[BYPASS] Potential external Winbox vulnerability
On Monday, 23 April 2018 4:19 PM, Timothy Neilen wrote:

A colleague passed this one to me from the Mikrotik forums (https://forum.mikrotik.com/viewtopic.php?f=2&t=133438).

Might be an idea to block access to 20, 80, 8291 externally unless from trusted sources if you don't already.

TN

Regards, Timothy Neilen - Systems Engineer | +61 7 3123 7929
Answers IT | 6/192 Evans Road | Ph +61 7 3123 7929 | www.answersit.com.au

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
On 23 Apr 2018, at 17:04, Mike Everest wrote:

Hi Tim, thanks for posting!

MikroTik themselves made an official announcement about it a few weeks back, and there has been much discussion about it (even in this list I think?)

To be honest, I'm amazed that RouterOS has been able to remain inconspicuous for so long, and why this has not happened before now is a total mystery to me ;-) I regularly present MTCNA certification training a couple of times a year, and when we get to the topic of securing RouterOS admin interfaces I always make a point of talking about how leaving port 22 open gives a literally 100% chance of taking brute force crack attempts within hours (or minutes!) of the router getting a public address. In the same breath, I also mention that it is only a matter of time before those crack attempts start attempting 'admin/blank' credentials too - now I can say it is already happening! ;-)

There are two points worth noting about this recent activity:

1) it is very probably attempts to exploit the 'slingshot' vulnerability that has been widely reported recently
2) it is here to stay - so YES, lock down the ports (should always be doing it anyway ;)

Cheers!
Mike.
On 23/4/18, 5:52 pm, Tim Warnock wrote:

I have a burn-in box - running 6.42 that I neglected to block 8291 on.

My logs show a single failed auth attempt and 1 second later a successful log in.

After that they disabled all the firewall rules, all service ports (except winbox) and then uploaded some files.

This is definitely something different than a brute force...
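The sequence Tim describes (one failed attempt, a success a second later, then firewall rules disabled and files uploaded) is what to look for on any box that had 8291 reachable from the internet. The commands below are an added example, not from this thread or from MikroTik, of pulling those indicators out of a RouterOS 6.x router from a terminal session. They assume the default system logging is still in place and that the router has not been rebooted since, because the in-memory log does not survive a reboot. Since the intruder in Tim's case had full admin access, anything the log still shows is a lower bound, not the whole story.

```routeros
# Added example (not from the list thread or from MikroTik): pull the indicators
# Tim describes out of a RouterOS 6.x router from a terminal session.
# Assumes default system logging is intact and the box has not been rebooted
# since (the in-memory log is lost on reboot).

# 1. Logins and failed logins in order, each with source address and service.
#    A single failure followed within seconds by a success from the same source,
#    with no further failures, is the pattern Tim saw rather than a brute force.
/log print where message~"logged in" or message~"login failure"

# 2. Firewall filter rules that have been switched off (Tim saw all of them disabled).
:local off [:len [/ip firewall filter find where disabled=yes]]
:put ("disabled firewall filter rules: " . $off)
/ip firewall filter print where disabled=yes

# 3. Which management services are enabled and which source addresses they accept.
/ip service print

# 4. Files, scripts and scheduler entries that were not there before the incident.
/file print
/system script print
/system scheduler print

# 5. Local accounts, including any the intruder may have added.
/user print
```

If step 2 reports disabled rules on a router nobody has touched, treat the box as compromised rather than re-enabling the rules and moving on: the upgrade Greg mentions later in the thread, a password change for every account, and a review of the uploaded files are all needed before it goes back on a public address.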
On Monday, 23 April 2018 10:00 PM, Shane Clay wrote:

Posted by Mikrotik on their forums today... This is probably what you are seeing and why it didn't require a "brute force":

https://forum.mikrotik.com/viewtopic.php?f=21&t=133533

Shane
On Mon, 23 Apr 2018, at 22:14, Mike Everest wrote:

Damn! Just saw that too - just when we were talking about unknown unknowns too :-l

More reasons to protect those admin interfaces! :-o

Cheers, Mike.
On 23/4/18, 10:03 pm, James Hodgkinson wrote:

Why would *anyone* allow access from arbitrary IPs to something that authenticates with nothing more complex than username and password with no rate limiting? Lock it down to source IP or something at least, if not requiring an IPSEC tunnel.

I'm genuinely interested, my field's enterprise security and we'd be drawn and quartered if we exposed admin interfaces to the internet.

James
On 23/04/2018 10:36 PM, Shane Clay wrote:

+1

Out of the box, firewall your input chain (or equivalent) appropriately, disable any unused services and lock down the ones that are used, as a minimum.

Shane
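Tim's original suggestion (block 20, 80 and 8291 from anywhere but trusted sources), James's point about restricting to source IP, and Shane's input-chain advice come down to the same configuration. The block below is an added example, not from this thread or from MikroTik, of that configuration in RouterOS 6.x CLI syntax. It assumes ether1 is the internet-facing port and uses 203.0.113.0/24 as a placeholder for the real management range; both must be changed before pasting. FTP's control port is 21 (20 is only the active-mode data port), so 21 is what is filtered here.

```routeros
# Added example (not from the list thread or from MikroTik): keep RouterOS admin
# services off the internet and reachable only from a trusted range.
# Assumptions to change before use: ether1 is the internet-facing port and
# 203.0.113.0/24 stands in for your real management network.

/interface list add name=WAN comment="internet-facing ports"
/interface list member add list=WAN interface=ether1

/ip firewall address-list
add list=mgmt-trusted address=203.0.113.0/24 comment="placeholder: trusted admin range"

# Input chain: rules are evaluated top to bottom, first match wins.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router already accepted"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=tcp dst-port=22,443,8291 \
    src-address-list=mgmt-trusted comment="ssh/www-ssl/winbox from trusted range only"
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 \
    in-interface-list=WAN comment="admin and api ports from the internet"
add chain=input action=drop in-interface-list=WAN \
    comment="default deny from the internet; add explicit accepts above this for anything else the router must serve (ICMP, VPN)"

# Second, independent layer: turn off services that are not used and bind the
# rest to the trusted range, so the service itself refuses other sources.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=203.0.113.0/24
set www-ssl address=203.0.113.0/24
set winbox address=203.0.113.0/24
```

Apply this from a session on the trusted range with Safe Mode on (Ctrl-X in the terminal) so a mistake in the address range does not lock you out, and confirm from a second session before leaving Safe Mode. The thread also shows why this is a mitigation rather than the fix: once the intruder on Tim's box was in, the first thing they did was disable the firewall rules and the services, so the filter only stops the initial login; the 6.42.1 upgrade Greg mentions is what removes the bug.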
On 23 Apr 2018, at 23:16, Greg McLennan wrote:

I see 6.42.1 just came out..

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

& a bunch of misc tweaks...

----------------------
Cheers
Greg Mc
On Mon, 2018-04-23 at 20:51 +0000, Thomas Jackson wrote:

And we'd just finished upgrading our networks to 6.42!

Given two reasonably nasty exploits have surfaced in recent history, I'm wondering if ROS is becoming a more attractive target to try and exploit and if we might see some more coming to light?

In any case, we firewall off the admin ports from external sources (whether it is Mikrotik, Cisco, or any other vendor), which everyone should do as step 1 of setting up a new router, so I'm not overly concerned - every vendor has bugs.

Sent from mobile
Thomas Jackson
Managing Director
+61 2 8378 5555
On 24 Apr 2018, at 8:22 am, Karl Auer wrote:

On Mon, 2018-04-23 at 20:51 +0000, Thomas Jackson wrote:
> In any case, we firewall off the admin ports from external sources

Yes - it's nice to be able to be smug :-)

If a bug like this ever shows up in their ssh implementation, we are doomed indeed.

Also, does ROS allow publickey-only ssh? It doesn't seem to...

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D
Old fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
Andrew Radke wrote:

Once you add a key to a user they can no longer log in via ssh with a password, so it does apply for that user. As for a default setting for all users, it doesn't seem so, but it might be a damned good thing for Mikrotik to get onto rather quickly. For now I guess you could put a dud key into every user via a script.

Cheers,
Andrew
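Andrew's answer to Karl (a key attached to a user turns off password login over SSH for that user, there is no global switch, so script it) can be carried out as follows. This is an added example, not from the thread or from MikroTik, in RouterOS 6.x script syntax. It assumes one public key per user has already been uploaded to the router's file store under the name <username>.pub and that the users exist. A real key per user is used rather than a dud key, because a dud key removes SSH access for that user entirely, and a user with no key attached still accepts a password, so the loop reports those rather than skipping them silently. The final `/ip ssh` setting is assumed to exist on your version; check with `/ip ssh print` first.

```routeros
# Added example (not from the list thread or from MikroTik): attach an uploaded
# SSH public key to every local user so password login over SSH no longer
# applies to them. Assumes a key file named <username>.pub is already in the
# router's file store for each user (uploaded via Winbox Files or scp).

# Single user, done by hand:
/user ssh-keys import public-key-file=admin.pub user=admin

# All users in one pass. Users without an uploaded key are reported, not
# skipped silently, because a user with no key still accepts a password.
:foreach u in=[/user find] do={
    :local name [/user get $u name]
    :local keyfile ($name . ".pub")
    :if ([:len [/file find name=$keyfile]] > 0) do={
        /user ssh-keys import public-key-file=$keyfile user=$name
        :put ("key attached: " . $name)
    } else={
        :put ("NO KEY FILE, password login still possible: " . $name)
    }
}

# Check the result: every account that should be key-only must appear here.
/user ssh-keys print

# Assumed to exist on your version (check with "/ip ssh print"): keep the
# default of not allowing password login for users that have a key.
/ip ssh set always-allow-password-login=no
```

Test the change from a second session before closing the one you are in, since a mismatched key file locks that user out of SSH until the key is replaced through Winbox or the console. This only covers SSH; Winbox and the web interface still authenticate with the password, which is why the source-address firewalling earlier in the thread remains necessary alongside keys.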
participants (10)
- Andrew Radke
- Ben Williams
- Greg McLennan
- James Hodgkinson
- Karl Auer
- Mike Everest
- Shane Clay
- Thomas Jackson
- Tim Warnock
- Timothy Neilen