the router hacked....

thanks.
 
normis
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:24 pm

> Securely? I only have winbox access open to the WAN, and on a different port than the default one.

So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force-upgrade your device.
Also, how could we upgrade it if you have a firewall?
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:32 pm

> How happy would you be if a Tesla suddenly rebooted and tried to upgrade in the middle of a slippery mountain road with a lot of dangerous turns?
>
> A router is supposed to work 24/7, and it is not possible to guess what would be a convenient time for each customer to upgrade and have network downtime.
> That is why network administrators exist: to administer the network, upgrade routers, or set up upgrade scripts scheduled for the most convenient time.

A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car.... What do you think?

A simple menu where you can choose whether you want to do the critical updates and reboot is enough for that; network admins do whatever they think is better, but end customers should be protected. MikroTik sells thousands of units to end customers, not only to companies.

Anyway, this conversation will not help in the future; a new feature suggestion will do the work.

Thanks for your comments, guys :)
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:38 pm

> > Securely? I only have winbox access open to the WAN, and on a different port than the default one.
>
> So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force-upgrade your device.
> Also, how could we upgrade it if you have a firewall?

That's why I have chosen MikroTik since 2001: to use it without worries. I am not a sysadmin; I just show clients and friends the best affordable equipment on the market with the best software to manage it, and I'm happy to have MikroTik.

Firewall rules can be changed if there is an upgrade menu :)
 
normis
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:47 pm

You can already do it.

In the system scheduler, add a new entry that runs this every 24 hours, or whenever you like:
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade
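As an added example (not from normis's post or MikroTik's documentation), the scheduler entry that wraps the script above so the administrator chooses the time; the script name `auto-upgrade` and the 03:30 slot are assumptions:

```routeros
# Added example: run the upgrade check from a scheduler entry at a time the
# administrator picks. The script name and the 03:30 window are assumed.
# The "reboot" policy is needed because "install" reboots the router.
/system script add name=auto-upgrade policy=read,write,policy,test,reboot \
    source="/system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 1s\r\
    \n:if ([get status] = \"New version is available\") do={\r\
    \n    :log warning (\"auto-upgrade: installing \" . [get latest-version])\r\
    \n    install\r\
    \n} else={ :log info (\"auto-upgrade: \" . [get status]) }"
# Daily run; change start-time to this site's maintenance window, or
# disable the entry to keep upgrades fully manual.
/system scheduler add name=auto-upgrade start-time=03:30 interval=1d \
    on-event=auto-upgrade policy=read,write,policy,test,reboot
# Check which channel the router follows first: "install" takes whatever
# that channel currently offers.
/system package update print
```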
 
Cha0s
Forum Guru
Posts: 1021
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 4:37 pm

> A Tesla car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car.... What do you think?

I think that I wouldn't want my 160.000€ car to stop whenever it feels like it should update itself, while I am in a rush to get my pregnant wife or my hurt child to the hospital.
 
OhJeez
just joined
Posts: 4
Joined: Sun Apr 09, 2017 9:31 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 5:57 am

Automatic upgrade should be the default and is quickly becoming best practice.
 
normis
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 9:25 am

See the configuration lines above. It can't be the default, because I don't know at what time you don't need any internet.
 
eddieb
Member Candidate
Posts: 176
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 9:43 am

NEVER make updates automatic!
We want to control the moment of updating and rebooting devices.
The way it is done now is sufficient; announcements through mailing and on this forum are fine.
Running 6.47.2 (stable) on :
CCR1009-8G-1S (2x ipsec/l2tp site-to-site, ipsec/l2tp roadwarrior, dhcpd, dns), CRS125-24G-1S, RB1100, RB962UiGS-5HacT2HnT (10pc), RB931-2nD, RB951, RB750GL ,RB2011UAS-RM, RB750Gr3 running dude
 
sid5632
Member
Posts: 420
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 18, 2018 8:29 pm

> Automatic upgrade should be the default

No, it should not.

> and is quickly becoming best practice.

Only if you're using the Micro$oft definition of 'best', which really means worst.
Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
 
Karas
just joined
Posts: 9
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 9:52 am

> > Automatic upgrade should be the default
>
> No, it should not.
>
> > and is quickly becoming best practice.
>
> Only if you're using the Micro$oft definition of 'best', which really means worst.
> Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.

I think it's unfair to call MikroTik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:
Seriously though, I agree: it should be up to the network admin to decide when updates should take place, not rely on someone else to decide when the network will go offline.
Especially when some releases have come out buggy at times, which is why it's often better to wait a couple of days for forum/community feedback and/or test the release yourself before implementing.

@OhJeez - try controlling a network with hundreds of MikroTik devices on it, and have someone else decide when upgrades should take place instead of you.
And then have the upgrade be to a buggy release.
Have fun,
 
Cha0s
Forum Guru
Posts: 1021
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 10:27 am

> I think it's unfair to call MikroTik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol:

I don't think he meant MikroTik but the likes of Microsoft and their stupid forced updates.

Another example is Dropbox. It upgrades whenever it feels like it. No notification, no mention of it anywhere.
It's borderline backdoor/malware behavior.
 
sid5632
Member
Posts: 420
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 19, 2018 8:54 pm

> I don't think he meant MikroTik but the likes of Microsoft and their stupid forced updates.

It is indeed Micro$oft I meant.
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:07 am

Even your "beloved" Microsoft does not force reboots. You choose when to reboot the PC.
 
andriys
Forum Guru
Posts: 1354
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:16 am

> Even your "beloved" Microsoft does not force reboots.

In Windows 10 it does, actually.
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 11:18 am

No it does not, unless you scheduled automatic restarts.
 
karlisi
Member
Posts: 327
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 12:41 pm

In some cases Windows 10 forces the user to restart the computer, not letting them do anything else. It's almost the same, except if the user wants to sit and look at something like "You must restart your computer to finish important update" forever.
It's off-topic, imho. MikroTik should not change upgrades to automatic by default, period. But if the upgrade process checked firewall rules for unsafe entries on every upgrade, and warned the user afterwards (in the log, on the terminal, or in a dialog box like after a config reset), it would be helpful for inexperienced users.
---
Karlis
 
andriys
Forum Guru
Posts: 1354
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 12:58 pm

> No it does not, unless you scheduled automatic restarts.

It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force an automatic reboot sometime outside of a (somewhat) configurable "activity period". You can configure this activity period (with limitations), but that's it. Nothing else can be changed/configured unless you are using the Pro or Enterprise edition, and even then you need to know how to use the policy editor and which policy to tweak in order to prevent automatic updates from happening without user consent.
 
mrz
MikroTik Support
Posts: 6107
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 1:40 pm

> would check firewall rules for unsafe entries on every upgrade

What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
 
karlisi
Member
Posts: 327
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 2:34 pm

> > would check firewall rules for unsafe entries on every upgrade
>
> What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?

Everything outside the default protection rules. It should be only a warning, nothing else.
---
Karlis
 
Cha0s
Forum Guru
Posts: 1021
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 2:46 pm

> Everything outside the default protection rules. It should be only a warning, nothing else.

So, everyone else who does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
 
mkx
Forum Guru
Posts: 4593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:14 pm

> > Everything outside the default protection rules. It should be only a warning, nothing else.
>
> So, everyone else who does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?

No, not everybody. Only those who care enough to check their router from time to time. Those who don't care even to upgrade ancient unsafe ROS versions won't be bothered by it.

I find red-coloured log entry about CPU not running at default frequency (even if downclocked so it should be harmless to hardware) annoying as well, but I have to live with it.
BR,
Metod
 
Cha0s
Forum Guru
Posts: 1021
Joined: Tue Oct 11, 2005 4:53 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:23 pm

So, we, professional users of ROS who use it every day, should have to get stupid warnings because of dummy users who mess up their firewall and never even bother to log in to their routers ever again.

Who exactly will this message be for then?

Please. Stop trying to convert RouterOS to a 'DummyOS'. If you need wizards, bells and whistles to the likes of Netgear and D-Link, then by all means. Get a D-Link.

RouterOS is a system for power users and professionals. Not for dummy users.

Do you expect Cisco to put in warnings and auto-update features? You know that when you pay thousands of dollars for a Cisco, you have to know what you are doing to use it. You don't expect Cisco to babysit you in case you mess up your configuration.

Why should RouterOS be any different? Because it's cheap?
 
mkx
Forum Guru
Forum Guru
Posts: 4593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 20, 2018 3:27 pm

> So, we, professional users of ROS, ...

See how your own position is skewing your point of view? :wink:

Seriously: even being myself a "home user" by all standards I'm with you on this.
BR,
Metod
 
WestTexas
just joined
Posts: 6
Joined: Sun Apr 01, 2018 4:31 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 9:09 am

I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but it is ignored when the router reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions, including 6.42.3.
I have also reset the configuration, then tried the new firmware. It still fails to take the new firmware.

Any suggestions?
 
mkx
Forum Guru
Posts: 4593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 10:24 am

Verify that the uploaded npk file is intended for the correct platform.

Check the list of installed packages. If there's a package listed more than once, the upgrade won't succeed and the only remedy is to perform a netinstall.
BR,
Metod
 
WestTexas
just joined
Posts: 6
Joined: Sun Apr 01, 2018 4:31 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 5:43 pm

Thanks mkx
It's the right version, and has been placed on several unaffected routers and installed normally.
No errors, just shows 'router rebooted' in the log and the file remains.
 
mkx
Forum Guru
Posts: 4593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 6:07 pm

There are two wireless packages installed. Try to uninstall wireless-cm2 (this might not be possible if it's part of the bundle).
Other than that, I'd try to upgrade first to 6.40.9 (you might be able to perform that without downloading the package; change the package channel to bugfix only)... that's the last version with the old "master port" configuration. Then upgrade to 6.42.x to have the upgrade process translate "master port" to the new bridge. After that, upgrade to 6.43.2. And don't forget to upgrade the firmware at every step (/system routerboard upgrade).
BR,
Metod
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Sun Sep 30, 2018 8:30 pm

> I have several clients that still have 6.38.5 and were compromised this weekend.
> A new firmware file has been uploaded, but it is ignored when the router reboots. It remains in the file list and the log just shows 'router rebooted'.
> I have tried several firmware versions, including 6.42.3.
> I have also reset the configuration, then tried the new firmware. It still fails to take the new firmware.
>
> Any suggestions?

Hi,

I have faced the same issue; the solution is:

Netinstall all affected devices with 6.43.2, with no default configuration, and configure everything from scratch...

After I discovered a few affected routers, I first turned off all remote access (winbox, telnet...), uploaded the 6.42.3 file and rebooted, but no upgrade was done, so my solution is below, and I got everything working except a few boards where the LTE card stopped working even after the upgrade and reboot. (Had to buy new LTE routers to replace those mini-PCIe cards.)


Best regards
 
Deantwo
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 01, 2018 11:36 am

WestTexas:
In theory, if you can't upgrade the routers at all, just make sure they can't be accessed from untrusted networks. The vulnerability is only an issue if it can be accessed in the first place.
For example make them only accept WinBox connections from your specific public IP range. Or make all routers have a SSTP tunnel for maintenance access.

It is still recommended to upgrade to the newer RouterOS version, but you can at least eliminate the threat of this vulnerability by just improving your firewall to prevent access from untrusted networks.

PS: Be sure to scrub the routers for any mischievous configuration or scripts.
I wish my FTP was FTL.
 
ssbaksa
newbie
Posts: 31
Joined: Tue Oct 20, 2015 10:38 am

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 8:55 am

> Automatic upgrade should be the default and is quickly becoming best practice.

This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
Not everyone has MikroTik in a home or small office environment.
If you like automation, there is what Normis proposed as a script for doing it.

Happy networking,
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:20 am

Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
The script that adds that is of course already available in the router, but it does a lot of other things.
Some users might not be prepared to reset their entire config, but their firewall is not so complicated and it could easily be replaced with the new one.
(Especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec.)

The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
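The replacement pe1chl describes, as an added example (this is not MikroTik's own defconf script): it creates and populates the WAN and LAN interface lists, appends the 6.43-era default filter rules, and only then removes the rules that were there before, so the filter table is never empty. It assumes ether1 is the uplink and `bridge` is the LAN; both names are placeholders to check before running.

```routeros
# Added example, not MikroTik's defconf script: swap the filter table for the
# default rules. Assumes ether1 = uplink and "bridge" = LAN (placeholders).
# Paste as one block (or save as a script) so the :local survives.
{
  :if ([:len [/interface list find name=WAN]] = 0) do={ /interface list add name=WAN }
  :if ([:len [/interface list find name=LAN]] = 0) do={ /interface list add name=LAN }
  :if ([:len [/interface list member find list=WAN interface=ether1]] = 0) do={
    /interface list member add list=WAN interface=ether1 }
  :if ([:len [/interface list member find list=LAN interface=bridge]] = 0) do={
    /interface list member add list=LAN interface=bridge }

  # Remember the existing rules; they keep filtering while the new ones are appended.
  :local old [/ip firewall filter find]

  # input chain: management only from LAN, as in the default configuration
  /ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  /ip firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  /ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  /ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

  # forward chain: IPsec and dst-nat traffic pass without extra rules,
  # everything else new from the WAN is dropped
  /ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  /ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  /ip firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  /ip firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  /ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

  # The new rules are in place; drop the old ones in a single operation.
  :if ([:len $old] > 0) do={ /ip firewall filter remove $old }
}
```

Run it from a LAN-side session or with Safe Mode enabled: once the old rules are gone, the input chain only accepts new management connections from interfaces in the LAN list.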
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:30 am

> > Automatic upgrade should be the default and is quickly becoming best practice.
>
> This is plain stupid!
> I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.

But then you don't understand what "default" means?
Default does not mean it is happening all the time. It is a setting that is automatically made and is useful for many, but can be changed by individual users with different requirements.

I am all for a default automatic upgrade, but it should use a separate release channel so that routers are not blindly following the stable or even long-term channels. We all know that every 6.xx version is immediately followed up with 6.xx.1 and 6.xx.2 to fix major mishaps, and automatic upgrade should not suffer from that, or users will disable it just to have fewer issues.
Automatic upgrade should install a version that is known to be reliable (has been online for at least a month without showstopping issues, with the exception of one well-tested and localized fix for a vulnerability), and its version should only change when major problems have been found, like recently.

It prevents the current situation where there will be 100.000 vulnerable routers on the internet for at least a decade, and we will read those alarming security notices from yet another group who have found yet another exploit every month.

You with your 24/7/365 uptime are of course watching the security situation and acting accordingly. But the average user isn't, and a default automatic upgrade is a good solution for that.
 
normis
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:33 am

pe1chl, do you think this script in a scheduler rule would be a good idea? The scheduler time could be determined by the user (or disabled):
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
We could add this into our iOS/Android application wizard mode.
 
normis
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 11:52 am

> Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
> The script that adds that is of course already available in the router, but it does a lot of other things.
> Some users might not be prepared to reset their entire config, but their firewall is not so complicated and it could easily be replaced with the new one.
> (Especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec.)
>
> The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
> The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.

I think this already exists:

1. upgrade to latest
2. system reset

This will load the new default config, and the user will just need to re-create his PPPoE client.
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Oct 09, 2018 12:32 pm

Normis:
1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
 
briefwum
just joined
Posts: 1
Joined: Sun Oct 07, 2018 10:48 am

Re: Winbox vulnerability: please upgrade

Wed Oct 10, 2018 6:28 pm

Thanks for the link.
 
usmany
Member Candidate
Posts: 144
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 4:47 pm

> > Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
>
> From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.

Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox to v3.18. I have been hacked by an attacker.

What is your take here!
Last edited by usmany on Mon Oct 15, 2018 4:55 pm, edited 2 times in total.
When the world turn back on you, you turn your back on the world...
 
BartoszP
Forum Guru
Posts: 1845
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 4:51 pm

Have you netinstalled?
Real admins use real keyboards.
 
usmany
Member Candidate
Posts: 144
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 4:58 pm

> Have you netinstalled?

Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those two connections, now I cannot connect again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
When the world turn back on you, you turn your back on the world...
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 5:25 pm

> > Have you netinstalled?
>
> Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those two connections, now I cannot connect again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.

You should not allow remote connections to the router admin interface from the entire internet. That is just asking for trouble. The default firewall does not allow that; please do not remove that rule.
 
Karas
just joined
Posts: 9
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 5:52 pm

> > Have you netinstalled?
>
> Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those two connections, now I cannot connect again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.

Just to confirm the (hopefully) obvious: you did use a different password afterwards, right?
And, as pe1chl said, did you block the remote access?
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 11:21 pm

> Normis:
> 1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
> 2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.

+1 for a dedicated release channel for security fixes and an auto-upgrade option menu to enable/disable it.
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 15, 2018 11:28 pm

> > > Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
> >
> > From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
>
> Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and winbox to v3.18. I have been hacked by an attacker.
>
> What is your take here!

Finally someone had the same problems as me lol...

The only way that I had to solve this was:

1- Netinstall
2- Remove default configuration
3- Manually configure everything and voilà!
4- Disable IP services that you will not be using (ftp, telnet....)
(DO NOT USE THE SAME USERNAME/PASSWORD FOR WINBOX)

Already done it on 150+ devices...
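The lockdown that Deantwo (restrict Winbox to your own public range, scrub leftover scripts) and spacemind (step 4 above, fresh credentials) describe, as an added example that is not from the thread. It assumes the WAN and LAN interface lists already exist, and `203.0.113.0/24` and `netadmin` are placeholders for the administrator's own public range and new account name:

```routeros
# Added example, not from the thread: management lockdown after a clean
# netinstall. Assumes WAN/LAN interface lists exist; 203.0.113.0/24 and
# "netadmin" are placeholders.
# 1. Only winbox and ssh stay enabled, and only from trusted source ranges
#    (LAN subnet plus the administrator's own public range).
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set winbox address=192.168.88.0/24,203.0.113.0/24
/ip service set ssh address=192.168.88.0/24,203.0.113.0/24
/ip ssh set strong-crypto=yes
# 2. Layer-2 management helpers and neighbour discovery answer only on the LAN.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
/tool bandwidth-server set enabled=no
/ip neighbor discovery-settings set discover-interface-list=LAN
# 3. Services an intruder could leave running: make sure they are off.
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip dns set allow-remote-requests=no
# 4. Fresh credentials: new full-rights user; log in as that user, then
#    remove the well-known "admin" account.
/user add name=netadmin group=full password="CHANGE-ME-before-running"
/user remove admin
# 5. Review by hand on a previously compromised unit before trusting any
#    export from it: scripts, schedulers, users and sessions.
/system script print
/system scheduler print
/user print
/user active print
```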
 
Kraken2k
Frequent Visitor
Posts: 58
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Winbox vulnerability: please upgrade

Mon Oct 22, 2018 12:26 pm

> > Automatic upgrade should be the default and is quickly becoming best practice.
>
> This is plain stupid!
> I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
> Not everyone has MikroTik in a home or small office environment.
> If you like automation, there is what Normis proposed as a script for doing it.
>
> Happy networking,

I think that automatic upgrade could be in the "default configuration": if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two- or three-minute outage during the night hours.
 
ssbaksa
newbie
Posts: 31
Joined: Tue Oct 20, 2015 10:38 am

Re: Winbox vulnerability: please upgrade

Mon Oct 22, 2018 3:06 pm

> > > Automatic upgrade should be the default and is quickly becoming best practice.
> >
> > This is plain stupid!
> > I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
> > Not everyone has MikroTik in a home or small office environment.
> > If you like automation, there is what Normis proposed as a script for doing it.
> >
> > Happy networking,
>
> I think that automatic upgrade could be in the "default configuration": if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.
>
> Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two- or three-minute outage during the night hours.

No, if that ever sees daylight then it should be an "opt-in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

Here, in the country where I am from, all home-based router CPEs belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Oct 22, 2018 3:51 pm

> No, if that ever sees daylight then it should be an "opt-in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
> That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

No, for it to be useful it HAS TO BE enabled by default!
Note that it is not targeted at system engineers/admins.
They can turn off such an option when they (think that they) know better.
But for the average home user a router is a buy-install-and-forget device, and it has to be auto-updating or else it won't ever be updated.
Note that I do not advocate a situation where each router follows the release of every new version.
This auto-update should use a dedicated release channel that is only used to distribute critical fixes or well-tested new versions.
(The latter only to avoid situations where auto-updating systems are forced to make a big version jump in case a critical fix is made.)
 
handlefman
just joined
Posts: 4
Joined: Thu Oct 25, 2018 4:16 pm

Re: Winbox vulnerability: please upgrade

Sat Oct 27, 2018 6:21 pm

Hello Mikrotik Community
I updated the router when I saw the news, but did not update the password. Now I can't hack my router to get access to it; any ideas?

Current firmware version on the hacked router: 6.42.7

Can someone tell me the "white" (public) IP address that is registered on the hacked router for access? (so that I could recreate the test environment for access)


please help me.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Sat Oct 27, 2018 6:50 pm

Just use netinstall to re-install and reset it and use your export or backup (from before it was hacked!) to reconfigure it.
Alternatively just reconfigure it manually.
 
Kraken2k
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Winbox vulnerability: please upgrade

Mon Oct 29, 2018 11:14 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
Not everyone has MikroTik in a home or small office environment.
If you like automation there is what Normis proposed: a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is to "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't be left behind on old vulnerable versions. And these usually don't run critical applications that cannot survive a two- or three-minute outage during the night hours.
No, if that ever sees daylight then it should be an "opt-in" option with a warning sign on the first-connect screen; otherwise it should stay as it is now.
That's my opinion based on 30 years of experience as system engineer/admin. I don't say it lightly.

Here, in the country I am from, all home routers (CPEs) belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa
Just to be sure, I would like to say that by "should be in default configuration" I don't mean "it should be the default value". Yes, the default value (when you erase the configuration) should be "off"; in the "default configuration" (the factory default when you turn on the device for the first time) it imho should be "on".

The reason is simple: if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network - this is the way to partially fix this kind of behavior (as it happens, and you cannot do anything about it). It's a similar thing to the default configuration that forbids logon from the WAN port. If you reset the configuration (which is what we usually do after a RoS/firmware update), the option for autoupdate will be set to "off" and you can configure it yourself as you want.
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Mon Nov 05, 2018 11:00 pm

Hi.

if you just connect the device to network and you don't care about config at all, it become a ticking bomb for the rest of the network

Well... our good old RB532As get no security updates, because MT retired the MIPSLE branch and is not backporting any security updates.
And the latest release (6.33.4) is vulnerable... so we rolled back to 6.27, which is virtually not vulnerable.
We have no chance to filter the WAN side, because the Android WinBox app over a mobile network comes from "random" IPs.
And we have no funds to change the hardware, because they work on a charity basis at some very remote sites.
What to do? Should I blame MT for their ignorance? Or just pray and hope that no vulnerability will be found in the old 6.27?

Best regards: CsXen
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Mon Nov 05, 2018 11:45 pm

With my total respect to MikroTik, let me tell you guys again that your ROS 6.43.4 is still vulnerable, and tonight I was playing with the hacker by closing every single door to access my router. He was kind enough not to directly change my password and kick me out ... He was just playing with some mangle rules and using my gateway to push traffic through to whatever he needs, making my WAN graph full all the time.

Regardless, I locked all IP services and changed the default ports to something far from the original. I created a syslog dedicated to this MikroTik RB2011UiAS where I wanted to see what was going on. Initially, the hacker was using my username to gain access again and to unbind winbox and telnet from the internet IP I had locked them to, rather than keeping them.

I realized that and rapidly deleted all users and created a totally new crazy user with a hard-to-guess password. All of a sudden, while I was still in the MikroTik session, tracing the log I saw him get in again through mac-telnet; he scans what's changed and logs back on from winbox :| "Casper". (While using telnet nothing is logged; it is the first time I've known this!)

After that, I dropped all the ways for him to access the RouterBOARD ... added his MAC address, which appeared in MikroTik's log, to filter rules in "input, forward, output", dropping everything possible in his way ... All of a sudden, after a few minutes, while I was still inside the MikroTik session, the router rebooted and I got kicked out! He did it this time and changed the password; I knew that from the syslog!!!!! It was logged because he rushed to change the password before I could get in and kick him out, and before changing the log location, so I had the chance to read what happened while I was kicked out.

Unfortunately, it seems I have no choice except resetting the router, but I am truly highly disappointed in MikroTik, whose hardware/software I have used personally for almost 14 years without a headache ... With this vulnerability, which is still active, my reliance on MikroTik is 0 and I will be replacing all my companies' firewalls/routers with something more rigid.

Sorry guys but we no longer have trust in your stuff.

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Last edited by caresss on Tue Nov 06, 2018 12:19 am, edited 1 time in total.
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:05 am

Hi.
If you can, try to switch on the packet sniffer, log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.

Best regards: CsXen
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2320
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:08 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have proof? For example, screenshots or something?
LAN, FTTx, Wireless. ISP operator
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:11 am

Hi.
If you can, try to switch on the packet sniffer, log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.

Best regards: CsXen
I will do so when I reset the router in order to gain access back to it ...
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2320
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:11 am

Hi.

if you just connect the device to network and you don't care about config at all, it become a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile network comes from "random" IPs
You can use a VPN for remote access. It's simple, and then the WAN can be easily filtered...
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:13 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have proof? For example, screenshots or something?
I have a full Syslog!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:15 am

Hi.

if you just connect the device to network and you don't care about config at all, it become a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile network comes from "random" IPs
You can use a VPN for remote access. It's simple, and then the WAN can be easily filtered...
I secured the router perfectly, closing every single door! Filtering and blocking the MAC address of the attacker didn't do anything! Where is MikroTik on that?!
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2320
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:18 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have proof? For example, screenshots or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:20 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have proof? For example, screenshots or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
I will mask the users and MAC address and post the log!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:55 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have proof? For example, screenshots or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
Date Time Message Text
#Password changed and I cannot access the router anymore!
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#It seems he rebooted the router and I was unable to log in, as you see from the failure below!
11/5/18 22:38:08 system,error,critical login failure for user NewUserCreated from 192.168.my.ip via winbox
11/5/18 22:37:52 interface,info ether5 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether3 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether1 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether9 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether8 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether7-WAN link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether4 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether2-WAN link up (speed 100M, full duplex)
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
11/5/18 22:36:56 system,info user NewUserCreated changed by NewUserCreated
11/5/18 22:32:56 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:32:10 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:32:08 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:29:55 interface,info ether9 link up (speed 100M, full duplex)
11/5/18 22:29:53 system,info device changed by NewUserCreated
11/5/18 22:29:45 system,info filter rule changed by NewUserCreated
11/5/18 22:29:15 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:29:10 system,info filter rule added by NewUserCreated
11/5/18 22:29:09 system,info filter rule added by NewUserCreated
11/5/18 22:29:07 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:22:47 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:22:21 system,info device changed by NewUserCreated
#This is the interface he was attacking from. I trusted the MikroTik filter more than disabling the interface, BUT he was faster this time to change the new user's password, keeping me out!
11/5/18 22:22:21 interface,info ether9 link down
11/5/18 22:18:01 system,info arp entry changed by NewUserCreated
11/5/18 22:09:11 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:07:22 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:03:30 system,info mangle rule removed by NewUserCreated
11/5/18 22:03:25 system,info mangle rule removed by NewUserCreated
11/5/18 22:00:47 system,info,account user NewUserCreated logged in from 192.168.my.ip via winbox
11/5/18 21:59:49 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
#This shows that I lost hope with everything and had no other choice than adding filter rules to block his MAC address in input, forward, output! BUT nothing worked!
11/5/18 21:59:15 system,info filter rule added by NewUserCreated
11/5/18 21:59:03 system,info filter rule added by NewUserCreated
11/5/18 21:58:49 system,info filter rule added by NewUserCreated
#I can't believe it; how come he so rapidly knew the exact newly created user!
11/5/18 21:56:36 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#After I fully cleaned my MikroTik he tried to log in with the old deleted user, as you can see below!
11/5/18 21:55:58 system,error,critical login failure for user OldDeletedUser from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:54:18 system,info address changed by NewUserCreated
11/5/18 21:54:14 system,info address changed by NewUserCreated
11/5/18 21:54:09 system,info address changed by NewUserCreated
11/5/18 21:54:05 system,info address changed by NewUserCreated
11/5/18 21:54:00 system,info address changed by NewUserCreated
11/5/18 21:53:44 system,info address changed by NewUserCreated
11/5/18 21:53:41 system,info address changed by NewUserCreated
11/5/18 21:53:12 system,info address added by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:52:55 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:51:21 system,info nat rule changed by NewUserCreated
11/5/18 21:50:20 system,info address changed by NewUserCreated
11/5/18 21:50:06 system,info route changed by NewUserCreated
11/5/18 21:50:03 system,info route changed by NewUserCreated
11/5/18 21:49:32 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 21:49:14 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 21:47:47 system,info address changed by NewUserCreated
11/5/18 21:46:42 system,info route changed by NewUserCreated
11/5/18 21:44:30 system,info nat rule changed by NewUserCreated
11/5/18 21:44:29 system,info nat rule changed by NewUserCreated
11/5/18 21:43:13 system,info nat rule changed by NewUserCreated

I masked his MAC and some IPs ... after his last mac-telnet login, logging stopped and I was no longer able to log in again.
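Reading a log like the one posted above by eye is how the poster worked out what happened; the same triage can be scripted. The Python below is an added example and is not code from the thread or from MikroTik. It runs over constructed lines copied in the format of the syslog excerpt above (date, time, comma-separated topics, message; the masked MAC and IP kept as the poster wrote them) and flags the events the thread turned on: logins over mac-telnet or mac-winbox (which /ip firewall never sees), login failures, account changes, logins from sources outside a trusted set the administrator supplies (an assumption; the log itself cannot say which sources are yours), and a burst of "link up" lines, the sign of a reboot that the poster read the same way.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample, modelled on the format of the remote-syslog excerpt
# posted above (date, time, comma-separated topics, message). The masked
# MAC and IP are kept exactly as the poster wrote them.
SAMPLE_LOG = """\
11/5/18 21:55:58 system,error,critical login failure for user OldDeletedUser from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:56:36 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:58:49 system,info filter rule added by NewUserCreated
11/5/18 22:00:47 system,info,account user NewUserCreated logged in from 192.168.my.ip via winbox
11/5/18 22:36:56 system,info user NewUserCreated changed by NewUserCreated
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
11/5/18 22:37:52 interface,info ether1 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether2-WAN link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether3 link up (speed 1G, full duplex)
11/5/18 22:38:08 system,error,critical login failure for user NewUserCreated from 192.168.my.ip via winbox
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<topics>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged (?P<dir>in|out) from (?P<src>\S+) via (?P<via>\S+)")
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<via>\S+)")
ACCOUNT_RE = re.compile(r"^user (?P<user>\S+) changed by (?P<by>\S+)")
LINKUP_RE = re.compile(r"^\S+ link up")

# Management transports carried in raw Ethernet frames. /ip firewall never
# sees them, so a login over one of these deserves a look whatever the source.
LAYER2_TRANSPORTS = {"mac-telnet", "mac-winbox"}


def parse(log_text: str) -> List[Dict[str, str]]:
    """Split RouterOS log lines into date/time/topics/message fields."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(log_text: str, trusted_sources: Set[str]) -> List[Dict[str, str]]:
    """One finding per suspicious event. trusted_sources is the set of IPs and
    MACs the administrator expects management logins from (assumption supplied
    by the caller; nothing in the log says which sources are yours)."""
    findings: List[Dict[str, str]] = []
    linkups: Counter = Counter()
    for row in parse(log_text):
        ts = f"{row['date']} {row['time']}"
        msg = row["msg"]
        if m := FAIL_RE.search(msg):
            findings.append({"ts": ts, "kind": "login-failure",
                             "detail": f"{m['user']} from {m['src']} via {m['via']}"})
        elif m := LOGIN_RE.search(msg):
            if m["dir"] != "in":
                continue
            if m["via"] in LAYER2_TRANSPORTS:
                findings.append({"ts": ts, "kind": "layer2-login",
                                 "detail": f"{m['user']} from MAC {m['src']} via {m['via']}"})
            if m["src"] not in trusted_sources:
                findings.append({"ts": ts, "kind": "untrusted-source",
                                 "detail": f"{m['user']} from {m['src']} via {m['via']}"})
        elif m := ACCOUNT_RE.search(msg):
            # "user X changed by Y" is what a password or group change looks like.
            findings.append({"ts": ts, "kind": "account-change",
                             "detail": f"account {m['user']} modified by {m['by']}"})
        elif LINKUP_RE.match(msg):
            linkups[ts] += 1
    # Several ports coming up in the same second is how a reboot shows up in
    # this log; the poster drew the same conclusion by eye.
    for ts, n in linkups.items():
        if n >= 3:
            findings.append({"ts": ts, "kind": "possible-reboot",
                             "detail": f"{n} interfaces came up at once"})
    # Timestamps here are same-day, zero-padded HH:MM:SS, so a string sort is
    # chronological; a multi-day log would need real datetime parsing.
    findings.sort(key=lambda f: f["ts"])
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick 'is anything wrong' check."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_sources={"192.168.my.ip"}):
        print(f"{f['ts']}  {f['kind']:<16} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG, {"192.168.my.ip"})))
```

On the sample, with only the poster's own IP trusted, the mac-telnet logins are reported twice (once as layer-2 access, once as an untrusted source), the "user ... changed by" line and both login failures are reported, and the three simultaneous link-up lines are collapsed into one possible-reboot finding. Point it at the output of `/system logging action` sent to a remote syslog host, since the thread shows that logs kept only on the router disappear with the attacker's reboot.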
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 729
Joined: Fri Nov 10, 2017 8:19 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 2:07 am

Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore if there is still some other way to access the file, it means it is still possible to get password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example the following rule won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow diagram and does not go through any chain available in /ip firewall. (However the packet count of such a rule still increases, which is weird...)
The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in running state even if you disconnect the cable from your ethernet port.
Another way to block access to MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from the WAN and whether you had MAC access enabled or disabled on the WAN interface?
 
User avatar
Karas
just joined
Posts: 9
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 9:09 am

I masked his mac and some ips ... after his last mac-telnet and login, logging stopped and I was no longer able to login again.
Um, quick question.
Isn't this hacker on your local network?
All the IPs I'm seeing are local (unless I skipped over something), and logging in via mac-telnet...
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1804
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:02 am

With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done netinstall and added config from scratch?
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
td32
Member Candidate
Member Candidate
Posts: 104
Joined: Fri Nov 18, 2016 5:55 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:41 am

You can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger also.
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
 
nescafe2002
Long time Member
Long time Member
Posts: 689
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:59 am

Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp / bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?

Have you cross-checked with your own machines and ensured it isn't a local device?
 
User avatar
Deantwo
Member
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 11:21 am

Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface list to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I wish my FTP was FTL.
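vecernik87's and Deantwo's posts above make the same point: MAC-Telnet and MAC-WinBox are governed by the allowed-interface-list on /tool mac-server and /tool mac-server mac-winbox, not by /ip firewall, and the thread's victim only saw what the attacker did once logs went to a remote syslog. The Python below is an added example, not code from the thread or from MikroTik. It audits two constructed /export-style fragments, one with the weak settings and one corrected, and is built on assumptions: the RouterOS 6.41+ interface-list syntax, the default-configuration list names LAN and WAN, and `/system logging add action=remote` as the shape of a remote-logging entry. It reports mac-server open on all interfaces (or on a list that contains a WAN port), plaintext management services left enabled, winbox with no address restriction, and the absence of remote logging.

```python
import re
from typing import Dict, List, Set

# Constructed /export-style fragments, assumed to follow the RouterOS 6.41+
# syntax (allowed-interface-list on the mac-server entries) and the
# default-configuration list names LAN and WAN; adjust if yours differ.
LISTS = """\
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
"""
WEAK_EXPORT = LISTS + """\
/ip service
set telnet disabled=no
set ftp disabled=no
set www disabled=no
set winbox address="" disabled=no
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/system logging
add action=memory topics=info
"""
HARDENED_EXPORT = LISTS + """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set winbox address=192.168.88.0/24 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/system logging
add action=remote topics=info
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
PLAINTEXT_SERVICES = {"telnet", "ftp", "www", "api"}
REMOTE_SERVICES = {"winbox", "ssh", "api-ssl", "www-ssl"}


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group 'set'/'add' lines under their section path; a bare first word
    after 'set' (the service name in /ip service) is kept as '_name'."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("set", "add"):
            continue
        entry: Dict[str, str] = {"_verb": verb}
        first = rest.split(" ", 1)[0]
        if "=" not in first:
            entry["_name"] = first
        for key, value in KV_RE.findall(rest):
            entry[key] = value.strip('"')
        sections[current].append(entry)
    return sections


def audit(export_text: str) -> List[str]:
    """One line per weak management-plane setting found in the export."""
    cfg = parse_export(export_text)
    findings: List[str] = []
    # Resolve list membership so allowed-interface-list=<list> can be checked
    # against whatever actually sits in the WAN list.
    members: Dict[str, Set[str]] = {}
    for m in cfg.get("/interface list member", []):
        members.setdefault(m.get("list", ""), set()).add(m.get("interface", ""))
    wan_ifaces = members.get("WAN", set())
    for section in ("/tool mac-server", "/tool mac-server mac-winbox"):
        for e in cfg.get(section, []):
            lst = e.get("allowed-interface-list")
            if lst == "all":
                findings.append(f"{section}: allowed-interface-list=all, layer-2 management reachable on every port")
            elif lst and members.get(lst, set()) & wan_ifaces:
                findings.append(f"{section}: list {lst} includes a WAN interface")
    for e in cfg.get("/ip service", []):
        name = e.get("_name", "")
        enabled = e.get("disabled", "no") != "yes"
        if name in PLAINTEXT_SERVICES and enabled:
            findings.append(f"/ip service {name}: plaintext service enabled")
        if name in REMOTE_SERVICES and enabled and not e.get("address"):
            findings.append(f"/ip service {name}: enabled with no address restriction")
    if not any(e.get("action") == "remote" for e in cfg.get("/system logging", [])):
        findings.append("/system logging: no remote action, so a reboot or wipe takes the evidence with it")
    return findings


if __name__ == "__main__":
    for line in audit(WEAK_EXPORT):
        print("WEAK:", line)
    print("HARDENED:", audit(HARDENED_EXPORT) or "no findings")
```

Run it against the output of `/export` taken over a trusted path. The WAN-membership check is the one Deantwo's `/interface list member` commands address: a mac-server list that merely avoids the literal `all` is still open if the WAN port was added to it.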
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:42 pm

Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore if there is still some other way to access the file, it means it is still possible to get password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example the following rule won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow diagram and does not go through any chain available in /ip firewall. (However the packet count of such a rule still increases, which is weird...)
The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in running state even if you disconnect the cable from your ethernet port.
Another way to block access to MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up whether the attacker was accessing your device from the WAN and whether you had MAC access enabled or disabled on the WAN interface?
Thanks for your time replying with all the above! Yes, I was missing the MAC access setting, and when I wanted to take over and set it to none he trapped me and kicked me out. Anyway, ether9 is the LAN to the ISP for the microwave link with inter-branching! When he realized that I was aware of the situation he started resetting every single router on the ISP side, almost 30 MikroTik APs with ROS versions below 6.40 ...

The story ended with netinstalling the main backbone which he attacked, restoring all the MikroTik APs after he reset them all, and locking everything, even the MAC side, with the latest OS. He wasn't that smart, but it was the OS's fault. Anyway, thank God all is back to normal now after dealing with almost 80 routers and switches. An absolute pain in the neck, and applause for MikroTik over that :))

We were born to learn so every day is a new school day in this new techie era!
Have a calm eve...
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:54 pm

With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done netinstall and added config from scratch?
Unfortunately, it wasn't the 1st time. I was cleaning up after him every time, but he kept getting back in through that mac-telnet and again mac-winbox. Absolutely Casper! Until yesterday, when I decided for the 1st time to install a remote syslog! From that syslog I was able to trace his prints, and started to fight back and clean up all that he did ... The funny thing is that with mac-telnet, whatever you do, the log will not catch it!!! I was expecting to see some commands but nothing! I never knew this :)

A piece of advice: don't take things carelessly, and absolutely install syslog, because it is essential for everything and especially security, which comes 1st.
But I confirm 10000% that I updated the ROS to 6.34.4 and it was absolutely clean, with a totally new user and a very long and complicated password ... It took him seconds to guess the user and log on with it! I was so sure he was out: no scripts, no packet sniffing config, no php file in Files, nothing, absolutely nothing that would let him guess the user. In seconds he guessed it!!! That truly frightened me and I somehow gave up, knowing that whatever I do he will keep coming back. What happened happened, and the lesson was learned.

I believe he sniffed the packets between my latest winbox session and the RouterBOARD. There's still somehow a hidden vulnerability!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:58 pm

Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp / bridge/hosts or switch/hosts after regaining access to check which interface it is connected to?

Have you crossed checked with your own machines and ensured it isn't a local device?
Didn't bother to look! This MAC was another RouterBOARD switch connected to the inter-branching. Probably he NATed the port from a PC or winbox-enabled OS to the machine with this MAC to get a MAC other than the real one! Mysterious :)
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:59 pm

you can change the password all day long but if someone has remote access on you pc most probably has installed a keyloger also
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
No way :) I am a specialist, I use macOS and it is very clean. 0 chance of a keylogger.
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 7:01 pm

Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface list to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y


I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I was far from that location, and when I wanted to act he was faster :) Anyway, thank God things went OK this morning and I rescued everything, after a very difficult and stressful time.

I'll keep you posted guys if anything new will come up regarding this mysterious issue :)
 
msatter
Forum Guru
Forum Guru
Posts: 1872
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 12:49 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners who are angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a Gray Hat Hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.48beta35 / Winbox 3.27 64bits / MikroTik APP 1.3.15
 
User avatar
mozerd
Member
Member
Posts: 449
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 1:35 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners who are angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a Gray Hat Hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
Based on my experience with MikroTik and MOAB, where I have been asked to remotely install the service, many of the router firewalls are misconfigured.
The value proposition that is MikroTik is such that it is very popular because MikroTik is POWERFUL, extensible and inexpensive. Very unfortunately a lot of these configurations are managed by people who have NO idea what they are doing, applying the worst possible firewall disciplines one can imagine --- so it's not at all surprising that a LOT get hacked.

IMO, MikroTik have provided the basic guidelines to effectively secure the router -- but when the undisciplined admin wants to expand on that capability they break the effective security model and get into trouble, enabling the bad guys to invade their territory.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1804
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 2:22 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Can anyone confirm this, or is it just bragging?
Has anyone seen a MT that has gotten an access list added to prevent external access?
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
ognjen
newbie
Posts: 35
Joined: Wed Nov 15, 2017 10:31 am
Location: Serbia

Re: Winbox vulnerability: please upgrade

Mon Dec 24, 2018 10:17 pm

Hello,

after a year I came to a hotel that I once heard as a network engineer and I saw the following:


RouterOS before upgrade 6.40.3.
So.. everyone can be attacker and victim!
Be careful - Upgrade RouterOS!
Be careful with MikroTik Firewall because you can cut the line [yourself - MikroTik] :shock:
 
pe1chl
Forum Guru
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Tue Dec 25, 2018 11:10 am

That is exactly why such advice will not work as long as there is not some form of auto-upgrade...
You get a request from a hotel to install a WiFi, you install and configure equipment up to date at that time, and you leave.
At that point there is not some hotel desk clerk reading the forum every day and acting upon topics like this.
So the router is left unmanaged. Why would you hire expensive service from a network admin to babysit a $100-$200 box?
And risks like this are the result.
So for an installation like that there should be some menu setting that makes it auto-update to some special release channel
that only gets the important and well-tested updates. (you do not want it to track "stable" or even "long-term" and install
a new version every couple of weeks when that is not required to fix problems, as it always induces a risk of failures)
 
User avatar
ognjen
newbie
Posts: 35
Joined: Wed Nov 15, 2017 10:31 am
Location: Serbia

Re: Winbox vulnerability: please upgrade

Tue Dec 25, 2018 10:10 pm

@pe1chl You are right. But, let's look at the problem with wireless in the new update 6.43.8. If I had set up an auto-upgrade, at the time of the upgrade, the entire network would have been stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And link is down :shock: )
I know, superchannel with country is wrong conf.. but auto-upgrade can be dangerous in this example.
Be careful with MikroTik Firewall because you can cut the line [yourself - MikroTik] :shock:
 
deanMKD1
Member
Member
Posts: 361
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia
Contact:

Re: Winbox vulnerability: please upgrade

Wed Dec 26, 2018 2:42 pm

Haven't noticed anything serious in 6.43.4 stable. Winbox port still open.
 
gotsprings
Forum Veteran
Forum Veteran
Posts: 941
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Fri Dec 28, 2018 4:46 am

When Mikrotik got rid of master slave... A BLIND update could really "screw some s__t up" on many configurations. And auto update would have resulted in disastrous results. That's what change logs are for, and why you read them before you hit UPDATE.

An unmanaged device gets hacked after the install???
Well it sucks for the person doing cleanup... Until they realize... "THE UNIT WAS UNMANAGED". If the system was set and forget or on break fix... This is a break... Time to fix.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
User avatar
m4t7e0
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Tue Jun 09, 2015 12:17 am
Contact:

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 1:30 pm

It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 on April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.
Thanks for this information, some of my devices (set up on 18 Dec) with firmware version 6.42.10 had this "attack".
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 1:53 pm

@pe1chl You are right. But, let's look at the problem with wireless in the new update 6.43.8. If I had set up an auto-upgrade, at the time of the upgrade, the entire network would have been stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And link is down :shock: )
I know, superchannel with country is wrong conf.. but auto-upgrade can be dangerous in this example.
So why would your link be down? Clients connect to whatever frequency the SSID has set. And if you indeed have some very special purpose here, why did you set a regulatory country?
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 2:20 pm

So why would your link be down?
I can't speak for his situation, but it is not really uncommon that a link goes down when one side changes frequency, e.g. because that frequency has interference at the other side, is not in the other side's allowed channel list (e.g. it is an outdoor AP that has the proper indoor/outdoor setting), or because the selected frequency has a lower allowed EIRP and thus the power is reduced.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Thu Jan 03, 2019 2:24 pm

He already upgraded the router, which requires a reboot, and the link is down anyway (until it's restored in a minute).
Power is only reduced if an indoor frequency is selected, which should not happen (the frequency list knows outdoor from indoor).
No answer to your question? How to write posts
 
gotsprings
Forum Veteran
Forum Veteran
Posts: 941
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 2:04 pm

I upgraded my router and it stopped working...
Check if the update changed your master-slave settings to bridge. That's the #1 thing I saw taking out routers that upgraded from below 6.40.8 to above it. Fixing the bridges and moving IP/DHCP-Server/Filter-Rules to use the new bridge interface got things going again.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:00 pm

I'm having issues upgrading. It doesn't do it.. check for updates, then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using hAP ac....
 
User avatar
Deantwo
Member
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:04 pm

I'm having issues upgrading. It doesn't do it.. check for updates, then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using hAP ac....
Check the architecture of the router, make sure you are using the correct file.

Need more information to be able to help you. What and how are you updating? From what version to what version? Again how are you doing it?
Last edited by Deantwo on Thu Jan 17, 2019 4:18 pm, edited 1 time in total.
I wish my FTP was FTL.
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:50 pm

I have a hAP ac lite with version 6.42rc24 software; I tried different steps updating it to 6.44beta50:

1. System>Routerboard>upgrade
then manual reboot
2. System>Package>check for updates> current>download&install
it downloads then reboots automatically
3. System>Package>check for updates> release candidate> download and install, then it auto reboots
4. quickset>check for updates>current or release candidate>download and install>auto reboot
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:52 pm

I'm having issues upgrading. It doesn't do it.. check for updates, then select download and install.. it auto reboots but it stays on the old version, not the new one... I'm using hAP ac....
Check the architecture of the router, make sure you are using the correct file.

Need more information to be able to help you. What and how are you updating? From what version to what version? Again how are you doing it?
I have a hAP ac lite with version 6.42rc24 software; I tried different steps updating it to 6.44beta50:

1. System>Routerboard>upgrade
then manual reboot
2. System>Package>check for updates> current>download&install
it downloads then reboots automatically
3. System>Package>check for updates> release candidate> download and install, then it auto reboots
4. quickset>check for updates>current or release candidate>download and install>auto reboot
 
mkx
Forum Guru
Forum Guru
Posts: 4593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 5:55 pm

Anything in log just after reboot?

Did it upgrade to current (6.43.8) in step 2?

Can you post the list of installed packages?
BR,
Metod
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 6:22 pm

Anything in log just after reboot?

Did it upgrade to current (6.43.8) in step 2?

Can you post the list of installed packages?
Screen shot of the logs after reboot
logs.jpg
Nope, it did not upgrade to 6.43.8 or the 6.44beta

Packages installed
packages.jpg
You do not have the required permissions to view the files attached to this post.
 
mkx
Forum Guru
Forum Guru
Posts: 4593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 6:31 pm

The problem is that you somehow ended up with two instances of the hotspot package installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented on the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
BR,
Metod
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 7:32 pm

Thanks.. let me try your suggestion
 
weixvenum
newbie
Posts: 28
Joined: Tue Jan 30, 2018 9:50 am

Re: Winbox vulnerability: please upgrade

Sat Jan 05, 2019 9:33 pm

The problem is that you somehow ended up with two instances of the hotspot package installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented on the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
THANKS a LOT! It worked and it's updated.
 
Darman
just joined
Posts: 3
Joined: Mon Jan 28, 2019 12:27 am

Re: Winbox vulnerability: please upgrade

Mon Jan 28, 2019 11:45 pm

Did somebody notice that after that vulnerability there are thousands of entries in IP-Socks-Access, and when you try to access IP Socks the router gets stuck at 100% CPU, even if IP Socks is disabled?
Is there any chance that Mikrotik makes an upgrade version that will automatically remove those socks access entries?
 
whatever
Member Candidate
Member Candidate
Posts: 163
Joined: Thu Jun 21, 2018 9:29 pm

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 9:36 am

@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
 
Darman
just joined
Posts: 3
Joined: Mon Jan 28, 2019 12:27 am

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 10:24 am

@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
Tnx, I know, but it would be cool if we could do that Socks access entry removal with an update when the routers are miles away...
 
andriys
Forum Guru
Forum Guru
Posts: 1354
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 10:28 am

Darman, how do you think an update will know what socks entries are legitimate and what are not?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8464
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 10:53 am

Darman, how do you think an update will know what socks entries are legitimate and what are not?
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Deantwo
Member
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Jan 29, 2019 1:16 pm

Darman, how do you think an update will know what socks entries are legitimate and what are not?
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
Better idea: if the router is set up incorrectly/insecurely, brick it.

But really, none of that is MikroTik's problem to solve.
It is the technician's responsibility to:
  • Make sure they don't make the router insecure when they remove the default configuration.
  • Make sure they can access the router remotely, and doing so doesn't make it accessible by others. For example through VPN or with an IP whitelist.
  • Make sure they have a plan for how to upgrade routers remotely.
In the worst case scenario you tell the personnel on site to unplug the router until you can reach the location and fix the router directly. And then you promise your boss/customer/whatever that you fixed it and this won't happen again because you are implementing a plan on how to deal with it better from now on.

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
I wish my FTP was FTL.
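One way to put the first two of those points into RouterOS configuration (MAC access scoped to an interface list, a Winbox source allow-list, and an input rule that drops everything else arriving on the WAN). This is an added example, not Deantwo's configuration; the interface names, the `management` list and the documentation-range addresses 192.0.2.10 and 203.0.113.0/24 are assumptions.

```routeros
# Added example (constructed, not from this thread). Assumes ether1 is the uplink,
# "bridge" is the LAN side, and the interface list WAN already exists (as in the default config).
/interface list add name=management
/interface list member add list=management interface=bridge
/interface list member add list=WAN interface=ether1

# MAC-Telnet / MAC-WinBox are not IP protocols, so the IP firewall cannot block them:
# restrict them to the management interface list instead (RouterOS 6.41+ syntax).
/tool mac-server set allowed-interface-list=management
/tool mac-server mac-winbox set allowed-interface-list=management

# Only answer Winbox from known management hosts (placeholder addresses) and
# switch off services that are not in use.
/ip service set winbox address=192.0.2.10/32,203.0.113.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# Input chain: accept return traffic and Winbox from the management hosts,
# then drop everything else that arrives on the WAN list.
/ip firewall address-list add list=management-hosts address=192.0.2.10
/ip firewall address-list add list=management-hosts address=203.0.113.0/24
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="return traffic"
add chain=input action=accept src-address-list=management-hosts protocol=tcp dst-port=8291 comment="winbox from management hosts"
add chain=input action=drop in-interface-list=WAN comment="drop all other input from WAN"
```

Filter rules are appended in order, so on a router that already has rules, check with `/ip firewall filter print` that the accept rules land before any existing blanket drop. Keep a management host on the LAN side or use Safe Mode while applying this, since a wrong address-list entry locks you out.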
 
bawolek
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Thu Mar 29, 2007 3:33 pm
Location: Poland/Wroclaw

Re: Winbox vulnerability: please upgrade

Mon Feb 25, 2019 6:05 pm

 
msatter
Forum Guru
Forum Guru
Posts: 1872
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Feb 25, 2019 6:25 pm

One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.48beta35 / Winbox 3.27 64bits / MikroTik APP 1.3.15
 
bawolek
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Thu Mar 29, 2007 3:33 pm
Location: Poland/Wroclaw

Re: Winbox vulnerability: please upgrade

Mon Feb 25, 2019 8:11 pm

Yes, I missed this thread - thanks for this link !
 
upnort
newbie
Posts: 49
Joined: Wed Aug 15, 2018 2:03 am

Re: Winbox vulnerability: please upgrade

Sun Mar 03, 2019 8:35 pm

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
Would you be able to share that system? :)
 
KeiraPullen
just joined
Posts: 1
Joined: Thu Feb 28, 2019 12:11 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 04, 2019 1:42 pm

Essentially the most general most important dilemma about most commonly (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that main default settings did not sincerely shut all WAN access to RB. After today pakistani talk shows which a tremendous phase of consumers (beside unobtrusive number of professionals and for no quandary all execs) do not refresh ROS on the whole. Besides, whatever the method that they do, they expect that is sufficient, yet now we have an understanding of that ancient FW units don't seem to be amazing attractive.
Last edited by KeiraPullen on Tue Mar 26, 2019 1:13 pm, edited 1 time in total.
 
User avatar
Deantwo
Member
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 04, 2019 2:24 pm

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
Would you be able to share that system? :)
Basically my routers have a script version number; they then have a scheduled script that makes them contact a web-server at a regular interval to check if a file with the next script version number exists. If a file with the next script version number exists, it downloads it and executes it.

All I had to do when the crap hit the fan was make a new script file with all the necessary changes and an added scheduler to download the newest RouterOS long-term version at midnight. I then uploaded that script file to the web-server with the next version number.

Kinda funny because this is the same system I saw the hackers were using in the few examples of their scripts I saw.
Last edited by Deantwo on Mon Mar 04, 2019 2:42 pm, edited 4 times in total.
I wish my FTP was FTL.
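A sketch of that versioned pull mechanism in RouterOS script, written here as an added example and not Deantwo's own scripts. The applied version number is kept in the scheduler entry's comment so it survives reboots; the update host `updates.example.net`, the file naming and the hourly interval are assumptions, and the server's CA certificate must already be imported so that `check-certificate=yes` can verify it.

```routeros
# Added example (constructed). Each router polls https://updates.example.net/router-<N>.rsc
# where N is one higher than the last version it applied; if the file exists it is imported.
# The update server must be under your control and reached over verified TLS, because
# whatever it serves runs with the script's policy on every router.
/system script add name=pull-update policy=ftp,read,write,policy,test source={
    # Last applied version lives in the scheduler comment (persists across reboots).
    :local cur [/system scheduler get pull-update comment]
    :local ver 0
    :if ([:len $cur] > 0) do={ :set ver [:tonum $cur] }
    :local next ($ver + 1)
    :local url ("https://updates.example.net/router-" . $next . ".rsc")
    :local fname ("update-" . $next . ".rsc")

    :do {
        # fetch fails (and jumps to on-error) when the next version is not published yet
        /tool fetch url=$url mode=https check-certificate=yes dst-path=$fname
        /import file-name=$fname
        /system scheduler set pull-update comment=$next
        /file remove $fname
        :log info ("pull-update: applied script version " . $next)
    } on-error={
        :log debug ("pull-update: no script version " . $next . " available")
    }
}

# Poll once an hour; the comment starts empty, so the first poll looks for version 1.
/system scheduler add name=pull-update interval=1h on-event=pull-update \
    policy=ftp,read,write,policy,test comment=""
```

A published `router-1.rsc` would then carry the fleet-wide change, for example a scheduler that runs `/system package update set channel=long-term` followed by `/system package update install` at a quiet hour.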
 
pe1chl
Forum Guru
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 04, 2019 2:27 pm

Essentially the most general most important dilemma about most commonly (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that main default settings did not sincerely shut all WAN access to RB.
That is not correct! On every router except the CCR the default has been (at least for a very long time) to block all input from internet by default.
Unfortunately it was done in such a way that it stopped working when another interface, like a PPPoE client, was added for internet access.
However that has been fixed a few versions ago.

The real problem is users that follow YouTube advice instead of MikroTik documentation. On YouTube there are a couple of users who distribute videos with completely incorrect procedures.
(probably not malice but just lack of knowledge on their part)
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: Winbox vulnerability: please upgrade

Tue Mar 12, 2019 4:19 pm

It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 on April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

[UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend carefully inspecting the configuration of your device, restoring it from verified backups or export files, and following the generic advice in the above links.
Is it enough to only upgrade the OS to a safe version, or MUST I do a netinstall?

thx
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1845
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Tue Mar 12, 2019 4:25 pm

It is always safer to netinstall as it formats device.
Real admins use real keyboards.
 
User avatar
Deantwo
Member
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Mar 12, 2019 5:25 pm

Is it enough to only upgrade the OS to a safe version, or MUST I do a netinstall?
As stated multiple times in this thread, and other places on the forum. If you want to be 100% sure that your router is not infested with some Lovecraftian horror, netinstall it.
If your router hasn't been attacked, probed, or accessed in any way, you might be ok with just upgrading to the latest long-term version and changing your passwords. The problem is that you'll have no idea if you were exploited, so it's always better to be safe than sorry.

That said, implementing a more secure firewall with VPN, IP whitelist and/or port-knocking for secure remote management access is always a good idea.
I wish my FTP was FTL.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8464
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 2:35 pm

Automatic upgrade should be the default and is quickly becoming best practice.
Automatic upgrade with reboot will never become best practice in non-HA clusters.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Sob
Forum Guru
Forum Guru
Posts: 5877
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 4:58 pm

Well, why not, as long as I can turn it off and I'm not left out with setting "active hours". ;) But I don't think MikroTik will go for it, it's just too risky.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8464
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 5:36 pm

Well, why not, as long as I can turn it off and I'm not left out with setting "active hours". ;)
That's not what I call "best practice" ;)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 6:17 pm

Automatic upgrade should be the default and is quickly becoming best practice.
Automatic upgrade with reboot will never become best practice in non-HA clusters.
You are not going to tell us that those 200.000 - 400.000 compromised MikroTik routers form an HA cluster, are you?
 
Sob
Forum Guru
Forum Guru
Posts: 5877
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 7:25 pm

I think the point was that unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because a small mistake could result in thousands of inoperable routers, which would not amuse users either.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 5057
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 8:00 pm

Shocking, in the middle of the busy trading day, the DOW shut down unexpectedly, as the routers running the show rebooted like spontaneous combustion.
The IT admins were quite confused until they realized that automatic firmware upgrades had been applied simultaneously to both main and HA routers.
Oops.
The 4 billion dollar loss is apparently being paid by Hannah25, through a debt payment scheme that will last approx 100 generations of the family.
Just hired by the DOW to take over their IT operations is Chewbaka (phonetic spelling ;-P) who predicted the event would occur over 3 months earlier.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
nescafe2002
Long time Member
Long time Member
Posts: 689
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 9:15 pm

:)

And Hannah25 is not even a real person, just a spam bot copying this post ( viewtopic.php?t=137572&start=200#p686945 ) and coming back later to edit in some spam links.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 10:33 pm

I think the point was that unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because a small mistake could result in thousands of inoperable routers, which would not amuse users either.
I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).

MikroTik should only put well tested releases on that channel and only when an issue has been found that makes it important to update.
So it should not be just another "stable" or "long-term" channel that receives updates at will. It should only be updated when security vulnerabilities have been found and fixed, and for reasons like described above it should not be released immediately but only after that same version has been out on the stable and/or long-term channel for long enough to know that there will be no such problems.

This mechanism is only there to make sure that those users (probably the majority of home users) that never check for new versions still receive those important updates.
And for those that think that they know better, the mechanism can be turned off.

Sometimes I think that this already has been silently implemented. I observe that some of my routers "regularly" connect to upgrade.mikrotik.com and retrieve the file that contains the latest version. Then they do nothing. But maybe a special message can be put in that file that instructs the router to upgrade.
 
Sob
Forum Guru
Forum Guru
Posts: 5877
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox vulnerability: please upgrade

Sun Mar 17, 2019 10:48 pm

It should only be updated when security vulnerabilities have been found and fixed, ...
What if they don't find any for a while? Imagine that there's no vulnerability for a few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years. They would have to minimize the number of preinstalled versions somehow (to make testing easier), but with new hardware coming out all the time, I don't know how.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
Deantwo
Member
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 18, 2019 1:19 am

I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).
Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.

But we will still have smart idiots that will screw that up, and they will go onto making YouTube guides that are wrong, making poor unknowing people vulnerable.

There is no good solution, and even less a solution that is backward solving. There is no way to remotely fix all the routers that are already vulnerable (without breaking a few laws), so there is no point in using it as a point.

If a new release branch were to be made it would have to be totally separate from RouterOS, since I doubt they would want to release security fixes for each and every RouterOS version in existence.

And no we can't just say "use long-term branch", because even that breaks multiple features and brings bugs with every major release. Best example currently is how long-term v6.42 changes Netwatch execution permissions, but the fix for it isn't until v6.43 and still requires manual fixing.
I wish my FTP was FTL.
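The polled release channel quoted in the post above already exists in a weaker form: a router can check one channel on a schedule and install whatever is newer, so the timing of the reboot stays under the administrator's control. The following is an added example written for this page, not a script from the thread or from MikroTik. It assumes RouterOS v6.31 or later (the channel property and "check-for-updates once"), and the 03:00 run time and the long-term channel are assumptions to adapt.

```routeros
# Added example, not from the thread or from MikroTik: scheduled upgrade check
# pinned to one release channel, run at night.
# Assumptions: RouterOS v6.31+, channel "long-term", run time 03:00 router-local.
/system package update set channel=long-term

/system script add name=auto-upgrade policy=read,write,reboot,test source={
    /system package update
    check-for-updates once
    # the check is asynchronous: give the download of the version file time to finish
    :delay 15s
    :if ([get status] = "New version is available") do={
        :log warning ("auto-upgrade: " . [get installed-version] . " -> " . [get latest-version] . ", installing and rebooting")
        # install downloads the packages for this channel and reboots the router
        install
    } else={
        # typically "System is already up to date" or a download error; nothing is changed
        :log info ("auto-upgrade: " . [get status])
    }
}

# run the script once a day at 03:00; only a version newer than the installed one triggers a reboot
/system scheduler add name=nightly-upgrade start-time=03:00:00 interval=1d on-event=auto-upgrade
```

Run it once by hand with `/system script run auto-upgrade` and watch `/log print` before trusting the schedule. The router itself must be able to reach upgrade.mikrotik.com, and a reboot is unavoidable once `install` runs, which is exactly the behaviour the thread argues about; keeping the channel on long-term limits the feature churn Deantwo describes, but does not remove it.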
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 18, 2019 11:19 am

It should only be updated when security vulnerabilities have been found and fixed, ...
What if they don't find any for a while? Imagine that there's no vulnerability for few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years.
I have not clearly stated (and I am not really sure) if they should make a minor release to fix security issues for every major release out in the field.
While that would reduce the risk of update problems, it would increase the amount of maintenance work.
Of course, when routers with very old RouterOS are now updated to "stable" or even "bugfix" versions, they could encounter issues with migration of old configuration like "switch master-port -> bridge with hardware acceleration" or "new IPsec configuration".
So it could be considered to have a security update version separately for versions before those major releases.

Leaving this unsolved for so long of course has contributed to the problem. Not solving it now will only make it more difficult.
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Mar 18, 2019 11:21 am

Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.
There could be a default firewall where user can add things, and an "expert" mode where they can redesign the whole firewall when desired.

But that does not help against stupid YouTube videos that instruct beginners to do the wrong thing.
 
glibao
just joined
Posts: 3
Joined: Thu Dec 04, 2014 8:15 pm

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 3:47 pm

Hello, we have found that our CCR is not accessible, it has been compromised, user and password have changed. v6.38.7 (bugfix) is the version that appears from winbox, we have tried ExploitWinbox and Macserverexploit but they do not work, what else can we do? We do not have a backup..... Thanks!
 
Deantwo
Member
Posts: 315
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 4:07 pm

Hello, we have found that our CCR is not accessible, it has been compromised, user and password have changed. v6.38.7 (bugfix) is the version that appears from winbox, we have tried ExploitWinbox and Macserverexploit but they do not work, what else can we do? We do not have a backup..... Thanks!
Bugfix version 6.38.7 should be vulnerable to the exploit, assuming the firewall or service doesn't block IP access and MAC-WinBox-Server is running for MAC access.
If you can't get into it at all, you might have to cut your losses and netinstall it right away. Because you'll want to netinstall it either way, it is only a question of whether or not you can save some of your configuration.
I wish my FTP was FTL.
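The reply above names the two conditions under which a vulnerable router is reachable at all: the winbox service accepts connections from untrusted addresses, and MAC-WinBox-Server answers on an untrusted interface. The following closes both, plus neighbour discovery, which is what advertises identity and version to whoever is on the link. It is an added example written for this page, not configuration from the thread or from MikroTik's defaults. It assumes RouterOS v6.41 or later (interface lists), a LAN-side bridge named "bridge" and a management subnet 192.168.88.0/24; all three are assumptions to replace with your own values.

```routeros
# Added hardening example, not from the thread: restrict IP and layer-2 management
# access to a trusted interface list and subnet.
# Assumptions: RouterOS v6.41+, LAN bridge called "bridge", management hosts in 192.168.88.0/24.

# 1. trusted interface list: only members of this list get management access
/interface list add name=LAN
/interface list member add list=LAN interface=bridge

# 2. IP services: winbox and ssh only from the management subnet, unused services off
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable [find name~"^(telnet|ftp|www|api|api-ssl)\$"]

# 3. layer-2 management: MAC-Telnet and MAC-WinBox only on trusted interfaces, MAC ping off
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

# 4. neighbour discovery: stop advertising identity and version on untrusted links
/ip neighbor discovery-settings set discover-interface-list=LAN

# 5. input chain: "add" appends, so if rules already exist move these above them
/ip firewall filter add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=input action=accept in-interface-list=LAN comment="management from LAN only"
/ip firewall filter add chain=input action=drop comment="drop everything else addressed to the router itself"

# check: winbox should show the address restriction, and the final drop rule's counters should grow
/ip service print where name=winbox
/ip firewall filter print stats where chain=input
```

Apply this from a session on the trusted interface and with Safe Mode enabled (Ctrl+X in the terminal, the Safe Mode button in WinBox), so a mistake that cuts your own session is rolled back. Anything the router must accept from the WAN side (a VPN server, ICMP, a dynamic routing protocol) needs its own accept rule placed before the final drop. None of this recovers a box whose admin password has already been changed; for that the reply above is right that netinstall is the way out.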
 
glibao
just joined
Posts: 3
Joined: Thu Dec 04, 2014 8:15 pm

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 5:36 pm

Is there no way to extract the router configuration? Or any other exploit I can try?
Thank you
 
jo2jo
Forum Veteran
Posts: 973
Joined: Fri May 26, 2006 1:25 am

Re: Winbox vulnerability: please upgrade

Wed May 22, 2019 9:09 pm

AFAIK there is no way to extract your config without an admin password; others (more familiar with netinstall) might chime in otherwise (netinstall has that save config button/checkbox, but I think it requires your password first). You have to consider, MT does not want to make it so that someone with even physical access to your MT can pull your config somehow (else anyone locally could grab your valuable config + VPN creds/certs or other creds, possibly without the remote admin even knowing, as they may only see the MT reboot - so this is a good thing!)

I can say that we had a customer's MT that was exploited several months ago (an MT we did not control, but rather local IT did), so they physically brought the MT to us to see what was wrong with their router (lol). Out of curiosity I tried the various exploits myself, to then grab the hacker's new password they had set.

To do this, we used a recent release of Kali OS and were able to pull the password via the MAC/layer-2 exploit (I think it was a python script).
(You may want to try that again with Kali OS, as the scripts may fail silently if they are missing some package or other dependency on your host OS, possibly.)

if it helps, here was the user/password they had used/created on this MT:

service
service42

user1
motoroll3r

fad
fad

(Those worked for us to get into WinBox; or maybe try those passwords above with user admin.) Good luck recovering your config, even though you probably should recreate the config from scratch anyway.

edit: also, if you are trying the TCP/winbox exploit, you may want to first portscan the device, as I think in some cases they changed the winbox port (and/or restricted it to their own IP range).
:beep :beep :beep
 
glibao
just joined
Posts: 3
Joined: Thu Dec 04, 2014 8:15 pm

Re: Winbox vulnerability: please upgrade

Thu May 23, 2019 1:42 am

Thank you very much for your explanation, I'm going to try what he says. I've tried the port with nmap and it still uses the original winbox port.
On MAC (layer 2) I have already tried the python script and it does not work either (they may have updated some package). Thank you
 
ollit
just joined
Posts: 23
Joined: Tue May 23, 2017 3:14 pm

Re: Winbox vulnerability: please upgrade

Mon Jul 15, 2019 1:07 pm

Is it possible to show the Version column in the Managed tab?
 
pe1chl
Forum Guru
Posts: 6889
Joined: Mon Jun 08, 2015 12:09 pm

Re: Winbox vulnerability: please upgrade

Mon Jul 15, 2019 2:03 pm

Is it possible to show the Version column in the Managed tab?
No, because this is just a list of bookmarked connection parameters, and WinBox does not have an actual connection to these devices until you select and open one.
Depending on the topology of your network you can sometimes get such information by connecting to some central router and then selecting IP->Neighbors.
This shows the names and versions of all surrounding routers that have "discovery" enabled on the link. This is actual information.
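The neighbour-table walk described above can be scripted on the central router, which turns it into a quick inventory of which surrounding routers still run an older version. The following is an added example written for this page, not a script from the thread. It assumes RouterOS v6 (the installed-version property under /system package update) and, as the post notes, that discovery is enabled on the links in between; neighbours with discovery disabled simply do not appear.

```routeros
# Added example, not from the thread: list every discovered MikroTik neighbour with
# identity, address and version, and flag those not on the same RouterOS version
# as the router this runs on.
# Assumptions: RouterOS v6, discovery enabled on the links between the routers.
:local mine [/system package update get installed-version]
:put ("this router: " . $mine)

:foreach n in=[/ip neighbor find where platform="MikroTik"] do={
    :local id   [/ip neighbor get $n identity]
    :local addr [/ip neighbor get $n address]
    :local ver  [/ip neighbor get $n version]
    :if ([:len $ver] = 0) do={ :set ver "(no version advertised)" }

    # the version field reads like "6.44.3 (stable) ..."; compare only the leading
    # version number, and make sure the match is not a prefix of a longer number
    :local prefix [:pick $ver 0 [:len $mine]]
    :local next   [:pick $ver [:len $mine] ([:len $mine] + 1)]
    :local same false
    :if ($prefix = $mine && ($next = " " || $next = "")) do={ :set same true }

    :if ($same) do={
        :put ($id . "  " . $addr . "  " . $ver)
    } else={
        :put ($id . "  " . $addr . "  " . $ver . "   <-- differs from this router")
    }
}
```

Run it in a terminal on the central router; the "differs" marker is the list to work through with the upgrade advice from earlier in the thread. Because the output comes from the discovery protocol, it reflects only directly connected links, so a router two hops away has to be queried from its own neighbour.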
