Community discussions

MUM Europe 2020
 
silversword
newbie
Topic Author
Posts: 43
Joined: Tue Jul 23, 2013 3:36 pm

RB1100AHx4 Dude Edition insecure by default

Thu Apr 25, 2019 11:26 pm

I plugged WAN into internet, and within 60 seconds of initializing the internet connection with DHCP the firewall was bot compromised. Disabled ID: admin rights, and new ID of router was created with full control.

Had to Factory reset with button, disconnect internet cable lookup and manually create the default block rules and THEN plug in internet to port 1.

Ridiculous that's the default config. NO default config should ever allow access from port 1/WAN when the default ID: admin has a blank password.

Quicksets only enter "Ethernet" is same config, no other Quicksets available

How many other Mikrotik devices are insecure by default? No wonder Mikrotik is getting a reputation as a worm router.
 
td32
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Fri Nov 18, 2016 5:55 am

Re: RB1100AHx4 Dude Edition insecure by default

Thu Apr 25, 2019 11:29 pm

doubt this was on default config.
On default config wan port drops all input traffic
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: RB1100AHx4 Dude Edition insecure by default

Thu Apr 25, 2019 11:42 pm

The bigger routers (the ones made to small business and up) don't have a "WAN port". Take a look: they are just numbered ports (eth1, eth2 and so on).

That's because they are routers made to be used in a professional environment. Where You can't say which one (which two, which five?) port(s) will get an internet link.They come without firewall by design. It would only get in the way, anyway.

The smaller ones, made to the SOHO market, (five or less ports, small format, usually white plastic) come with firewall, and a WAN designated port.
 
silversword
newbie
Topic Author
Posts: 43
Joined: Tue Jul 23, 2013 3:36 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 12:00 am

doubt this was on default config.

As I said, tested again after compromised and manual button reset the default config with ver 6.44.2 firmware does it.

The bigger routers (the ones made to small business and up) don't have a "WAN port". Take a look: they are just numbered ports (eth1, eth2 and so on).

True, not labeled as WAN...but since the config does have Port 1 with DHCP client port it's acting as one.

Hey, I know what Mikrotik devices can do, but if I were Mikrotik I wouldn't want the number of results here to keep increasing:
https://www.google.com/search?source=hp ... ompromised
 
BRMateus2
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 2:46 am

This is your fault, as no device should be placed into Internet before configuration.
It's the same as I uploading a example sketch to a Arduino and putting it to run 24hs in the WAN natted, it's bad.
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:22 am

The bigger routers (the ones made to small business and up) don't have a "WAN port". Take a look: they are just numbered ports (eth1, eth2 and so on).


True, not labeled as WAN...but since the config does have Port 1 with DHCP client port it's acting as one.

Hey, I know what Mikrotik devices can do, but if I were Mikrotik I wouldn't want the number of results here to keep increasing:
https://www.google.com/search?source=hp ... ompromised
They have a DHCP client just to make easier the first access. No router should be exposed to the internet without proper configuration.

These compromised units are victims of an attack that was patched almost a full year before. And even then: You'd have to allow winbox access from the internet. A bad idea on a good day.

So, sorry. You exposed an unprotected and unpatched router to the internet - without even knowing what kind of firewall/login it had. That one is on you.
 
silversword
newbie
Topic Author
Posts: 43
Joined: Tue Jul 23, 2013 3:36 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 2:49 pm

No router should be exposed to the internet without proper configuration.

No device calling itself a router should have this as it's fully patched, default configuration out of the box be this:

# jan/02/1970 00:03:18 by RouterOS 6.44.2
# software id = 20C3-04CF
#
# model = RB1100Dx4
# serial number = 
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0

If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.

#ImOut
 
Samot
Member Candidate
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:20 pm

No router should be exposed to the internet without proper configuration.

No device calling itself a router should have this as it's fully patched, default configuration out of the box be this:

# jan/02/1970 00:03:18 by RouterOS 6.44.2
# software id = 20C3-04CF
#
# model = RB1100Dx4
# serial number = 
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0

If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.

#ImOut
Well honestly part of the reason there are so many worm infected devices out there are because of things like this. People buying an enterprise level router and then treating it like a Netgear Nighthawk Gaming Pro router and just assuming it's OK. Did you not update your ROS version? Did you not do anything to configure a router such as this?

Admin's failing to update, protect or manage their routers properly is not the fault of the vendor. It's the fault of the user. You know during this past year when everyone was losing their crap about all these issues MT was having, I didn't. Many of us didn't, you know why? We manage and keep our routers updated and secured.
 
User avatar
krisjanisj
MikroTik Support
MikroTik Support
Posts: 63
Joined: Wed Feb 20, 2019 2:53 pm
Contact:

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:24 pm

As shown in our wiki (more specifically here(the IP Only part)) nor RB1100, nor CCR, nor CRS series of Routers/switches are meant to be plug-and-play and has only IP for first-time connectivity. They will need to be configured by the end-user before usage, unlike our home-use router lineup (as mentioned by @Paternot), that has firewall rules and other security measures applied beforehand.
We even have a wiki page dedicated on how to apply basic firewall rules and other security so this doesn't happen.
* Wager of "The Holy War" against users who don't paste their config/export/print into [code][/code] blocks
* Avid coffee consumer
* Provider of stupid solutions for simple problems
 
Samot
Member Candidate
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:28 pm

As shown in our wiki (more specifically here) RB1100, nor CCR, nor CRS series of Routers/switches are meant to be plug-and-play and has only IP for first-time connectivity. They will need to be configured by the end-user before usage, unlike our home-use router lineup (as mentioned by @Paternot), that has firewall rules and other security measures applied beforehand.
We even have a wiki page dedicated on how to apply basic firewall rules and other security so this doesn't happen.
Reading manuals or documentation for how things work is for suckers. Your stuff should just know what I need and do it.
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:52 pm

No router should be exposed to the internet without proper configuration.

No device calling itself a router should have this as it's fully patched, default configuration out of the box be this:

# jan/02/1970 00:03:18 by RouterOS 6.44.2
# software id = 20C3-04CF
#
# model = RB1100Dx4
# serial number = 
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0

If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.

#ImOut
Well, I'm not the one saying the router should be protected from myself. I'm not the one that bought a professional product and treated it like a consumer garbage. Own your mistake, learn from it and become a better professional. That's how it works.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 4:25 pm

No device calling itself a router should have this as it's fully patched, default configuration out of the box be this:
......
If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.
Your statement is as valid as this:
Producers of Zonda, Ferrari and Lamborghini are car manufacturers making the "reputation" of low quality dangerous cars responsible for
so many accidents all around the world as default tires allow to travel too fast.
Real admins use real keyboards.

Who is online

Users browsing this forum: No registered users and 96 guests