CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

NEVER TRUST, there is no guarantee that the remote site will not be modified on purpose to execute arbitrary commands on your router.

It's one thing to download and import a list of addresses via script,
it's another to download a list of commands to apply blindly, without any limits or controls, in the router.

In general, never trust files provided by external sources.

Agree, example https://blocklister.gefoo.org/
Especially HTTP fetch can be problematic where attacker can perform MITM attack and modify response even if site is providing non malicious response.

attacker can perform MITM attack

also, right!

We just need mikrotik to implement firewall list load feature, since now there is no easy and simple way...

Never trust, yes!
like ip dns adlist

You should mirror check everytime

Do you know what is sad? Docker images works exactly this way....you download something and run it. Also go programs uses this, includes sources directly from internet.

That's why docker images needs to be downloaded from trusted repositories and even then it's good to treat them as insecure network client by restricting connections to/from them only for provided service by container.
For downloaded application software at least you can use some antivirus/anti malware solution but also it is sane to know what you are installing and from which source.

Again...
viewtopic.php?t=152632#p1109095

Agree, example https://blocklister.gefoo.org/
Especially HTTP fetch can be problematic where attacker can perform MITM attack and modify response even if site is providing non malicious response.

If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.

Again...
viewtopic.php?t=152632#p1109095

Do not make unnecessary comments. Unfortunately, people like you have time to discuss empty things that are really problematic because of the pushes like you.
Look: viewtopic.php?p=1109299#p1109299

Agree, example https://blocklister.gefoo.org/
Especially HTTP fetch can be problematic where attacker can perform MITM attack and modify response even if site is providing non malicious response.

If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.

HTTP != HTTPS - That's why I mentioned especially HTTP, if someone using http (unencrypted) protocol in fetch.

Regarding MITM attack on HTTPS, there are ways to also perform it, but it requires manual intervention from user to install CA certificate which MITM response uses to sign own certificate. User can be tricked by some social engineering technique like phishing, less chance than HTTP but possible.
Still, even if MITM is not performed concern is in aspect how much you trust the public source, if is for eg. Github source, repository owner account can be compromised and repo then can be updated with malicious script, if is some other site then you are not certain how well is protected, etc... I always follow the rule - better safe than sorry

@LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script directly on your router or on a separate server. The use of HTTPS/SSL for the actual transfer does not change this risk.

@LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script directly on your router or on a separate server. The use of HTTPS/SSL for the actual transfer does not change this risk.

Unless it's a reliable source, yes, you're right. It doesn't make sense to use it. Here it depends on how much you trust the source. In addition, instead of automation, it can be achieved manually by allocating labor, as you said. Not every convenience is always completely safe.

I'm not sure the "CRITICAL" is necessary. Everything here can be relegated to security "best practices". And applies equality to "cut-and-paste" scripts and containers. Or even the dude, which downloads the matching version. And winbox4 new's "Update Winbox" risks MITM attacks, if one adopts the posture suggested here.

There is nothing magical about RouterOS scripting in this regard than an other OS. Some mainstream software use "curl ... | sh" - whether that's "safe" depends on the environment it's used and threat profile.

+1 for the emoji's ;-P

If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.

As I wrote in the other post:

Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.

Who guarantees that yourself on the github do not insert commands that create users and open backdoors in the router?
"Your" link does not just refer to a ready-made list of IPs, but creates an "import" where you can safely put any command you want to execute in the router, maybe it's a way to make money by selling machines on the darkweb.

If people "can check" it does not mean that they do not go and check when for others it is already too late.

If you can't see the security problem, it is certainly not my fault.


And let me be clear, I never talked about HTTP or HTTPS issues, it's the content that's the problem, not the means of transport.
However the suggested script does NOT install the proper SSL certificate and does NOT check HTTPS, so no matter what happens a MITM attack is still possible...

depends on the environment it's used and threat profile.

Key word "environment", which makes company environments much more sensitive than home users environment. If somehow I find out that my ISP is using such way to update their router, from public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...

I'm not sure the "CRITICAL" is necessary.

Yes, because most users can only copy & paste without knowing what they are doing, without distinguishing a list of commands from a list of IPs...

If somehow I find out that my ISP is using such way to update their router, from public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...

I see you get the point...

Key word "environment", which makes company environments much more sensitive than home users environment. If somehow I find out that my ISP is using such way to update their router, from public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...

Well, this is pure fantasy, but if I *somehow* manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or "human" one) is a nice colander.

If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.

As I wrote in the other post:

Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.

Who guarantees that yourself on the github do not insert commands that create users and open backdoors in the router?
"Your" link does not just refer to a ready-made list of IPs, but creates an "import" where you can safely put any command you want to execute in the router, maybe it's a way to make money by selling machines on the darkweb.

If people "can check" it does not mean that they do not go and check when for others it is already too late.

If you can't see the security problem, it is certainly not my fault.


And let me be clear, I never talked about HTTP or HTTPS issues, it's the content that's the problem, not the means of transport.
However the suggested script does NOT install the proper SSL certificate and does NOT check HTTPS, so no matter what happens a MITM attack is still possible...

I really won't argue with you . Good luck to you in life. (I hope you will improve your incomplete knowledge in practice.)
my answer:
viewtopic.php?t=152632&start=300#p1109312 & viewtopic.php?t=152632&start=300#p1109322

Well, this is pure fantasy, but if I *somehow* manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or "human" one) is a nice colander.

Depends where you live, in small communities, people with similar interest/occupation gathers and talk, you never know what you can find out...

Depends where you live, in small communities, people with same interest/occupation gathers and talk, you never know what you can find out...

Well, in small communities you don't even need to share interests or occupation, if the boyfriend of the cousin of the friend of your brother-in-law likes a few pints of beer or some wine ...

Yes, but the point is, It's not always a fantasy to find out some insider information

Who guarantees that yourself on the github do not insert commands that create users and open backdoors in the router?

The issue is you suggest that anyone who builds an open source script/framework and publish them transparently on GitHub is an CRITICAL" ..."security issue".

So you devalue the work that me, @eworm, @merlinthemagic, and MANY others to do publish their work on GitHub, and make it easier for people who not coders to use well-designed scripts to mask the complexity of RouterOS. The basic idea of OSS is that transparency is the security - while not everyone is an expert in scripting, enough are. And folks like @eworm even follow best practices like using HTTPS and certificate verification, which mitigates some of the risks here.

Billons of people use code downloaded they do not understand and/or cannot even access to audit —like RouterOS itself.

Probably true, but there’s always a chance of hidden backdoors, like the "XZ backdoor". With popular solutions, it’s easier to spot and handle malicious hacks and put in countermeasures because of the sheer number of people involved. But if you’re using less reliable sources, the risk goes up, and making those kinds of judgments takes a lot of experience and not everyone has that.

EDIT:
Using smart pattern-matching tools like machine learning and LLMs to check source code for malicious hacks will probably become pretty common in the future. I heard that the Linux Foundation is working on security improvements using these kind of tools. This was mentioned on a podcast on Spotify a few months ago (can’t remember his name tho but it might have been 'XZ Backdoor: A FOSS Danger Story')

Just asking cause I am ignorant of such things but Git Hub is a repository. Who is responsible or what kind of vetting process is there to ensure no hacks or quacks in the stuff that is put there.
If your saying its completely reliant upon users checking each other, that is not security, until ENOUGH actual qualified people have actually dissected the contents to the degree required ( repeatable and all edge cases explored ) and have reported back on their findings.....
Compare to Apple, for example, where there is what seems to be a strict vetting process, ( sure a. to ensure revenue but I imagine b. to check security ).

When I see AMMO as an author, I run to the hills ;-P

You’re spot on, it’s exactly the vetting process that’s the weak link!

There are plenty of techical tools to lock down a GitHub repo, but it’s up to the owners/admins to decide how to use them. In the case of the XZ backdoor, the attacker got in using social engineering which let the villains access the xz-utils repository on GitHub (which BTW is shut down now).

Ps..
Run to the hills? Nah, when I see Amm0, I grab my notebook - always something new to learn!

(I hope you will improve your incomplete knowledge in practice.)

Nobody knows everything, but staying within the RouterOS scripts, at most I'll teach you.

Telling me about incomplete knowledge of RouterOS scripting, or arguing about https (which you don't verify) says much more than many words.
Not to you, of course, but to others it does.

So you devalue the work that me, @eworm, @merlinthemagic, and MANY others to do publish their work on GitHub, […]

No, for two reasons, and also for others not listed,

the first is that the warning is to avoid doing the "/import" automatically from who knows what sources,
without do any veify on script before import (like check if present other than "add addres..."), and without check certificates.

and the second, "the user who posts once and goes away" is certainly less reliable than someone who is always present on the forum...

Nobody knows everything, but staying within the RouterOS scripts, at most I'll teach you.

I am always open to new information, but due to your initial approach, I am closed to any information from you.

and the second, "the user who posts once and goes away" is certainly less reliable than someone who is always present on the forum...

The world is not just this forum and I am newly registered in the forum, yes, but I do not have an anonymous account. To be long-term, you have to start somewhere.

you are really funny. Your aim is obvious when I examine her profile a little.

Good thing, at least you get a laugh.

Some general obsevations.
Every now and then someone is asking here in the forum"what to do, I forgot my password, can't get in to my rooter!". Well, hopefully no one is giving them an advice how to do it. Even if there was a way to do it without resetting your rooter.
This one was quite obvious, but what if an evil hacker is asking and getting information bit by bit how to make evil things in our rooters? "How to make this and how to make that?". There are experts in this forum who can give brilliant assistance, you just have to ask. In the end of the day hackers might have useful info how to get things going as they like. Does anyone see there might be a problem? I'm not saying that you should not help users to get their rooters working, but do you recognise a weird inquiries? At least, if someone find a bug that compromise rooter security, please don't bring it here to the forum, but inform Mikrotik asap.

It's not a security bug.

It is normal for the knife to be sharp, that is its purpose.
I'm just telling you not to rub the blade on your skin... because you read somewhere on the internet that it keeps mosquitoes away...

I am always open to new information, but due to your initial approach, I am closed to any information from you.

Your loss and I guess some folks can't handle the truth. I find honest no BS answers refreshing and they are irrefutable when back up by technical acumen.

Never ever run scripts unvetted, from any place.

There are script that use to import lists and those scripts you should vet and then use over and over. If a new version is published the you start again with vetting it before using it.

Git's are nice, but code from this forum is seen by members that can see if someting is not right. And as it is with updates be a bit patient so you are not the first one catching a bug.