Why would *anyone* allow access from arbitrary IPs to something that authenticates with nothing more complex than username and password with no rate limiting? Lock it down to source IP or something at least, if not requiring an IPSEC tunnel. I'm genuinely interested, my field's enterprise security and we'd be drawn and quartered if we exposed admin interfaces to the internet.

James

On Mon, 23 Apr 2018, at 22:14, Mike Everest wrote:
Damn!
Just saw that too - just when we were talking about unknown unknowns too :-l
More reasons to protect those admin interfaces! :-o
Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Shane Clay
Sent: Monday, 23 April 2018 10:00 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
Posted by Mikrotik on their forums today... This is probably what you are seeing and why it didn't require a "brute force":
https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
Shane
On 23/4/18, 5:52 pm, "Public on behalf of Tim Warnock" <public-bounces@talk.mikrotik.com.au on behalf of timoid@timoid.org> wrote:
I have a burn-in box - running 6.42 that I neglected to block 8291 on.
My logs show a single failed auth attempt and 1 second later a successful log in.
After that they disabled all the firewall rules, all service ports (except winbox) and then uploaded some files.
This is definitely something different than a brute force...
> On 23 Apr 2018, at 17:04, Mike Everest <mike@duxtel.com> wrote:
>
> Hi Tim, thanks for posting!
>
> MikroTik themselves made an official announcement about it a few weeks back,
> and there has been much discussion about it (even in this list I think?)
>
> To be honest, I'm amazed that RouterOS has been able to remain inconspicuous
> for so long and why this has not happened before now is a total mystery to
> me ;-) I regularly present MTCNA certification training a couple of times a
> year, and when we get to the topic about securing RouterOS admin interfaces
> I always make a point of talking about how leaving port 22 open gives a
> literally 100% chance of taking brute force crack attempts within hours (or
> minutes!) of the router getting a public address. In the same breath, I
> also mention that it is only a matter of time before those crack attempts
> start attempting 'admin/blank' credentials too - now I can say it is
> already happening! ;-)
>
> There are two points worth noting about this recent activity:
>
> 1) it is very probably attempts to exploit the 'slingshot' vulnerability that
> has been widely reported recently
> 2) it is here to stay - so YES, lock down the ports (should always be doing
> it anyway ;)
>
> Cheers!
>
> Mike.
>
>> -----Original Message-----
>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of
>> Timothy Neilen
>> Sent: Monday, 23 April 2018 4:19 PM
>> To: public@talk.mikrotik.com.au
>> Subject: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
>>
>> A colleague passed this one to me from the Mikrotik forums
>> (https://forum.mikrotik.com/viewtopic.php?f=2&t=133438).
>>
>> Might be an idea to block access to 20, 80, 8291 externally unless from
>> trusted sources if you don't already.
>>
>> TN
>>
>> Regards,
>> Timothy Neilen - Systems Engineer | +61 7 3123 7929
>> Answers IT | 6/192 Evans Road
>> Ph +61 7 3123 7929 | www.answersit.com.au
>> _______________________________________________
>> Public mailing list
>> Public@talk.mikrotik.com.au
>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
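Tim's observation in the thread (one failed Winbox login followed a second later by a success, then the firewall being disabled) is a pattern worth flagging in routine log review rather than only noticing after the fact. Below is an added example, not code from the thread or from MikroTik: a small Python scanner that walks RouterOS-style login log lines and reports any successful login that follows a failure from the same source address within a short window. The log lines are constructed samples, and the exact message wording and ISO-style timestamps are assumptions; adjust the two regexes to match your own log export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of RouterOS "account" logging.
# Message wording and timestamp format are assumed; real exports may differ.
SAMPLE_LOG = """\
2018-04-23 05:50:12 system,error,critical login failure for user admin from 198.51.100.7 via winbox
2018-04-23 05:50:13 system,info,account user admin logged in from 198.51.100.7 via winbox
2018-04-23 05:51:40 system,error,critical login failure for user admin from 203.0.113.9 via winbox
2018-04-23 05:53:02 system,error,critical login failure for user admin from 203.0.113.9 via winbox
2018-04-23 06:10:00 system,info,account user ops logged in from 10.0.0.2 via winbox
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ login failure for user (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) via (?P<svc>\w+)$")
OK_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ user (?P<user>\S+) logged in "
    r"from (?P<ip>[\d.]+) via (?P<svc>\w+)$")


def parse(lines):
    """Turn log lines into (timestamp, kind, user, ip, service) tuples; skip unrelated lines."""
    events = []
    for line in lines:
        for kind, rx in (("fail", FAIL_RE), ("ok", OK_RE)):
            m = rx.match(line.strip())
            if m:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
                events.append((ts, kind, m["user"], m["ip"], m["svc"]))
                break
    return events


def find_fail_then_success(lines, window_s=5):
    """Return (ip, user, service, seconds) for each success that follows a
    failed login from the same source IP within window_s seconds.
    A plain brute force leaves many failures; one failure then an immediate
    success from the same address is the signature the thread describes."""
    last_fail = {}
    hits = []
    for ts, kind, user, ip, svc in sorted(parse(lines)):
        if kind == "fail":
            last_fail[ip] = ts
        elif ip in last_fail and ts - last_fail[ip] <= timedelta(seconds=window_s):
            hits.append((ip, user, svc, (ts - last_fail[ip]).total_seconds()))
    return hits


if __name__ == "__main__":
    for ip, user, svc, secs in find_fail_then_success(SAMPLE_LOG.splitlines()):
        print(f"suspicious: {user}@{ip} via {svc} succeeded {secs:.0f}s after a failure")
```

The 203.0.113.9 lines show repeated failures with no success, which is ordinary brute-force noise the detector deliberately ignores; only the one-failure-then-success sequence is reported.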