normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

VPNfilter official statement

Thu May 24, 2018 8:24 am

Cisco informed us on May 22nd, 2018, that a malicious tool was found on several manufacturers' devices, including three devices made by MikroTik. We are highly certain that this malware was installed on these devices through a vulnerability in MikroTik RouterOS software, which was already patched by MikroTik in March 2017*. Simply upgrading RouterOS software deletes the malware and any other third-party files and closes the vulnerability. Let us know if you need more details. Upgrading RouterOS is done with a few clicks and takes only a minute.

To be safe against any kinds of attacks, make sure you secure access to your devices:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

P.S: The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels. In basic terms, the malware could either sniff certain types of traffic and send it somewhere, or destroy the routers.

*: viewtopic.php?f=21&t=132499
 
DhrSoulslayer
just joined
Posts: 11
Joined: Tue Mar 15, 2016 2:45 pm
Location: Netherlands

Re: VPNfilter official statement

Thu May 24, 2018 9:55 am

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 9:57 am

> Thanks for the heads-up.
>
> Is there a specific version from which this malware is able to infect a MikroTik?
> How about RouterOS 5.22 for example or 6.27?

The vulnerability in question was fixed in March 2017:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;
 
ITDave
just joined
Posts: 10
Joined: Sat Sep 09, 2017 11:37 am

Re: VPNfilter official statement

Thu May 24, 2018 10:20 am

Hi Normis,

Found this IT News article today saying MikroTik devices are on the list of those at risk of being hacked. What's your take on this article?
https://www.itnews.com.au/news/hackers- ... ces-491582
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 10:31 am

> Hi Normis,
>
> Found this IT News article today saying MikroTik devices are on the list of those at risk of being hacked. What's your take on this article?
> https://www.itnews.com.au/news/hackers- ... ces-491582

Please read the first post in this thread.
 
levicki
newbie
Posts: 32
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia

Re: VPNfilter official statement

Thu May 24, 2018 10:32 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 10:33 am

> Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.
>
> Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.

We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was published/known. We also have conducted a thorough code review after the previous vulnerability.
 
levicki
newbie
Posts: 32
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia

Re: VPNfilter official statement

Thu May 24, 2018 10:41 am

>> Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.
>>
>> Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
> We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was published/known. We also have conducted a thorough code review after the previous vulnerability.

Thanks for the quick response, that is good to know and quite reassuring.

UPDATE:
The FBI has seized and sinkholed the toknowall.com domain; here is a copy of an affidavit (PDF).
 
djdrastic
Member
Posts: 368
Joined: Wed Aug 01, 2012 2:14 pm

Re: VPNfilter official statement

Thu May 24, 2018 12:51 pm

Thanks for the prompt response Normis.

I assume people that were using the QuickSet dynamic DNS VPN and appropriate firewall rules + updated firmware would have been invulnerable to these attacks?
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 12:56 pm

> Thanks for the prompt response Normis.
>
> I assume people that were using the QuickSet dynamic DNS VPN and appropriate firewall rules + updated firmware would have been invulnerable to these attacks?

Any RouterOS version with a firewall on the www port from untrusted networks was always safe. The original vulnerability that was fixed in March 2017 was only affecting you if the www port 80 (Webfig) was open to untrusted networks.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: VPNfilter official statement

Thu May 24, 2018 1:51 pm

Normis, do not quote the previous post.
 
gmsmstr
Trainer
Posts: 983
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: VPNfilter official statement

Thu May 24, 2018 3:52 pm

As always, great job guys.
 
Nenad
just joined
Posts: 10
Joined: Fri Jan 26, 2007 11:46 pm

Re: VPNfilter official statement

Thu May 24, 2018 4:29 pm

This is great news, but why have I had to dig this info out from the forum? Why isn't this statement on the Mikrotik home page, somewhere in the news section?
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu May 24, 2018 4:40 pm

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?
 
martinm
just joined
Posts: 12
Joined: Thu May 24, 2018 4:20 pm

Re: VPNfilter official statement

Thu May 24, 2018 4:43 pm

Hi, after the the linked news/thread back in March (viewtopic.php?f=21&t=132499) I checked patch levels - or at least thought I had.

On rechecking with the latest set of news today, it became clear to me that I've been applying upgrades incorrectly for a long time - I have only been upgrading the RouterOS packages (bang up to date now, and never far behind), not the Routerboard firmware, which was really old (3.x).

1/ Would this partial upgrade have potentially left me open to this attack? I'm hoping not, and that the firmware is basically just a bootloader.

2/ Particularly if the answer to the above is 'yes', it would be great to have reassurance that upgrading the firmware (which I have now done) as well as the packages would definitely clear the malware. I know Mikrotik has said 'yes' to this before. However, it would be good to have confirmation that - as far as Mikrotik is aware - the malware has not evolved the ability to protect itself against removal, given that we appear to be talking about a state actor that has had since March to develop this defence.

3/ (Unrelated to this thread, really) What level of general exposure would I have had from not updating firmware over a long period of time?

I have had a pretty restrictive set of firewall rules applied - there should be no access from the Internet for anything except L2TP VPN connections. Hopefully that would have mitigated the attack on its own. But it would be great to have an answer to 1/ that would apply even if I had made a mistake in those firewall rules, as it appears I'm incapable of applying an update :(

Cheers,

Martin
 
mrz
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: VPNfilter official statement

Thu May 24, 2018 5:01 pm

The exploit was in RouterOS, so if you upgraded only RouterOS and left the old bootloader, you are safe.
 
martinm
just joined
Posts: 12
Joined: Thu May 24, 2018 4:20 pm

Re: VPNfilter official statement

Thu May 24, 2018 5:06 pm

Thanks mrz for the fast reply.
 
anav
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 5:12 pm

Thanks for the update and the reminder (link) to the good security practices page!
 
BartoszP
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu May 24, 2018 5:21 pm

> ..... Found this IT News article today saying MikroTik devices are on the list of those at risk of being hacked. ....

Isn't it strange that all these news items say many devices are vulnerable but Cisco's are free of the problem?

> investigating the malware, which targets devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, advising users to install security updates. .... Cisco Systems, which has been investigating the threat for several months....

To me it seems to be some kind of "gray PR" (gray because I do not want to use the "black" word yet), but it resembles a little the "Volkswagengate" in the USA.
 
Modestas
newbie
Posts: 25
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re: VPNfilter official statement

Thu May 24, 2018 6:03 pm

BartoszP, are you working for Juniper? ;-P
Nokia-Alcatel-Lucent has a strong presence in Poland with numerous competence centers; Juniper perhaps doesn't :)

Anyway, it's great to see a prompt statement and clarification from MikroTik on this threat.
I wonder if MikroTik offers some mailing list for customers to receive alerts on security issues, detected vulnerabilities and remedies/corrections.
 
anav
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 6:33 pm

> BartoszP, are you working for Juniper? ;-P
> Nokia-Alcatel-Lucent has a strong presence in Poland with numerous competence centers; Juniper perhaps doesn't :)

You mean Roland or PPoland? They are on the slippery slope of being pwned by he who shall not be named!! No happy face! - makes me sad.
 
BartoszP
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu May 24, 2018 8:47 pm

>> .... in Poland ....
> You mean Roland or PPoland ...

Anav ... problems with reading? What do you want to have explained more?

P like Planet
O like On Networks
L like Lucent
A like Alcatel
N like Nokia
D like D-Link
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Thu May 24, 2018 9:19 pm

Can somebody please tell me what this log information is (in dark red below, containing "warning denied winbox/dude connect from")?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
And note - I have the following /ip/service in my configuration:
/ip service
set telnet address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks))) disabled=yes
set ftp address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set www address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set ssh address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks))) disabled=yes
set www-ssl address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set api address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set winbox address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set api-ssl address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))



11:00:33 warning denied winbox/dude connect from 213.57.88.215
11:00:39 warning denied winbox/dude connect from 168.194.108.144
11:00:47 warning denied winbox/dude connect from 94.230.25.2
11:00:51 warning denied winbox/dude connect from 213.177.66.226
11:00:52 warning denied winbox/dude connect from 43.229.63.228
11:00:53 warning denied winbox/dude connect from 198.233.88.218
11:01:00 warning denied winbox/dude connect from 191.6.164.82
11:01:01 warning denied winbox/dude connect from 191.6.164.154
11:01:03 warning denied winbox/dude connect from 213.57.88.215
11:01:05 warning denied winbox/dude connect from 94.230.25.2
11:01:16 warning denied winbox/dude connect from 119.18.39.159
11:01:17 warning denied winbox/dude connect from 94.230.25.2
11:01:21 warning denied winbox/dude connect from 213.177.66.226
11:01:27 warning denied winbox/dude connect from 94.142.173.34
11:01:33 warning denied winbox/dude connect from 213.57.88.215
11:01:48 warning denied winbox/dude connect from 94.230.25.2
11:01:57 warning denied winbox/dude connect from 213.57.88.215
11:01:58 warning denied winbox/dude connect from 168.194.108.144
11:02:01 warning denied winbox/dude connect from 191.6.164.82
11:02:01 warning denied winbox/dude connect from 191.6.164.154
11:02:03 warning denied winbox/dude connect from 213.57.88.215
11:02:08 warning denied winbox/dude connect from 198.233.88.218
11:02:13 warning denied winbox/dude connect from 119.18.39.159
11:02:17 warning denied winbox/dude connect from 94.230.25.2
11:02:21 warning denied winbox/dude connect from 213.177.66.226
11:02:22 warning denied winbox/dude connect from 43.229.63.228
11:02:33 warning denied winbox/dude connect from 213.57.88.215
11:02:44 warning denied winbox/dude connect from 94.142.173.34
11:02:46 warning denied winbox/dude connect from 119.18.39.159
11:02:51 warning denied winbox/dude connect from 213.177.66.226
11:03:01 warning denied winbox/dude connect from 191.6.164.82
11:03:02 warning denied winbox/dude connect from 191.6.164.154
11:03:03 warning denied winbox/dude connect from 94.230.25.2
11:03:03 warning denied winbox/dude connect from 213.57.88.215
11:03:17 warning denied winbox/dude connect from 119.18.39.159
11:03:21 warning denied winbox/dude connect from 213.57.88.215
11:03:24 warning denied winbox/dude connect from 94.230.25.2
11:03:24 warning denied winbox/dude connect from 168.194.108.144



Or is this a log from my btest firewall rules, which auto-block lengthy btest connections and later auto-remove them? I do see some of the above IP addresses in my firewall Connections list (which are auto-added and auto-removed an hour later).


North Idaho Tom Jones
Last edited by TomjNorthIdaho on Thu May 24, 2018 9:31 pm, edited 1 time in total.
 
Sofa
just joined
Posts: 2
Joined: Thu May 24, 2018 8:07 pm

Re: VPNfilter official statement

Thu May 24, 2018 9:28 pm

Good evening. I have a hAP ac lite router on 6.38.4 or 6.38.5, I do not remember exactly, firmware 3.27, now updated to the latest version (6.42.2, firmware 6.42.2).
The question is this: I was phoned by the cyber police, who said that my router is infected with a virus and that I need to reset my device and set it up again, which I do not really want to do.
Will new passwords and firmware updates be enough?
 
anav
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 9:46 pm

Bartoz, email me as that is a separate discussion.................
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: VPNfilter official statement

Thu May 24, 2018 11:19 pm

> The question is this: I was phoned by the cyber police, who said that my router is infected with a virus and that I need to reset my device and set it up again, which I do not really want to do.
> Will new passwords and firmware updates be enough?

That's a fraud/fake call; google for the one that wants you to pay him.
 
jebz
Member
Posts: 367
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: VPNfilter official statement

Fri May 25, 2018 2:26 am

> Can somebody please tell me what this log information is (in dark red below, containing "warning denied winbox/dude connect from")?
> ** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here? **
>
> Or is this a log from my btest firewall rules, which auto-block lengthy btest connections and later auto-remove them? I do see some of the above IP addresses in my firewall Connections list (which are auto-added and auto-removed an hour later).
> North Idaho Tom Jones

In Dude you can add your server to a map, and this makes it very easy to choose when you do a bandwidth test. When on a Dude map I think it then probes your server, but not with malicious intent. So you'll see bandwidth tests and attempted winbox/dude connections from the same host.
 
macsrwe
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: VPNfilter official statement

Fri May 25, 2018 7:44 am

> Can somebody please tell me what this log information is (in dark red below, containing "warning denied winbox/dude connect from")?
> ** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here? **
>
> This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other MikroTik admins.
> . . .
>
> North Idaho Tom Jones

Tom, let me apologize. I defined your btest server as a host in my local DNS and gave it a box in my Dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.
 
Sofa
just joined
Posts: 2
Joined: Thu May 24, 2018 8:07 pm

Re: VPNfilter official statement

Fri May 25, 2018 2:19 pm

>> The question is this: I was phoned by the cyber police, who said that my router is infected with a virus and that I need to reset my device and set it up again, which I do not really want to do.
>> Will new passwords and firmware updates be enough?
> That's a fraud/fake call; google for the one that wants you to pay him.

The fact is that it was the police, and they did not demand money from me; the provider gave them to them because the IP address is reserved for the director.
 
squeeze
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Fri May 25, 2018 4:28 pm

>>> The question is this: I was phoned by the cyber police, who said that my router is infected with a virus and that I need to reset my device and set it up again, which I do not really want to do.
>>> Will new passwords and firmware updates be enough?
>> That's a fraud/fake call; google for the one that wants you to pay him.
> The fact is that it was the police, and they did not demand money from me; the provider gave them to them because the IP address is reserved for the director.

Your writing is difficult to understand. Do not give property or access to property to anyone, even the police. They have to have a legal warrant from your country's court system and that would have been sent to company officers, so it would be company officer telling you to do anything.

Direct all formal communications with third parties to management and Directors responsible in your company. Third parties have no business telling employees to do anything.

Factory reset your router using the reset button, then upgrade to the latest firmware. Done. When security is an issue, this is always the correct procedure on any networking device. The only thing that changes is the timing (some may be expert enough to do forensic analysis first).
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Fri May 25, 2018 4:31 pm

I read his post differently. It seems some local cyber crime agency called him and told him that there is suspicious activity coming from his router. They suggested that he upgrade his router.

Well ...

1. Upgrade or reinstall
2. Protect it properly, as you should have done a long time ago: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
3. Make sure that the virus is not actually in your LAN; to an outside observer this might look like it is coming from the router, but it may be in a Windows computer inside your network
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Fri May 25, 2018 6:35 pm

>> Can somebody please tell me what this log information is (in dark red below, containing "warning denied winbox/dude connect from")?
>> ** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here? **
>>
>> This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other MikroTik admins.
>> . . .
>>
>> North Idaho Tom Jones
> Tom, let me apologize. I defined your btest server as a host in my local DNS and gave it a box in my Dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.

If it's not an attack , then I am OK with it.
I don't run Dude and I did not know if this was something I should be taking action on.
Thanks for your reply
For me - a good thing is , that if somebody was able to gain control of this 207.32.194.24 btest server , that this server is 100 percent outside of my business ISP/WISP networks.
North Idaho Tom Jones
 
intermod
newbie
Posts: 30
Joined: Mon Oct 01, 2012 5:59 am

Re: VPNfilter official statement

Fri May 25, 2018 7:26 pm

As the hack could have been sniffing traffic, our other systems may be at risk. So we don't have to audit all of our other systems now, how can we tell whether our particular device was compromised? This is very important. This could be extremely costly for our organization.
 
desertadmin
Member Candidate
Posts: 232
Joined: Tue Jul 26, 2005 6:09 pm
Location: Las Vegas, New Mexico

Re: VPNfilter official statement

Sun May 27, 2018 11:34 pm

Just added the Talos IPs to prevent further spread. Pretty scary how it infiltrates a BusyBox-based OS.

Thank you MikroTik for patching this so quickly. In addition I added the following IPs to my Drop DDOS list. This is not a DDOS, but any suspicious traffic I get, I place on this filter.

So modify how you like, but this is the list of known IPs that needed to be blocked to prevent stage 2 of this VPNfilter attack.
# Address-list entries for the VPNfilter IPs; a firewall filter rule matching list=DROPDDOS does the actual dropping.
/ip firewall address-list
add address=91.121.109.209 comment="TALOS" list=DROPDDOS
add address=217.12.202.40 comment="TALOS" list=DROPDDOS
add address=94.242.222.68 comment="TALOS" list=DROPDDOS
add address=82.118.242.124 comment="TALOS" list=DROPDDOS
add address=46.151.209.33 comment="TALOS" list=DROPDDOS
add address=217.79.179.14 comment="TALOS" list=DROPDDOS
add address=91.214.203.144 comment="TALOS" list=DROPDDOS
add address=95.211.198.231 comment="TALOS" list=DROPDDOS
add address=195.154.180.60 comment="TALOS" list=DROPDDOS
# The next entry is malformed as posted (five octets) and RouterOS will reject it; verify it against the Talos IOC list before enabling it.
# add address=5.149.250.13.76 comment="TALOS" list=DROPDDOS
add address=91.200.13.76 comment="TALOS" list=DROPDDOS
add address=94.185.80.82 comment="TALOS" list=DROPDDOS
add address=62.210.180.229 comment="TALOS" list=DROPDDOS
Hope this helps out.

Sincerely,
DesertAdmin
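A long pasted indicator list is easy to get wrong, as the five-octet entry in the post above shows, and an address-list on its own drops nothing until a filter rule references it. As an added example, not the poster's or MikroTik's code, the Python below validates address-list lines in the format used above with the standard ipaddress module, rejects malformed addresses and prefixes too wide to drop without review, removes exact duplicates, and emits a cleaned script together with filter rules. The rules cover the output and forward chains as well as input, because an input-chain drop only stops connections arriving at the router; a connection that the router itself or a LAN host initiates toward one of these addresses goes through output or forward. SAMPLE_SCRIPT is constructed with documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and includes a deliberately malformed entry; the list name DROPDDOS is taken from the post, and the /24 width limit is this example's assumption.

```python
import ipaddress
import re

# One "add" line in the format of the post: address, optional quoted comment, list name.
ENTRY_RE = re.compile(r'^add\s+address=(\S+)(?:\s+comment="([^"]*)")?\s+list=(\S+)$')
MAX_PREFIX_SPAN = 256  # assumption: refuse anything wider than a /24 in a drop list without review

# Constructed sample in the post's format; 203.0.113.5.76 is deliberately malformed.
SAMPLE_SCRIPT = """\
/ip firewall address-list
add address=192.0.2.10 comment="TALOS" list=DROPDDOS
add address=198.51.100.44 comment="TALOS" list=DROPDDOS
add address=203.0.113.5.76 comment="TALOS" list=DROPDDOS
add address=203.0.113.0/24 comment="TALOS" list=DROPDDOS
add address=10.0.0.0/8 comment="typo" list=DROPDDOS
add address=192.0.2.10 comment="TALOS" list=DROPDDOS
"""


def validate(script_text):
    """Return (valid, rejected).

    valid:    list of (address, comment, list_name), exact duplicates removed
    rejected: list of (line, reason) for lines that must not be imported as-is
    """
    valid, rejected, seen = [], [], set()
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("/"):
            continue  # blank line, comment, or the "/ip firewall address-list" menu path
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append((line, "unrecognised syntax"))
            continue
        address, comment, list_name = m.groups()
        try:
            net = ipaddress.ip_network(address, strict=False)  # raises on 5 octets, bad digits, etc.
        except ValueError as exc:
            rejected.append((line, f"bad address: {exc}"))
            continue
        if net.num_addresses > MAX_PREFIX_SPAN:
            rejected.append((line, f"{net} covers {net.num_addresses} addresses; review before dropping"))
            continue
        key = (str(net), list_name)
        if key in seen:
            continue  # RouterOS would happily add the same entry twice
        seen.add(key)
        # Render hosts without a /32 suffix, prefixes in CIDR form.
        rendered = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        valid.append((rendered, comment or "", list_name))
    return valid, rejected


def render(valid):
    """Emit the cleaned address-list plus drop rules for traffic to and from each list.
    input = to the router, output = from the router, forward = through the router."""
    lines = ["/ip firewall address-list"]
    for address, comment, list_name in valid:
        lines.append(f'add address={address} comment="{comment}" list={list_name}')
    lines.append("/ip firewall filter")
    for list_name in sorted({name for _, _, name in valid}):
        lines.append(f"add chain=input src-address-list={list_name} action=drop")
        lines.append(f"add chain=output dst-address-list={list_name} action=drop")
        lines.append(f"add chain=forward dst-address-list={list_name} action=drop")
        lines.append(f"add chain=forward src-address-list={list_name} action=drop")
    return "\n".join(lines)


if __name__ == "__main__":
    good, bad = validate(SAMPLE_SCRIPT)
    for line, reason in bad:
        print(f"REJECTED: {line}\n          {reason}")
    print(render(good))
```

Rule order matters in RouterOS: the generated drop rules must sit above any accept rules in the same chains, so move them up after import, and check the list against your own addresses before applying it.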
 
doctorrock
just joined
Posts: 21
Joined: Fri Mar 17, 2017 11:08 am

Re: VPNfilter official statement

Mon May 28, 2018 10:59 pm

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html
 
Deantwo
Member
Posts: 332
Joined: Tue Sep 30, 2014 4:07 pm

Re: VPNfilter official statement

Tue May 29, 2018 10:54 am

> Technical details of the worm here: https://blog.talosintelligence.com/2018 ... ilter.html

Funny how it says that it is hard to defend against it because it is hard to upgrade router firmware on the devices.
I am quite happy with how extremely easy it is to upgrade RouterOS on a MikroTik device.

According to what I have read about all this, it seems that all the recent attacks rely on the "webfig" vulnerability in the <6.38.5 versions of RouterOS.
But I guess Talos isn't going to promote the MikroTik brand by saying that upgrading their devices is super easy to do.

The amount of "Cisco devices are safe thanks to X and..." at the end of the article makes me feel a little confused though.
Why do they need all those fancy sounding features? Just freaking setup a reasonable firewall/ACL and protect your devices like everyone else.
 
ssbaksa
newbie
Posts: 31
Joined: Tue Oct 20, 2015 10:38 am

Re: VPNfilter official statement

Tue May 29, 2018 2:25 pm

> Technical details of the worm here: https://blog.talosintelligence.com/2018 ... ilter.html

Nice article but ...

"Mikrotik RouterOS Versions for Cloud Core Routers:
1016
1036
1072
"
Doesn't mean a thing. They mention router hardware versions, not RouterOS versions, which are what matter in this case.
 
naskoblg
just joined
Posts: 6
Joined: Sun Apr 03, 2011 11:57 pm

Re: VPNfilter official statement

Tue May 29, 2018 8:20 pm

Please read this article:
http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
https://www.facenews.ua/news/2018/407644/

They are stating that all versions prior 6.42.1 are vulnerable.
 
jerryroy1
Member Candidate
Posts: 170
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: VPNfilter official statement

Tue May 29, 2018 8:50 pm

Can we confirm the RouterOS versions please?

We have 5.26 on hundreds of 750GL's. Is it a firmware issue or an RouterOS issue? It does not seem clear from this thread.

Also, what about GR2 and GR3/Hex? What versions are invulnerable?

Thanks,

Jerry
 
jmay
Member
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: VPNfilter official statement

Wed May 30, 2018 12:53 am

I have never used webfig for my routers. Winbox only and I only allow specific IP's that access. I should be fine yeah? Most of my routers are currently at 6.41.
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Wed May 30, 2018 9:08 am

As stated before, all RouterOS devices were affected under the following conditions:

1) Webfig was open on untrusted networks (default firewall protects you, so this applies if you manually configured the firewall or removed the default);
2) You had an older RouterOS version, before these releases:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;

What to do:

1) Upgrade RouterOS
2) Change your password
3) Configure firewall and other security measures according to this guide: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

NEVER LEAVE YOUR DEVICE OPEN TO THE INTERNET, WITHOUT SPECIFIC FIREWALL ACCESS RULES
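The two conditions in the post above are easy to misapply across a fleet, because the fix landed in two release chains at once: 6.37.5 on the bugfix chain sorts numerically below 6.38.0, yet 6.38.0 through 6.38.4 on the current chain are pre-fix. As an added example (not MikroTik code), the Python below encodes exactly that rule and the "www open to untrusted networks" condition, so an inventory can be triaged into devices that need an immediate upgrade and devices that merely run an old build behind a firewall. SAMPLE_INVENTORY is constructed from version numbers mentioned in this thread; the hostnames are invented. It does not parse rc builds and treats 7.x as newer than the fix.

```python
import re
from typing import Tuple

# Releases carrying "www - fixed http server vulnerability" (changelog lines quoted in the post above).
FIXED_CURRENT = (6, 38, 5)   # current release chain
FIXED_BUGFIX = (6, 37, 5)    # bugfix release chain


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X.Y' or 'X.Y.Z' into a comparable tuple; 'X.Y' means patch level 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def has_www_fix(version: str) -> bool:
    """True if this release includes the March 2017 www fix.

    A 6.37.x build is fixed from 6.37.5 even though it sorts below 6.38.0;
    every other build must be 6.38.5 or newer.
    """
    v = parse_version(version)
    if v[:2] == FIXED_BUGFIX[:2]:
        return v >= FIXED_BUGFIX
    return v >= FIXED_CURRENT


def was_exposed(version: str, www_reachable_from_untrusted: bool) -> bool:
    """Both conditions from the post: pre-fix build AND Webfig reachable from an untrusted network."""
    return www_reachable_from_untrusted and not has_www_fix(version)


# Constructed inventory: (hostname, RouterOS version, www port reachable from the internet).
SAMPLE_INVENTORY = [
    ("rb750gl-branch", "5.26", True),
    ("hex-office", "6.27", False),
    ("hap-home", "6.38.4", True),
    ("ccr-core", "6.37.5", True),
    ("hap-lab", "6.42.2", True),
]


def triage(inventory=SAMPLE_INVENTORY):
    """Split an inventory into hosts that were exposed (upgrade now) and hosts that
    run a pre-fix build but were never reachable on the www port."""
    exposed, old_but_shielded = [], []
    for host, version, www_open in inventory:
        if was_exposed(version, www_open):
            exposed.append(host)
        elif not has_www_fix(version):
            old_but_shielded.append(host)
    return exposed, old_but_shielded


if __name__ == "__main__":
    exposed, shielded = triage()
    print("upgrade immediately:", exposed)
    print("old build, www not reachable (still upgrade):", shielded)
```

The "shielded" bucket is a priority ordering, not a pass: a firewall misconfiguration is exactly the failure mode several posters in this thread worry about, so those devices should still be upgraded.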
 
normis
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Wed May 30, 2018 9:09 am

> Please read this article:
> http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
> https://www.facenews.ua/news/2018/407644/
>
> They are stating that all versions prior to 6.42.1 are vulnerable.

That's not correct.
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: VPNfilter official statement

Wed May 30, 2018 11:56 am

>> Thanks for the prompt response Normis.
>>
>> I assume people that were using the QuickSet dynamic DNS VPN and appropriate firewall rules + updated firmware would have been invulnerable to these attacks?
> Any RouterOS version with a firewall on the www port from untrusted networks was always safe. The original vulnerability that was fixed in March 2017 was only affecting you if the www port 80 (Webfig) was open to untrusted networks.

A firewall will, as always, disable fastpath in your system. Setting the source IPs allowed on the service is a more direct low-level approach which does not disable fastpath.
 
jerryroy1
Member Candidate
Posts: 170
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: VPNfilter official statement

Wed May 30, 2018 7:35 pm

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.
 
ludvik
Frequent Visitor
Posts: 65
Joined: Mon May 26, 2008 4:36 pm

Re: VPNfilter official statement

Wed May 30, 2018 8:55 pm

> A firewall will, as always, disable fastpath in your system. Setting the source IPs allowed on the service is a more direct low-level approach which does not disable fastpath.

Unfortunately, the DNS server does not allow restrictions using /ip service.
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Wed May 30, 2018 9:21 pm

What's faster:
- no fastpath and IP firewall rule for blocking DNS;
or
- bridge interface, ipv4 fastpath and bridge filter rule for blocking access? :)
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: VPNfilter official statement

Thu May 31, 2018 8:30 am

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.
I did reply that your version is below the one with the fix. If you have an exposed webfig interface to untrusted network, UPGRADE IMMEDIATELY
 
indimouse
just joined
Posts: 2
Joined: Thu May 31, 2018 1:06 pm

Re: VPNfilter official statement

Thu May 31, 2018 1:36 pm

Good afternoon!
A few thoughts about this problem.
We also suffered an attack, lost more than 50 routers, and many had a firmware version of 6.42.2.
Access to the router is preserved, but the user admin has read-only privileges. In this case, a new root user appears in the system.
Analysis of the situation showed that it is not possible to restore the router through a netinstall, because the protected-routerboot option is enabled. To flash the equipment, you need to look up the time set in the reformat-hold-button field, then hold the reset button for that period of time while supplying power to the router. Through the terminal (console cable), we confirm the formatting of the flash. Then, through netinstall, we restore the firmware. We go to Winbox and restore from backup.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: VPNfilter official statement

Thu May 31, 2018 5:02 pm

You describe a different attack vector. We have seen this before. It was a brute-force password-guessing attack against FTP (if I remember correctly). This is not a vulnerability. Simply limit access to the device services from unknown networks.

If you have read only access with Winbox, you can see the "reformat hold time" setting, then you can wipe the device and reconfigure it. Follow manual about protected RouterBOARD on how to use the button to wipe all config: https://wiki.mikrotik.com/wiki/Manual:R ... bootloader
 
indimouse
just joined
Posts: 2
Joined: Thu May 31, 2018 1:06 pm

Re: VPNfilter official statement

Thu May 31, 2018 5:35 pm

Of the active services on the devices, ssh and winbox were installed. FTP was not active on any device. When starting in the console on all devices, there were reports of the inability to remove /var/run/vpnfilterw.
I described the process of restoring functionality above; by the way, MikroTik support could not tell us this solution by email.
 
User avatar
dlynes
newbie
Posts: 41
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada
Contact:

Re: VPNfilter official statement

Thu May 31, 2018 7:09 pm

FWIW, I use the following related best practices when I set up a router that has a public-facing interface:
  1. reset all configuration settings, uncheck 'keep default settings'
  2. Disable all non-essential services:
    1. telnet
    2. http
    3. https
    4. ftp
    5. api
    6. secure api
  3. Create a whitelist of admin IP addresses/netmasks
  4. Add the following firewall filter rules to the beginning of the list
    1. Allow all admin whitelisted ips access to tcp 20,21,22,23,80,161,443,8291,8728,8729 on the input chain
    2. Block all access to tcp 20,21,22,23,80,161,443,8291,8728,8729 on the input chain
    3. Allow all admin whitelisted ips access to udp 161 on the input chain
    4. Block all access to udp 161 on the input chain
    5. Allow all established and related traffic (state) for both input and forward chains
The effect of this is that if a firmware upgrade accidentally clobbers one of these settings or one of my admins mistakenly deletes or disables a rule, I still have the other to fall back on.

For reference:
port 20 = ftp data port
port 21 = ftp control port
port 22 = ssh
port 23 = telnet
port 80 = http
port 161 = snmp
port 443 = https, sstp (do not block if you need to create an sstp connection to the box)
port 8291 = winbox
port 8728 = api
port 8729 = secured api

Set up the rest of your firewall as needed for your application.

Add a drop all rule to the input chain on the filter tab.

After an hour, make sure that you're getting packet counts on the drop all rule. If you're not, you've got another rule before it preventing packets from getting to it, and it's probably a misconfigured rule. It's pretty much a sure thing that you'll be getting traffic coming on the router's WAN interface that is unwanted traffic.
Last edited by dlynes on Sun Jun 03, 2018 4:21 pm, edited 3 times in total.
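The steps dlynes lists, written out as RouterOS CLI commands, as an added example rather than his own export. It assumes constructed admin addresses (192.0.2.10 and 198.51.100.0/24) and a router reset with "keep default settings" unchecked, so the filter list starts empty and the rules land in the order they are added; the log prefixes and the /ip service address restriction at the end are additions of this example.

```routeros
# Added example, not dlynes's own configuration. Assumptions (constructed):
# admin hosts are 192.0.2.10 and 198.51.100.0/24; the filter list is empty
# after the reset (step 1), so "add" appends in the listed order.

# Step 2: disable non-essential services; ssh and winbox stay enabled
/ip service
disable telnet,ftp,www,www-ssl,api,api-ssl

# Step 3: the admin whitelist as an address list, so every rule uses one name
/ip firewall address-list
add list=admin-whitelist address=192.0.2.10 comment="admin workstation"
add list=admin-whitelist address=198.51.100.0/24 comment="NOC subnet"

# Step 4: input-chain rules in the order given in the post
/ip firewall filter
add chain=input action=accept protocol=tcp \
    dst-port=20,21,22,23,80,161,443,8291,8728,8729 \
    src-address-list=admin-whitelist comment="4.1 admin -> management TCP"
add chain=input action=drop protocol=tcp \
    dst-port=20,21,22,23,80,161,443,8291,8728,8729 \
    log=yes log-prefix="mgmt-tcp-drop" comment="4.2 everyone else -> management TCP"
add chain=input action=accept protocol=udp dst-port=161 \
    src-address-list=admin-whitelist comment="4.3 admin -> SNMP"
add chain=input action=drop protocol=udp dst-port=161 \
    log=yes log-prefix="snmp-drop" comment="4.4 everyone else -> SNMP"
add chain=input action=accept connection-state=established,related \
    comment="4.5 replies to connections the router already accepted"
add chain=forward action=accept connection-state=established,related \
    comment="4.5 replies for forwarded connections"

# ... application-specific accept rules for input and forward go here ...

# Final input rule: drop everything not explicitly accepted above
add chain=input action=drop log=yes log-prefix="input-drop" comment="drop all"

# Second layer (addition of this example, in the spirit of the fallback dlynes
# describes): the services themselves only listen to the same admin networks,
# so a deleted or disabled rule alone does not expose them
/ip service
set ssh address=192.0.2.10,198.51.100.0/24
set winbox address=192.0.2.10,198.51.100.0/24

# The check from the post: after an hour the drop-all counters must be climbing
# on a WAN-facing router; a zero count means an earlier rule is swallowing traffic
/ip firewall filter print stats where comment="drop all"
```

Port 443 is in the drop rule as in the post, so remove it from both rules if the router must terminate SSTP from arbitrary clients.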
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Sat Jun 02, 2018 7:37 pm

Apparently VPNFilter is now scanning for port 2000 (btest server) on Mikrotik routers. Another exploit? Not many admins are aware that this service runs by default.
 
complex1
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH

Re: VPNfilter official statement

Sat Jun 02, 2018 8:32 pm

Apparently VPNFilter is now scanning for port 2000 (btest server) on Mikrotik routers. Another exploit? Not many admins are aware that this service runs by default.
That’s why normis wrote in his original post...
To be safe against any kinds of attacks, make sure you secure access to your devices:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
 
SolarW
newbie
Posts: 40
Joined: Mon Nov 29, 2010 3:37 am

Re: VPNfilter official statement

Sun Jun 03, 2018 11:26 am

Apparently VPNFilter is now scanning for port 2000 (btest server) on Mikrotik routers. Another exploit? Not many admins are aware that this service runs by default.
https://www.bleepingcomputer.com/news/s ... -comeback/
https://www.securitylab.ru/news/493715.php

BTest server is vulnerable?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Sun Jun 03, 2018 1:19 pm

Again and again ... it seems to be a kind of sport nowadays to ask "Is Mikrotik vulnerable because someone is scanning a particular port?"
If you disable or limit source IPs for all new incoming connections then there should be no problem at all.
If you do not secure your router then offenders will try to identify the brand and then try to attack.
Scanning ports is not an attack. I have some routers with an IP range where some addresses are not used yet, but I see traffic on the WAN ports to the unused IPs.
Should I ask: "Are my Mikrotik routers vulnerable as they see and could accept traffic for nonexistent IPs?"
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: VPNfilter official statement

Sun Jun 03, 2018 3:53 pm

If everyone would adhere to the principle "block all and allow only what you need", which is considered best practice, none of these discussions would be necessary.

Start with:
- allow all from (management) LAN
- allow established/related
- drop all

and work your way up from there on an "as needed" basis and be faithful to that (drop what you do don't need anymore).
In such a case, any port scan is useless, unless you have an intentional running service on that port, which is easy to track by checking your firewall accept and port forward rules. Nothing which is "unknown" can pass anywhere.
And, if needed, use VPN techniques for remote management, not direct access on WAN ports. It adds a layer of security to it.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Sun Jun 03, 2018 6:58 pm

Again and again ... it seems to be a kind of sport nowadays to ask "Is Mikrotik vulnerable because someone is scanning a particular port?"
If you disable or limit source IPs for all new incoming connections then there should be no problem at all.
If you do not secure your router then offenders will try to identify the brand and then try to attack.
Scanning ports is not an attack. I have some routers with an IP range where some addresses are not used yet, but I see traffic on the WAN ports to the unused IPs.
Should I ask: "Are my Mikrotik routers vulnerable as they see and could accept traffic for nonexistent IPs?"
There's a big difference between random port scans and targeted traffic to a specific port. MT devices without a firewall are trivial to identify due to service banners, I doubt attackers are trying to "identify the brand", most will just send any exploit to any device. Given that VPNFilter is supposedly created by a nation state attacker, it's a little more concerning to see it targeting a specific Mikrotik service.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Sun Jun 03, 2018 10:04 pm

R1CH
Scanning port 2000 is not new ... I have seen it for a long time ... I do not agree that scanners do not identify routers ... they scan them for "well known" ports to make a proper attack instead of blind tries.
The point is that asking "is btest vulnerable?" or "is service >>name of service<< vulnerable?" is just making noise and panicking rather than reporting a problem.
 
SolarW
newbie
Posts: 40
Joined: Mon Nov 29, 2010 3:37 am

Re: VPNfilter official statement

Sun Jun 03, 2018 10:04 pm

Guys, you don't understand me.
Situation, for example:
- I want to enable the bandwidth test server for access from ANY IP without authentication.
Can anybody get admin access to my Mikrotik?

When I say "vulnerable" I mean a vulnerability like the Winbox one for versions lower than 6.42.1
(yes, I have tested a scanner and got admin credentials from unfirewalled routers).
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Sun Jun 03, 2018 10:31 pm

I understand ... but we need to assume that Mikrotik is doing their best and trying to deliver software without bugs. If we/they have no proof that something is "broken" then they can always say "YES, it is safe".
 
squeeze
Member Candidate
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Mon Jun 04, 2018 12:07 am

1. If you are running any open ports on your router, then you are unsecured and implicitly accepting ALL the associated risks of remote exploits. That is regardless of the manufacturer. The device and service you choose to run is irrelevant.

2. Scans against any ports, specific or otherwise, mean nothing by themselves from a security perspective, i.e. this provides no new information of any kind since they are trivial to do.

3. If you are asking in this thread whether there is a 0-day exploit for Mikrotik routers and your only evidence for that are port scans, then please stop wasting everyone's time. How on Earth would anyone know that?

If your target audience is the vendor, they would not release information of a 0-day to you without going through private channels, for obvious reasons. If your target audience are hackers, they would say nothing on public forum, regardless of whether they are black hats or white hats. If your target is everyone else, ask in a completely separate thread with your specific evidence or concerns, not piggybacking on the official statement for a known attack.

Many people watch these official threads for very specific topic information or official information, not for general discussion. Thank you.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Wed Jun 06, 2018 4:32 pm

A new technical update was published, which expands the compromised device list to include almost all Mikrotik boards (CCR1009 (new), CCR1016, CCR1036, CCR1072, CRS109 (new), CRS112 (new), CRS125 (new), RB411 (new), RB450 (new), RB750 (new), RB911 (new), RB921 (new), RB941 (new), RB951 (new), RB952 (new), RB960 (new), RB962 (new), RB1100 (new), RB1200 (new), RB2011 (new), RB3011 (new), RB Groove (new), RB Omnitik (new), STX5 (new)).

https://blog.talosintelligence.com/2018 ... pdate.html

The new version of VPNfilter intercepts HTTP traffic and rewrites HTTPS to HTTP. This makes it possible to detect signs of compromise externally, as it modifies the HTTP request, but at this time it isn't possible to know what domains it is targeting.
 
squeeze
Member Candidate
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Wed Jun 06, 2018 6:01 pm

Since the remote exploit targets previously known RouterOS vulnerabilities, then naturally it would have included all RouterOS devices anyway.

These Affected Devices lists are more informational than containing any new warnings because they simply show what devices they are seeing being targeted in the wild.

It may be more serious for other vendors if it is using a host of different vulnerabilities to span architectures (because different platforms may be updated differently), or worst of all, if it is using zero-day exploits (not as far as anyone knows).

If you have no open ports on your WAN interface, then you are completely safe from remote wired exploits of any kind. This is the default state for all Mikrotik SOHO devices, afaik.
 
User avatar
indjov
just joined
Posts: 20
Joined: Fri Jun 03, 2016 12:23 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 11:49 am

Wow, the problem is much bigger.

https://www.theregister.co.uk/2018/06/0 ... e_thought/
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 12:01 pm

If we/they have no proof that something is "broken" then they always could say "YES, it is safe".
Actually I have always found it ridiculous that MikroTik people made remarks on this forum that RouterOS is safe because there were no known security problems and there had been no major problems in the past.
Results obtained in the past are no guarantee for the future, and when software has no known problems it usually means there has been no adequate search for problems.

Now that the bad guys have discovered MikroTik, problems appear everywhere. That was only to be expected. It happened with all the other manufacturers as well.
This means there was no safety to begin with, it was only imagined. In fact we are lucky that up to now all the discovered problems are in services that you can quite easily firewall, but again: there is no guarantee that it will remain that way.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 12:05 pm

If you have no open ports on your WAN interface, then you are completely safe from remote wired exploits of any kind.
Unfortunately that is not true at all. You are safe from the exploits as they are seen now. You could still have problems e.g. when there turns out to be a problem in some obscure firewall rule type like L7 matching or when there is a problem in some client that you have to run (e.g. DHCP client).
 
Schlimmerfinger
just joined
Posts: 5
Joined: Sat Mar 01, 2014 3:00 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 12:08 pm

Hi folks,
now are more mikrotik devices affected.....

https://blog.talosintelligence.com/2018 ... pdate.html
Also my RB3011.....
Any solution from Mikrotik?

regards

Alex
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 12:18 pm

now are more mikrotik devices affected.....
No more devices affected, just an updated announcement after the announcers better researched the MikroTik product range.
(The original announcement, where it was said it affected CCR1016, 1036 and 1072 but not 1009, was of course hogwash.)

Solution was mentioned already in the first post, please don't append questions without reading the topic.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 12:19 pm

ALL devices which have OLD RouterOS are affected. Cisco doesn't know that many devices can have the same firmware. And they're not able to write affected firmware versions. So just upgrade to the current or bugfix version.
 
Samot
Member Candidate
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 3:03 pm

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just bad practices all around.
 
ti1promotion
just joined
Posts: 9
Joined: Fri Jul 20, 2012 5:06 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 3:22 pm

Hi to all
I think my router has been hacked; I can't log in to my router (CCR-1036-12G-4S) and I don't have a backup to reset and restore from; I have more data inside :(
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 3:29 pm

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just bad practices all around.
Of course. Just like those people that post "I am locked out of my router and I don't have a backup". Just bad practices.
But that happens to all manufacturers, there is always a certain percentage of customers that do not update, do not backup, etc.
That is also the reason why the whole "internet of things security" is such a hot topic now. Millions of devices with poor default security in the hands of unknowing users. That is just a disaster waiting to happen. (Actually: a disaster already happening.)
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 3:48 pm

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just bad practices all around.
It's also bad practice on the part of Mikrotik when it comes to information, it took them over a year to email about the httpd vulnerability, and I still have not yet received an email advisory about the winbox vulnerability. You cannot expect all Mikrotik users to be checking forum and changelog constantly.
 
Stibila
just joined
Posts: 5
Joined: Thu Jun 07, 2018 3:46 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 4:08 pm

There is a lot of information here, how to protect router, how to deal with infection, how we should always upgrade and few overconfident statement about how were routers infected. But one crucial information is missing: how to determine if my router is infected?
And I know you already typing "Just upgrade your..." before you even finish reading this, but please bear with me and read on first.

Yes, we have some routers without the latest upgrades, yes we should upgrade them and yes, it is not MikroTik's fault that it is a logistic nightmare to always upgrade all routers in our specific situation. We took every precaution to minimize the risk - we disabled every service except ssh and winbox, and even then only from one of the internal networks, created robust firewall rules etc. Now we want to determine IF a router is infected or not. We want to determine it BEFORE we upgrade and therefore eliminate a potential infection. If we are infected, that means it had to come from inside the network and therefore our network is not safe. That would mean some device in our network is spreading the infection. And if I did not try to get that information, I would be a terrible network administrator. Saying that we should upgrade is therefore not satisfactory.

And before you jump to the conclusion that our router is not infected because we disabled the webserver etc., I don't buy this at all. Although it is most likely that this particular vulnerability was exploited by VPNfilter, it is yet to be confirmed. And until it is confirmed that no other 0-day vulnerabilities were exploited too, we are all at potential risk. Just dismissing it with "upgrade and don't ask questions" is unprofessional and irresponsible; it gives you a false sense of security.
 
Janina
just joined
Posts: 1
Joined: Thu Jun 07, 2018 4:30 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 4:32 pm

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or, more generally, some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to, to be notified of things like this.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 4:43 pm

how to determine if my router is infected?
There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. Lack of shell access also makes it hard to tell if upgrading a compromised device actually removes the compromise, advanced malware could easily persist after an upgrade. If you think a device may be infected, netinstall is by far the safest option.

For now the best indicator of compromise would be to watch your outbound traffic at an upstream device, e.g. looking for suspicious traffic or traffic to known IPs associated with the malware. You can't trust monitoring the firewall table or torch etc., since malware could hide itself from these lists (no indication VPNfilter does this yet, but certainly possible).
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 4:46 pm

There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination.
There is a "check installation" feature but unfortunately it does not check if there are files on the router that are unaccounted for, even though this has been claimed.
 
User avatar
Deantwo
Member
Member
Posts: 332
Joined: Tue Sep 30, 2014 4:07 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 5:13 pm

how to determine if my router is infected?
Back in the Urgent security advisory, it was said that upgrading your RouterOS version would remove "the bad files" on the device.
I have not heard anywhere that this is not the case for all RouterOS upgrades, so I would assume that it removes all unknown files when upgrading even now.
While a confirmation from MikroTik would be nice, I see no need to panic before otherwise is proven. Not like I can do much about it until then anyway.

Just upgrade your routers to RouterOS bugfix >6.40.8 or stable >6.42.1, and possibly secure your routers. Once that is done, just wait for further information.

viewtopic.php?f=21&t=132499#p650812
- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 5:20 pm

There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination.
There is a "check installation" feature but unfortunately it does not check if there are files on the router that are unaccounted for, even though this has been claimed.
If the malware is already on the device with root level privileges, it can easily hide itself from a filesystem check.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 5:52 pm

Back in the Urgent security advisory, it was said that upgrading your RouterOS version would remove "the bad files" on the device.
But in reality the upgrading of RouterOS does not even detect the unwanted/temporary files it creates itself!
I had to roll back an update of a CCR1009 because after that there was almost no disk space left and I would not have been able to update it again without doing a netinstall.
The upgrade procedure and an installation check afterwards did absolutely nothing about it and specific questions about the issue were not answered so rollback was the only thing I could do.
This does not improve my trust in the removing of unwanted files installed by others!
 
Samot
Member Candidate
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 6:04 pm

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just bad practices all around.
It's also bad practice on the part of Mikrotik when it comes to information, it took them over a year to email about the httpd vulnerability, and I still have not yet received an email advisory about the winbox vulnerability. You cannot expect all Mikrotik users to be checking forum and changelog constantly.
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

Just for the record, I don't think people need to check changelogs "constantly" but probably at least once a year might be cool. Maybe even every six months? Might be a stretch but just actually *looking* would be a start for most.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 6:32 pm

Re: ... since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. Lack of shell access also makes it hard to tell if upgrading a compromised device actually removes the compromise ... VPNfilte ...

A thought on how to possibly examine a Mikrotik x86/CHR file system.
Because the underlying ROS operating system is Linux based, I suspect it may be possible to do something like this:
- Using a hypervisor system (in my case VmWare ESXi)
- Configure a Linux machine (in my case Ubuntu)
- Then add a second hard drive which is a cloned copy of an existing x86/CHR you may already have in production use.
- Using the Linux mount commands, mount the ROS hdd file system under the Linux /mnt directory
- Then just cd /mnt/"Mikrotiks-x86-CHR-file-system"
- Then use any Linux utility to scan, search the ROS file system

About 10 years ago I was able to do this with a different type of x86 no-shell-access Linux based device and I was able to see and manage all files on the foreign hdd system. I made my changes then returned the now modified hdd filesystem back into the x86 no-shell-access Linux based device. I also was able to do the same thing a 2nd time using a .bin filesystem also on a Linux computer. The problem for me is I don't remember how I did this 10+ years ago.

So, anybody got some ideas on how to do this and what can be found/checked/modified/fixed/enhanced/expanded?
I would guess the bad guys already do something like this all of the time when looking for possible exploits on Internet connected devices.

North Idaho Tom Jones
 
Stibila
just joined
Posts: 5
Joined: Thu Jun 07, 2018 3:46 pm

Thu Jun 07, 2018 6:42 pm

Mikrotik doesn't allow us shell access to our routers to perform this kind of examination.
They are able to release single purpose tool.

If you think a device may be infected, netinstall is by far the safest option.
I don't think so, we secure our network pretty heavily. But if we ought to find out we are infected, that means our security is not as good as we think it is.

For now the best indicator of compromise would be to watch your outbound traffic at an upstream device
Mikrotik is our edge device and, as you pointed out, if it is infected we can't trust its tools.

Just upgrade your routers to RouterOS bugfix >6.40.8 or stable >6.42.1
As I said, doing that I would lose the opportunity to find out if our otherwise heavily secured network has been breached. So I would really appreciate knowing, I mean really knowing, not only guessing, whether we were infected.

If the malware is already on the device with root level privileges
Unlikely. It would need to exploit multiple vulnerabilities, some of them yet unknown.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 7:02 pm

One of the problems almost all ISPs / WISPs have with firewall-protecting a large base of server & client CPE devices is that once something behind the firewall gets worm-infected, that device is inside your protected network and can often have free-range access to the rest of your network.

It's getting to the point that every device on a network (including your DMZs, server networks, workstation networks and client CPE networks) needs to be extensively firewall-protected, not just from Internet attacks but also from every other device in/on your many networks.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 7:22 pm

Just for the record, I don't think people need to check changelogs "constantly" but probably at least once a year might be cool. Maybe even every six months? Might be a stretch but just actually *looking* would be a start for most.
The winbox exploit was a 0-day - meaning it was being exploited in the wild before a patch appeared. If you weren't paying close attention to forums / changelog you were probably compromised within a week or two.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 7:29 pm


So, anybody got some ideas on how to do this and what can be found/checked/modified/fixed/enhanced/expanded?
I would guess the bad guys already do something like this all of the time when looking for possible exploits on Internet connected devices.
This is definitely possible, you should be able to netboot to a different Linux distribution then mount and examine the flash memory, but this obviously involves a lot of work and of course downtime for the device compared to simply opening a terminal!
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 7:31 pm

One thing I have started doing as a preventative measure - block everything in the OUTPUT chain except necessary services (eg dhcp client, sntp client, etc). Most exploits can only carry a very small payload, which often downloads a "real" payload from some other infected device. By restricting outbound connections to only necessary services, any 0-day exploit will have a hard time downloading the 2nd stage payload to actually infect your device. And by logging all the blocked traffic, you get immediate insight if something is trying to compromise your device.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 8:05 pm

One thing I have started doing as a preventative measure - block everything in the OUTPUT chain except necessary services (eg dhcp client, sntp client, etc).
I have that for some time. As that router is used as a VPN/Tunnel router it required some more rules but indeed it is a potentially good measure.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 9:13 pm

Rich/Pe1chi do you mean something like?

/ip firewall filter
add chain=output action=drop protocol=tcp src-port=80
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 10:31 pm

Rich/Pe1chi do you mean something like?

/ip firewall filter
add chain=output action=drop protocol=tcp src-port=80
Change that src-port with dst-port ...
 
sid5632
Long time Member
Long time Member
Posts: 557
Joined: Fri Feb 17, 2017 6:05 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 10:41 pm

That'll stop the check for upgrades of RouterOS from working, so not very clever.
You should at least add a white-list item for upgrade.mikrotik.com first.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 10:44 pm

Rich/Pe1chi do you mean something like?

/ip firewall filter
add chain=output action=drop protocol=tcp src-port=80
Change that src-port with dst-port ...

That'll stop the check for upgrades of RouterOS from working, so not very clever.
You should at least add a white-list item for upgrade.mikrotik.com first.
To mkx WHY?
What is the functional difference or outcome of
a. src-port=80 What is prevented, what are the outcomes positive and negative?
vice
dst-port=80 What is prevented, what are the outcomes positive and negative?

To Sid5632
So what IP is that? LOL, I don't know which domain or IP mikrotik uses when checking for updates LOL. I suppose I could add an exception!
Last edited by anav on Thu Jun 07, 2018 10:48 pm, edited 1 time in total.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 10:46 pm

Sure it will. I was just pointing master anav in the right direction without preventing him from tripping over a stone :wink:
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 10:49 pm

If I can snatch the pebble from your hand, can I use both src and dst ports of 80? Riddle me what that will do???
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VPNfilter official statement

Thu Jun 07, 2018 10:51 pm

Let me go down this forbidden path some more.
Why not put this as a RAW rule:
- prerouting/output chain, action=drop, protocol tcp, dest port or src port 80 - you guys seem awfully picky without logic!!!
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 10:53 pm

Rich/Pe1chi do you mean something like?

/ip firewall filter
add chain=output action=drop protocol=tcp src-port=80
Change that src-port with dst-port ...

That'll stop the check for upgrades of RouterOS from working, so not very clever.
You should at least add a white-list item for upgrade.mikrotik.com first.
To WHY?
What is the functional difference or outcome of
a. src-port=80 What is prevented, what are the outcomes positive and negative?
vice
dst-port=80 What is prevented, what are the outcomes positive and negative?
Remember that chain=output affects traffic generated by the router itself.
If you add a rule dropping traffic with src-port=80, it'll drop traffic originating from the built-in HTTP service. Either you want to protect the WebMin interface from being used by Vogons (but you might just as well disable the service), or you're targeting malware that makes connections using local port 80 (which is highly unusual).
If you add a rule dropping dst-port=80, then you're preventing the router from initiating any standard HTTP connection (including to malicious stage 2 servers and the legitimate MikroTik upgrade service, as sid5632 rightly pointed out).
Last edited by mkx on Thu Jun 07, 2018 10:55 pm, edited 1 time in total.
 
sid5632
Long time Member
Long time Member
Posts: 557
Joined: Fri Feb 17, 2017 6:05 pm

Re: VPNfilter official statement

Thu Jun 07, 2018 10:54 pm

What is the functional difference or outcome of
a. src-port=80 What is prevented, what are the outcomes positive and negative?
vice
dst-port=80 What is prevented, what are the outcomes positive and negative?
If you don't even know the difference between source and destination ports, then you need to stop polluting this thread and go and read up about some networking basics.
So what IP is that? LOL, I don't know which domain or IP mikrotik uses when checking for updates LOL. I suppose I could add an exception!
Who cares what IP it is? Just add an Address List item for the aforementioned name and then use the List name in the filter rule (dest. address list, not source address list!!!).
 
squeeze
Member Candidate
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Fri Jun 08, 2018 12:45 am

Once your device is compromised it can do anything. What actual value is there in changing user-level rules within a compromised router for what it can do? It has already been compromised, by no less than one of the most sophisticated state-level malware seen to date ...

The output chain is there for control of services of a normally functioning device.

You could not with a straight face use such modifications for device security without external monitoring for compromised or unknown traffic, which makes such device changes redundant in the first place.

The winbox exploit was a 0-day - meaning it was being exploited in the wild before a patch appeared. If you weren't paying close attention to forums / changelog you were probably compromised within a week or two.

Basic security practice like not running router services on the WAN, preferably having no open ports on the WAN at all, and use of a management VLAN for internal router access in a well-segmented network would have prevented all compromise by remote exploits in any context, regardless of what firmware you are running. Communication methods can and should be greatly improved, but customer behavior is a lot more effective for both good and bad outcomes.

The changes I would like to see are all Mikrotik devices being secured by default from the factory. This is already done for SOHO devices. For enterprise professionals such configurations are a trivial delete away. So, why not have so called Sensible Defaults that do not hurt Mikrotik's reputation any further than necessary? Why not have it so that simply shipping such an unsecured device out of a Mikrotik door does not already hurt Mikrotik's reputation before it even gets to the customer?

This is especially true as powerful device tech becomes much more affordable for non-professionals, combined with the growth of the Internet, the Internet of Things and cybertech sophistication rapidly making security and security options a top priority.
Last edited by squeeze on Fri Jun 08, 2018 1:00 am, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VPNfilter official statement

Fri Jun 08, 2018 12:59 am

Thanks, so other than the MikroTik update service there is really no need for port 80 traffic on the output chain (from the router, either with a source port of 80 or with a destination port of 80).
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Fri Jun 08, 2018 4:39 am

Re: ... since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. Lack of shell access also makes it hard to tell if upgrading a compromised device actually removes the compromise ... VPNfilte ...

Re: ... A thought on how to possibly examine a Mikrotik x86/CHR file system. ... Then just cd /mnt/"Mikrotiks-x86-CHR-file-system ... I would guess the bad guys already do something like this all of the time when looking for possible exploits on Internet connected devices ...
Got it mounted and now I can cd into the ROS filesystem(s)
*Please don't ask me how to do this - I assume any decent Linux admin can already probably do the same thing*


So a question to me is: what is supposed to be in the /dev/sda /rw/store/user.dat file -and- ??? (take a look yourself if you know how to). Any security concerns here?
I am by no means a Linux internals person, but I can't help but ask myself a question: "What other methods/accounts might be built in that we don't have normal access to see or manage?"
Part of the reason I ask myself is that way back in the late 1980s I did find some hidden (non-documented) access systems in another very popular operating system which was in all distributions.

North Idaho Tom Jones
 
User avatar
ingdaka
Trainer
Trainer
Posts: 457
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: VPNfilter official statement

Fri Jun 08, 2018 8:38 am

Full list of affected RouterBoards so far:
MIKROTIK DEVICES:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)
If you have any of them, back up and export the configuration! And save it in a secure place!
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Fri Jun 08, 2018 11:05 am

Once your device is compromised it can do anything. What actual value is there in changing user-level rules within a compromised router for what it can do? It has already been compromised, by no less than one of the most sophisticated state-level malwares seen to date ...
There is no point in doing this for an already compromised router!
The value could be to add it to routers that are still unaffected, to avoid them becoming compromised.
Usually in malware like this, the attack can insert only a small amount of code, e.g. the size of a buffer somewhere, and that code is used to "bootstrap" the actual malware into the device by making it do an outside connect to a server or an already affected router to download the malware code.
That step is prevented by the output rule, and at that time the malware is not yet in full control of the router.
Sure, once the attackers know this they could first add an accept rule at the top of the output table, but until they know and do that (and even assuming they can do that in this part of the attack) it works. And with some logging attached it also serves as a journal of what happened.

It is similar to the way that works well to protect Windows machines from malware: add an AppLocker policy that forbids executing code from a location inside the user profile (normally under C:\Users). The majority of malware introduced via webpages, infected office documents, etc. will first download some program into the user's Downloads or Temp directories and run it. The AppLocker policy forbids that, and that is where it ends. It also protects against users clicking on links to .exe (and similar) files and clicking away the warnings that this will give. E.g. when "a Microsoft employee" calls and tells the user to visit some site to start something like Teamviewer to enable them to help remove a virus. Like the above, this is not a perfect measure, but it works 99.9% of the time to protect naive users.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Fri Jun 08, 2018 11:06 am

Full list of affected RouterBoards since now
It is pointless to post this list; it was made by people who do not know MikroTik and do not know that all routers are running the same firmware. You can safely assume that any device running RouterOS is affected.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Fri Jun 08, 2018 5:23 pm

Thanks, so other than the MikroTik update service there is really no need for port 80 traffic on the output chain (from the router, either with a source port of 80 or with a destination port of 80).
Be aware that compromised devices could serve 2nd stage payloads from any port - blocking OUTPUT port 80 will help a little bit but ideally you should block everything and use a whitelist approach to open up legitimate IPs / ports. Port 443 (HTTPS) is a popular port for web hosting too if you still prefer to only block web traffic.
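Putting this exchange together (R1CH's whitelist-only OUTPUT chain with logging, sid5632's address-list entry for upgrade.mikrotik.com, mkx's point that dst-port rather than src-port is what matters), here is an added RouterOS 6.x configuration example; it is not any poster's own config. The list name, log prefix, and the exact set of permitted services are assumptions, and DNS is allowed because FQDN address-list entries have to be resolved.

```routeros
# Added example (not from the thread): egress whitelist on the OUTPUT chain.
# Assumes RouterOS 6.x; the list name "allowed-out" and the log prefix are made up here.

# Resolve the upgrade host through an address list instead of a hard-coded IP
# (sid5632's point). RouterOS re-resolves FQDN entries, so DNS must stay open.
/ip firewall address-list
add list=allowed-out address=upgrade.mikrotik.com comment="RouterOS update check"

/ip firewall filter
# Replies to connections the router already accepted (e.g. your own Winbox session).
add chain=output action=accept connection-state=established,related \
    comment="out: established/related"
# The "necessary services" R1CH names: DHCP client and SNTP client, plus DNS
# so the FQDN entry above can be resolved. Narrow these to your real servers.
add chain=output action=accept protocol=udp src-port=68 dst-port=67 \
    comment="out: DHCP client"
add chain=output action=accept protocol=udp dst-port=123 \
    comment="out: SNTP client"
add chain=output action=accept protocol=udp dst-port=53 \
    comment="out: DNS resolver"
# Destination list and destination port: the router connecting TO the upgrade
# server. A src-port=80 rule would only touch the built-in www service (mkx).
add chain=output action=accept protocol=tcp dst-address-list=allowed-out \
    dst-port=80,443 comment="out: RouterOS upgrade check"
# Anything else the router itself tries to send is logged and dropped. A
# second-stage download attempt from an exploited service lands here.
add chain=output action=drop log=yes log-prefix="OUTPUT-DROP" \
    comment="out: log and drop everything else"
```

Review what was blocked with `/log print where message~"OUTPUT-DROP"`; a steady stream of unexpected outbound attempts is the early warning R1CH describes.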
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Fri Jun 08, 2018 6:15 pm

In looking into one of my possibly compromised MikroTik ROS systems, I see in the underlying vmlinuz (compressed Linux kernel) user.dat file what appears to be two additional user accounts which are not visible in the MikroTik user manager system.
The two accounts in question are:
adminb (as in admin Backdoor)
adminr (as in admin Remote -or- admin Recovery)

Are they supposed to be there or is this Mikrotik ROS system VPNfilter compromised ?
 
Modestas
newbie
Posts: 25
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re: VPNfilter official statement

Fri Jun 08, 2018 7:46 pm

Are they supposed to be there or is this Mikrotik ROS system VPNfilter compromised ?
Do you have another clean router with an up-to-date OS to compare? Actually, it should be possible to flash a clean router with older SW.
 
Modestas
newbie
Posts: 25
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re:

Fri Jun 08, 2018 8:04 pm

Just upgrade your routers to RouterOS bugfix >6.40.8 or stable >6.42.1
As I said, doing that I would lose the opportunity to find out if our otherwise heavily secured network has been breached. So I would really appreciate knowing, I mean really knowing, not only guessing, if we were infected.
No one asked me for advice, but I would restore normal network operation first, while the suspected device could go to the lab for forensic analysis. That is, the perimeter router would be replaced asap with another, upgraded to the latest OS and configured from factory default settings.
But it's also a valid option to wait for evidence of some fancy bears wandering in the internal network.
 
eXS
newbie
Posts: 47
Joined: Fri Apr 14, 2017 4:01 am

Re: VPNfilter official statement

Sat Jun 09, 2018 2:02 am

It was less than a month between the increased botnet http vuln (03/28) & the discovery of the winbox vuln (04/23)

Can someone confirm VPNfilter exclusively utilizing the http vuln ?

A post in the http vuln (03/28) thread: "Also via the winbox port ... We think there is a circular second exploit that works in a similar way to this."

- It was repeatedly stated the winbox port was getting hit only to identify the device as MT.

I don't have a ton of time for forum searches, but I believe there were a few winbox vuln posts floating around between the http & winbox discoveries. The timeline feels fuzzy.

- Sorry about the edits
 
User avatar
m4t7e0
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Tue Jun 09, 2015 12:17 am
Contact:

Re: VPNfilter official statement

Mon Jun 11, 2018 1:50 pm

Hi All,
yesterday my router RB750UPr2 with the latest BugFix version was attacked by something... Apparently just a DNS default server change..
The device was open to the public IP on *80 *8291 *21 *22 (I needed to leave it like that to see what this attack does to my router), so I got the first attack. After this change I made the upgrade to the latest Stable version 6.42.3, and changed the default ports to *8000 *8019 *8021 *8022.
After one night I can access my router via any service (ssh, telnet, web, winbox) and with MAC-Telnet; after the password prompt the client closes the connection (as if a wrong password had been sent)...

Next Friday I will do a netinstall setup to clean the device...

I hope my experience can help you.
 
pwuk
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Wed Aug 01, 2012 8:51 pm

Re: VPNfilter official statement

Mon Jun 11, 2018 10:36 pm

In looking into one of my possibly compromised MikroTik ROS systems, I see in the underlying vmlinuz (compressed Linux kernel) user.dat file what appears to be two additional user accounts which are not visible in the MikroTik user manager system.
The two accounts in question are:
adminb (as in admin Backdoor)
adminr (as in admin Remote -or- admin Recovery)

Are they supposed to be there or is this Mikrotik ROS system VPNfilter compromised ?
Thanks for posting this

Looking at a vanilla mikrotik x86 install - version 6.37.5, and CHR version 6.42.3, the only user mentioned is "admin"

When I create new ones, I see them appear in user.dat, but no entry for "adminb" or "adminr"

What architecture is your potentially compromised system?
 
Benjamin9
just joined
Posts: 2
Joined: Tue Jun 12, 2018 10:01 am

Re: VPNfilter official statement

Tue Jun 12, 2018 10:03 am

I understand ... but we need to assume that MikroTik is doing their best and trying to deliver software without bugs. If we/they have no proof that something is "broken" then they could always say "YES, it is safe".
Last edited by Benjamin9 on Tue Aug 21, 2018 10:16 am, edited 1 time in total.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Tue Jun 12, 2018 6:00 pm

What architecture is your potentially compromised system?
This was an in-house lab x86 system (non-production, but live Internet-connected) we sometimes used to ping to and btest to. Because it was not production and stand-alone, it had no firewalls on it.
 
pwuk
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Wed Aug 01, 2012 8:51 pm

Re: VPNfilter official statement

Tue Jun 12, 2018 9:52 pm

What architecture is your potentially compromised system?
This was an in-house lab x86 system (non-production, but live Internet-connected) we sometimes used to ping to and btest to. Because it was not production and stand-alone, it had no firewalls on it.
Interesting

I have a similar box, created a user called "theboss". This appeared in user.dat. I backed up user.dat first as user-old.dat
I then deleted that user, however the line didn't vanish from user.dat

I did an upgrade -- the line still didn't vanish, however concerningly the user-old.dat file didn't vanish either.

Perhaps a firmware upgrade would do the trick, but clearly you can't do that on an x86 instance.
 
User avatar
jp
Long time Member
Long time Member
Posts: 611
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine
Contact:

Re: VPNfilter official statement

Wed Jun 13, 2018 3:53 am

Add the bandwidth test ports and this is what we do and it works. Good post.
FWIW, I use the following related best practices when I set up a router that has a public-facing interface:
  1. reset all configuration settings, uncheck 'keep default settings'
  2. Disable all non-essential services:
    1. telnet
    2. http
    3. https
    4. ftp
    5. api
    6. secure api
  3. Create a whitelist of admin IP addresses/netmasks
  4. Add the following firewall filter rules to the beginning of the list
    1. Allow all admin whitelisted ips access to tcp 20,21,22,23,80,161,443,8291,8728,8729 on the input chain
    2. Block all access to tcp 20,21,22,23,80,161,443,8291,8728,8729 on the input chain
    3. Allow all admin whitelisted ips access to udp 161 on the input chain
    4. Block all access to udp 161 on the input chain
    5. Allow all established and related traffic (state) for both input and forward chains
The effect of this is that if a firmware upgrade accidentally clobbers one of these settings or one of my admins mistakenly deletes or disables a rule, I still have the other to fall back on.

For reference:
port 20 = ftp data port
port 21 = ftp control port
port 22 = ssh
port 23 = telnet
port 80 = http
port 161 = snmp
port 443 = https, sstp (do not block if you need to create an sstp connection to the box)
port 8291 = winbox
port 8728 = api
port 8729 = secured api

Set up the rest of your firewall as needed for your application.

Add a drop all rule to the input chain on the filter tab.

After an hour, make sure that you're getting packet counts on the drop all rule. If you're not, you've got another rule before it preventing packets from getting to it, and it's probably a misconfigured rule. It's pretty much a sure thing that you'll be getting traffic coming on the router's WAN interface that is unwanted traffic.
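The numbered procedure above written out as RouterOS 6.x commands, as an added example rather than jp's own configuration. The whitelist addresses and the list name are constructed placeholders; the rule order follows jp's list exactly, including the final drop-all on input and the counter check.

```routeros
# Added example (not jp's config): jp's hardening steps as RouterOS 6.x commands.
# Step 1 reboots the router, so run it on its own first, then paste the rest:
#   /system reset-configuration no-defaults=yes skip-backup=yes

# Step 2: disable non-essential services (SSH and Winbox stay enabled).
/ip service
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Step 3: whitelist of admin addresses/netmasks (constructed placeholder values).
/ip firewall address-list
add list=admin-whitelist address=192.0.2.10 comment="constructed: admin workstation"
add list=admin-whitelist address=198.51.100.0/28 comment="constructed: NOC subnet"

# Step 4: the five rules, on a fresh config so they sit at the top of the chain.
# 4.1 / 4.2 cover the management TCP ports even though most of those services are
# disabled above: if an upgrade or an admin re-enables one, the filter still holds.
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=admin-whitelist \
    dst-port=20,21,22,23,80,161,443,8291,8728,8729 comment="4.1 admin -> mgmt tcp"
add chain=input action=drop protocol=tcp \
    dst-port=20,21,22,23,80,161,443,8291,8728,8729 comment="4.2 block mgmt tcp"
add chain=input action=accept protocol=udp src-address-list=admin-whitelist \
    dst-port=161 comment="4.3 admin -> snmp"
add chain=input action=drop protocol=udp dst-port=161 comment="4.4 block snmp"
add chain=input action=accept connection-state=established,related \
    comment="4.5 established/related (input)"
add chain=forward action=accept connection-state=established,related \
    comment="4.5 established/related (forward)"

# ... application-specific rules go here ...

# Final drop-all on the input chain.
add chain=input action=drop comment="drop all other input"

# After an hour: the drop-all counters must be climbing. If they are zero,
# an earlier rule is swallowing the packets and is probably misconfigured.
/ip firewall filter print stats where chain=input
```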
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Wed Jun 13, 2018 1:43 pm

I have a similar box, created a user called "theboss". This appeared in user.dat. I backed up user.dat first as user-old.dat
I then deleted that user, however the line didn't vanish from user.dat
Try to change user's password - AFAIR, password history is also saved in user.dat :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Wed Jun 13, 2018 2:09 pm

Of course it is quite typical (and to be expected) that a record in a user file is not completely wiped when the user is deleted, but instead there is some field that indicates active/inactive or there is a length field for the file, one of which is adjusted when you delete something. Looking in the raw disk image or even in the file itself you still see the old username.
 
pwuk
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Wed Aug 01, 2012 8:51 pm

Re: VPNfilter official statement

Wed Jun 13, 2018 6:23 pm

Certainly not the Unix way
{code}
~$ grep testu /etc/passwd
testuser:x:1003:1003:,,,:/home/testuser:/bin/bash
~$ sudo userdel testuser
~$ grep testu /etc/passwd
{code}

But that's fine.

The way the underlying file system isn't wiped on an upgrade does make me slightly more concerned about how the internals work, if there's an exploit that exposed that internal file system
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Wed Jun 13, 2018 6:37 pm

Unix uses the method of 1 line per user and a defined length of the file. When you add a user at the end and then delete it, the length of the file is decreased. But when you would look in the disk block directly, the entry for your deleted user would probably still be there. (depends on how the new file is written, directly over the old one or as a new file and then renamed over the old one)
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement Older RB updated ?

Wed Jun 13, 2018 9:57 pm

What is Mikrotik's plan for everybody in the past that purchased Mikrotik-Crossroads and/or Mikrotik-RB500 series of wireless products ?
Are those long-time older MikroTik owners just sh!t outta luck & too bad & throw it in the trash can because there are no MikroTik versions that are not vulnerable ???

In the past, I've sold and installed lots of them - grrrrrrr

North Idaho Tom Jones
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPNfilter official statement

Wed Jun 13, 2018 10:16 pm

@TomjNorthIdaho: I guess it's still the same (and unlikely to change) as last year, when the http server vulnerability was fixed, i.e. tough luck, use firewall.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Wed Jun 13, 2018 10:38 pm

@TomjNorthIdaho: I guess it's still the same (and unlikely to change) as last year, when the http server vulnerability was fixed, i.e. tough luck, use firewall.
Well I can make work-arounds , but most residential home users who have purchased Mikrotik WiFi routers probably have no idea that Mikrotik dropped all support for the older Mikrotik products.
Hey MikroTik - how about making a fixed version for all of your older original customers so they are protected also. Or is this to be the new norm, that a few years after a purchase one should assume that MikroTik products might have zero support and may have lots of severe known vulnerabilities later. There was no EOL with these products - they were just suddenly dropped without any advance planned EOL notices from MikroTik.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPNfilter official statement

Wed Jun 13, 2018 11:00 pm

I don't think there are too many residential users with surviving mipsle devices. But yeah, it would be a nice gesture to make fixed versions for them (at least two, for 5.x and 6.x). Then again, probably only few would appreciate it.

And yes, the mipsle EOL was sudden and unexpected. If I remember correctly, there was even a newer RC version in the works, but it had some problem on mipsle, and it felt like MikroTik just thought "oh screw it!" and dropped the whole platform rather than fixing it. It was a pity, because at least the RB5xx were still good enough devices at that time.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Wed Jun 13, 2018 11:20 pm

I don't think there are too many residential users with surviving mipsle devices. But yeah, it would be a nice gesture to make fixed versions for them (at least two, for 5.x and 6.x). Then again, probably only few would appreciate it.

And yes, the mipsle EOL was sudden and unexpected. If I remember correctly, there was even a newer RC version in the works, but it had some problem on mipsle, and it felt like MikroTik just thought "oh screw it!" and dropped the whole platform rather than fixing it. It was a pity, because at least the RB5xx were still good enough devices at that time.
I still happen to have some of both (Crossroads & RB-500 series) in production use - on those I've done what is possible to protect them against network attacks, but for the wireless vulnerabilities there are no solutions.
And I have several long-time customers who purchased these products for their business/home use - and on those I have no admin management ability.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Thu Jun 14, 2018 11:22 am

The wireless vulnerabilities are mostly theoretical; it is not something that will go wrong just because it is there.
You need someone to go into the coverage area of your wireless and actively attack it to then attack one of your users, something that is not very likely to happen when looking at one particular installation.
The talk about those wireless vulnerabilities is mostly there to provide a newsfeed to IT news sites and for the ego of those who discovered it, not really about the day-to-day risk they introduce to your or your customer's security, especially when the wireless is only used as an access to the internet, and another layer of secure communication (such as https) is used on top of most communication.

This is of course different for the type of vulnerability in the admin interface that can be exploited over the internet and/or using a worm, and which will eventually find its way to every vulnerable device. That is the type of thing you want to watch out for, not those "we can hack your wireless" things.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Jun 14, 2018 6:31 pm

The wireless vulnerabilities are mostly theoretical; it is not something that will go wrong just because it is there.
You need someone to go into the coverage area of your wireless and actively attack it to then attack one of your users, something that is not very likely to happen when looking at one particular installation.
The talk about those wireless vulnerabilities is mostly there to provide a newsfeed to IT news sites and for the ego of those who discovered it, not really about the day-to-day risk they introduce to your or your customer's security, especially when the wireless is only used as an access to the internet, and another layer of secure communication (such as https) is used on top of most communication.

This is of course different for the type of vulnerability in the admin interface that can be exploited over the internet and/or using a worm, and which will eventually find its way to every vulnerable device. That is the type of thing you want to watch out for, not those "we can hack your wireless" things.
Re: ...vulnerabilities...
All older ROS systems that are not updated and have IP services open to the Internet are totally vulnerable. I recently tested one tool that will scan IP networks and then show the login name and password. I used it to scan my entire inside and outside IP networks and easily identified a dozen older ROS systems I had forgotten about or did not directly manage (some belonging to and managed by my customers). What bothers me the most is how fast and easy it was to gain full admin access to any MikroTik ROS device that was not the latest version. Well - I did update and/or firewall what I could find on my network.
At this point in time, I think that all MikroTik admins should be made aware just how fast and easy it is for anybody to gain full admin access to any MikroTik ROS device that is running on a slightly older ROS version that also has IP services exposed to the Internet. ((( Let's put it this way --- It takes only seconds to scan a full Class C network an ISP might have and come up with a list of logins and passwords for MikroTik ROS devices ))) So all MikroTik admins - please upgrade your ROS and also examine your firewall rules.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Fri Jun 15, 2018 6:37 pm

For vulnerabilities that allow remote code execution or bypassing of authentication, MikroTik should really be sending out security advisory emails to every registered customer / active forum user. The winbox exploit for example is much worse than the httpd bug, and that was deserving of an email. A one-line changelog entry that barely registers as being a major security patch is not OK.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: VPNfilter official statement

Fri Jun 15, 2018 6:42 pm

Security advisory emails were sent to all users that are in our database.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Fri Jun 15, 2018 6:49 pm

The only email I got was about the old httpd exploit (below). Maybe something went wrong with the sending of the emails?

Subject: MikroTik: URGENT security advisory

"It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit a vulnerability in the RouterOS www server that was patched more than a year ago (in RouterOS v6.38.5, march 2017)."
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: VPNfilter official statement

Sat Jun 16, 2018 2:11 pm

Security advisory emails were sent to all users that are in our database.
I'm sure it's written somewhere, however would you kindly tell me how I can get my e-mail address into said database?
 
User avatar
dlynes
newbie
Posts: 41
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada
Contact:

Re: VPNfilter official statement

Sat Jun 16, 2018 3:38 pm

I can confirm it was probably mailed out to everyone that was on the list. I had received it.

I have not, however, received any updates from MikroTik on the subsequent updates to VPNFilter status where essentially all devices running RouterOS were added to the original four cloud core router devices.

To get added to the list (AFAIK), just create an account on mikrotik.com and during the signup process, make sure you check any checkboxes asking for updates from MikroTik.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Sat Jun 16, 2018 7:37 pm

I have not, however, received any updates from MikroTik on the subsequent updates to VPNFilter status where essentially all devices running RouterOS were added to the original four cloud core router devices.
Of course those "updates" were not from MikroTik but from an external party who did not understand the matter and therefore published an incorrect advisory at first.
Over here on the forum it was always clear that the issue was not related to device type, and MikroTik have never mailed that it was.
 
Znuff
Member Candidate
Member Candidate
Posts: 141
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Re: VPNfilter official statement

Sun Jun 17, 2018 12:30 am

Security advisory emails were sent to all users that are in our database.
The only e-mail I received was on 31st of March, with:
It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit a vulnerability in the RouterOS www server that was patched more than a year ago (in RouterOS v6.38.5, march 2017).
Though I find myself now with a 6.41.3 that was recently hacked. Luckily I have a backup config, but...

Can someone clarify what the "new" e-mail was supposed to say?


EDIT:

Also, this has been a constant issue with Mikrotik's e-mails. They arrive way too late. The GDPR notification arrived on 1st of June for me. Not sure if it was sent before that, but it's usually like that. E-mails arrive weeks later. You should work on fixing that.

In other news, if I understand this correctly, ALL versions pre-6.43 (which is still in Release Candidate stage) are vulnerable to this 0-day WinBox exploit?
 
squeeze
Member Candidate
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Sun Jun 17, 2018 3:22 am

In other news, if I understand this correctly, ALL versions pre-6.43 (which is still in Release Candidate stage) are vulnerable to this 0-day WinBox exploit?

What are you talking about? What 0-day?

There hasn't been a public 0-day since Bugfix 6.40.8, Release 6.42.1, Release Candidate 6.43rc4, all back in April.

You do also realize the version numbers for each branch have no direct relationship with each other, right? They are probably only organized with the major version "6." so everyone doesn't lose their minds trying to track different version numbers over a decade. :)
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: VPNfilter official statement

Sun Jun 17, 2018 8:04 am

ad zero-day - Technically, in 6.43rc17, something was changed in winbox service (that's why every RC since then has to use Winbox 3.14) to prevent MITM attack.
This change was not implemented in current/bugfix and is still related to release-candidate channel only. That means the attack vector (even just theoretical) must be known at least to Mikrotik staff otherwise they would not come with such change. Knowing that, it is easy to conclude that current/bugfix channels are still vulnerable to this MITM attack.

I understand this is not related to VPNfilter, but it kind of fits the zero-day definition.
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPNfilter official statement

Sun Jun 17, 2018 1:50 pm

in 6.43rc17, something was changed in winbox service (that's why every RC since then has to use Winbox 3.14) to prevent MITM attack.
No. And the purpose of this change has been explained here on the forum somewhere, and it has nothing to do with preventing MITM attacks.

RouterOS used to store local user credentials in plain-text (or using reversible crypto), and that's what changed in 6.43rc. It just happens that pre-existing authentication schemes cannot work without a plain-text password available on the server side, and that's why WinBox, BTest, MAC-telnet clients, API clients, etc. all suddenly became incompatible and had to be updated.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Sun Jun 17, 2018 2:24 pm

But that was done because there were bugs that allowed the retrieval of the unencrypted passwords (and thus the quick retrieval of valid user/password combinations as shown), and I am not convinced that in the current stable and bugfix versions there are no such bugs. Apparently there are still users who have current software but unwise firewall configurations that get hacked.

After this change has been implemented, it will be more difficult to obtain passwords once another bug has been found that allows a remote attacker to retrieve the authentication database, but frankly I think it would be safer when there was some more compartmentation in RouterOS.
After all, even when there is a bug in the webserver, the webserver has no business reading the authentication database directly, so in a correctly designed system (where the webserver runs under a less privileged user ID) even a bug in the webserver would not have leaked this info.
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPNfilter official statement

Sun Jun 17, 2018 2:41 pm

But that was done because there were bugs that allowed the retrieval of the unencrypted passwords (and thus the quick retrieval of valid user/password combinations as shown)
That's correct. And I must admit this change had to be implemented years ago without waiting for bugs like this one to pop up.

I am not convinced that in the current stable and bugfix versions there are no such bugs.
And so what?

Apparently there are still users who have current software but unwise firewall configurations that get hacked.
Any proven evidence? If so, can you please share? Probably any links to a forum post that I may have missed?

After this change has been implemented, it will be more difficult to obtain passwords once another bug has been found that allows a remote attacker to retrieve the authentication database, but frankly I think it would be safer when there was some more compartmentation in RouterOS.
After all, even when there is a bug in the webserver, the webserver has no business reading the authentication database directly, so in a correctly designed system (where the webserver runs under a less privileged user ID) even a bug in the webserver would not have leaked this info.
You are talking about obvious things, but, frankly, the world is not ideal, and is unlikely to ever be. :)
 
squeeze
Member Candidate
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Sun Jun 17, 2018 3:57 pm

The recent large security redesigns flowed from the April 0-day. Normis even explicitly stated it, so you are discussing nothing new: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
 
Znuff
Member Candidate
Member Candidate
Posts: 141
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Re: VPNfilter official statement

Sun Jun 17, 2018 4:59 pm

The recent large security redesigns flowed from the April 0-day. Normis even explicitly stated it, so you are discussing nothing new: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
I wasn't even aware of the 0-day exploit from APRIL.

I only received the e-mail from MARCH stating that a vulnerability was fixed over a year ago, the vulnerability was exploited by VPNFilter.

You have our e-mail addresses. I can't begin to understand why you didn't use the same means of communication regarding the APRIL vulnerability as you used in the past.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: VPNfilter official statement

Mon Jun 18, 2018 2:01 am

in 6.43rc17, something was changed in winbox service (that's why every RC since then has to use Winbox 3.14) to prevent MITM attack.
No. And the purpose of this change has been explained here on the forum somewhere, and it has nothing to do with preventing MITM attacks.
Maybe you are right, but changelog says otherwise:
*) winbox - improved authentication process excluding man-in-the-middle possibility (Winbox v3.14 required);


RouterOS used to store local user credentials in plain-text (or using reversible crypto), and that's what changed in 6.43rc.
Even if you are right with this one, it is still a vulnerability which is known and the fix is not applied in current/bugfix. This is very close to the zero-day definition because the fix was not released in general. Despite being a big fan of Mikrotik, I can still see some flaws and I appreciate all their hard work to fix these.
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPNfilter official statement

Mon Jun 18, 2018 9:46 am

Even if you are right with this one it is still vulnerability which is known and is not applied in current/bugfix.
Well, the fact that the previous versions of WinBox (even in secure mode) were susceptible to MITM attacks was well-known for years. Many users were concerned and raised questions here on the forum asking how secure the connection is provided it does not use any certificates nor asks for fingerprint confirmation in order to prove the server's identity, and eventually it was confirmed (at least once) by someone from MikroTik staff that WinBox does not do server identity validation and is thus subject to MITM attacks. This should probably have been properly/better documented, but, to be honest, the fact that WinBox secure connection mode is not quite secure was rather apparent to any professional who takes security seriously.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: VPNfilter official statement

Mon Jun 18, 2018 9:52 am

Is 6.40.8 from this point of view safe or not?
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPNfilter official statement

Mon Jun 18, 2018 10:08 am

No, it is not.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: VPNfilter official statement

Mon Jun 18, 2018 10:25 am

How is it possible that the actual bugfix version does not solve a long-time, well-known security issue?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Mon Jun 18, 2018 10:46 am

Well, Telnet is vulnerable to MitM (in addition to usage of unencrypted plaintext password), and it cannot be fixed. Should they forbid Telnet in 'bugfix' versions?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Mon Jun 18, 2018 12:03 pm

How is it possible that the actual bugfix version does not solve a long-time, well-known security issue?
There apparently is no fix ready yet. It is being tested in RC.
I would think it is too big of a change to be backported to bugfix without rigorous testing so likely it will first be only in current for a while.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPNfilter official statement

Mon Jun 18, 2018 12:06 pm

Well, Telnet is vulnerable to MitM (in addition to usage of unencrypted plaintext password), and it cannot be fixed. Should they forbid Telnet in 'bugfix' versions?
It probably is time to disable telnet on newly loaded default and move from there.
(issue warning when telnet enabled and recommend disabling it, print warning in telnet session recommending ssh, etc)
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: VPNfilter official statement

Mon Jun 18, 2018 12:14 pm

What are you talking about?
v6.40.8 includes patches to fix known vulnerabilities including latest winbox port vulnerability.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: VPNfilter official statement

Mon Jun 18, 2018 12:16 pm

Security advisory emails were sent to all users that are in our database.
Where do I register to get these advisories?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Mon Jun 18, 2018 12:23 pm

Where do I register to get these advisories?
At the bottom of https://mikrotik.com/, I believe
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPNfilter official statement

Mon Jun 18, 2018 12:39 pm

What are you talking about?
v6.40.8 includes patches to fix known vulnerabilities including latest winbox port vulnerability.
We are talking about this: viewtopic.php?t=121039#p595087
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Mon Jun 18, 2018 2:04 pm

So, is fixing Telnet MitM possibility a vulnerability fixing or protocol enhancement? The same question is about WinBox.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Mon Jun 18, 2018 4:57 pm

Telnet is well known to be insecure, SSH is the replacement for it (although why telnet is still provided and enabled by default is another question...)

Winbox is a proprietary protocol that claims to be "secure" but is vulnerable to MITM, so the fault lies with it. Hopefully this is a pointless discussion as with the new SRP authentication system it should protect from MITM, as long as it is correctly implemented.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Mon Jun 18, 2018 5:06 pm

Hopefully this is a pointless discussion as with the new SRP authentication system it should protect from MITM
Well, the point was "Will those changes be back-ported to 'bugfix' and 'current' versions prior to 6.43?"
I think, the answer is 'no', because changes are too big to call them 'a bug fix'.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement - one detect method

Thu Jun 21, 2018 4:26 am

VPNfilter infected device detection

I just wrote up a VPNfilter fw block & log on one of my core Mikrotik routers.
Please review and make any suggestions

Here is the configuration I added to my core Mikrotik CHR:

/ip firewall filter
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.37.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.41.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.39.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.38.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.40.0/24 log=yes
add action=drop chain=forward comment="VPNfilter photobucket.com" dst-address=209.17.68.0/24 log=yes


I discovered 11 customer devices on my customer network that are trying to make a VPNfilter stage-2 connection.


Note - these FW rules do not prevent VPNfilter infections, but they may help detect already infected devices.


North Idaho Tom Jones
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: VPNfilter official statement

Thu Jun 21, 2018 5:54 am

dropping photobucket.com is a terrible thing - you are blocking an entire popular picture sharing website!
Also, the approach of blocking whole /24 ranges for all potentially malicious IPs is not really a good idea.

With this approach, you are gonna block not just infected traffic but also genuine traffic to normal websites which may be hosted on any IP of those blocked ranges. (that also means your log is meaningless as it does not necessarily mean those devices are accessing Stage 2)

If you decide to block IP or whole range despite my warning, wouldn't it be better to create ONE rule with dst-address-list instead of 6 rules with separate dst-address ?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Thu Jun 21, 2018 8:45 am

Well... Are you sure that blocking 1280 IP addresses of Cloudflare won't block some of the thousands of legit websites on those addresses?..
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 21, 2018 12:40 pm

toknowall.com is a sinkhole, nothing bad will come from hosts contacting it. Cloudflare IPs rotate often, you are probably blocking hundreds or thousands of legitimate sites with such wide rules.

You should instead redirect toknowall.com locally and monitor / block hosts that way.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Jun 21, 2018 6:35 pm

Re my VPNfilter ROS fw configuration
- This is/was my first attempt to try to detect VPNfilter infected devices traversing through my network (this is why I am asking for comments).
- My ROS log shows 11 customer devices that keep trying to connect over and over again (like a heartbeat)
- I can narrow down the /24 blocks to the individual IP addresses that are blocked
- I possibly could change the block & log to a pass & log (so that valid legitimate customer traffic still passes, but also some VPNfilter stage-2 traffic will now also pass)

Any thoughts ?

North Idaho Tom Jones
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Jun 21, 2018 9:05 pm

Here is my slightly updated VPNfilter ROS fw configuration
I changed from /24 to individual /32 IP addresses

/ip firewall filter
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.37.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.41.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.39.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.38.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.40.155 log=yes
add action=drop chain=forward comment="VPNfilter photobucket.com" dst-address=209.17.68.100 log=yes

The above is a block and log. One potential problem with the above configuration is that I don't know what possible valid traffic to these IPs is also being blocked.

If you do not want to block these IPs, and instead want to allow/pass & log, then try this instead:

/ip firewall filter
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.37.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.41.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.39.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.38.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.40.155 log=yes
add action=accept chain=forward comment="VPNfilter photobucket.com" dst-address=209.17.68.100 log=yes

The above is a pass and log.


Again - any comments and or ideas on how to help detect VPNfilter stage-2 traffic is welcome.

North Idaho Tom Jones
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Mon Jun 25, 2018 11:20 am

/ip firewall
address-list add list=toknowall.com address=toknowall.com
filter add chain=forward comment="VPNfilter toknowall.com" \
  dst-address-list=toknowall.com action=drop log=yes
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: VPNfilter official statement

Mon Jun 25, 2018 4:22 pm

/ip firewall
address-list add list=toknowall.com address=toknowall.com
filter add chain=forward comment="VPNfilter toknowall.com" \
  dst-address-list=toknowall.com action=drop log=yes
What difference does this make? You still block CloudFlare and tons of other websites.

These are just bad suggestions. I am sorry for those that will copy those rules and don't understand why random websites don't work anymore.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Mon Jun 25, 2018 5:07 pm

You still block CloudFlare and tons of other websites.
Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :)
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: VPNfilter official statement

Mon Jun 25, 2018 5:10 pm

You still block CloudFlare and tons of other websites.
Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :)
You know that the server can use different certificates based on the SNI extension?
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: VPNfilter official statement

Mon Jun 25, 2018 5:24 pm

You still block CloudFlare and tons of other websites.
Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :)
Which means absolutely nothing. CF is not a static thing. It is a dynamic system that shifts workloads around depending on load, attacks, etc.
Now you see these domains, tomorrow there will be other domains.
Or today toknowall.com resolves to these IPs and tomorrow CF will migrate the site to other IPs.
Or today (due to anycast) you reach your local CF mirror that happens to only host this domain and tomorrow you reach CF via another country that happens to serve way more domains.

Your suggested method is just wrong.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Tue Jun 26, 2018 2:20 pm

CF is not a static thing. It is a dynamic system that shifts workloads around depending on load, attacks, etc.
Now you see these domains, tomorrow there will be other domains.
Or today toknowall.com resolves to these IPs and tomorrow CF will migrate the site to other IPs.
Or today (due to anycast) you reach your local CF mirror that happens to only host this domain and tomorrow you reach CF via another country that happens to serve way more domains.
Well, my website still uses the same CF IPs as many months ago :)
Your suggested method is just wrong.
It's not my method, I just suggested how to make TomjNorthIdaho's rules shorter.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: VPNfilter official statement

Tue Jun 26, 2018 3:58 pm

It's not my method, I just suggested how to make TomjNorthIdaho's rules shorter.
English sucks. I didn't mean you as in singular. I meant you as in plural. You and Tom.

I am not gonna argue with you. Believe what you want about CF.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Tue Jun 26, 2018 5:43 pm

Well - in my fw rules, I made two suggestions.
One is block and log
-the other is, pass and log

If there are an estimated 1/2 million VPNfilter infected routers, I wonder how many PCs, servers & networks may actually be affected?
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Tue Jun 26, 2018 5:46 pm

Hey Mikrotik - do you have any suggestions for how to detect VPNfilter infected devices/traffic passing through a core router?
 
BRMateus2
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: VPNfilter official statement

Thu Jun 28, 2018 7:07 am

Actually the second stage is, if this reference is correct (https://blog.securityevaluators.com/vpn ... df74fee92a), just detecting specific hardcoded destination IPs (supposing all VPNFilter code has the same IPs):
# Address list
/ip firewall address-list add address=91.121.109.209/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=217.12.202.40/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=94.242.222.68/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=82.118.242.124/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=46.151.209.33/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=217.79.179.14/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=91.214.203.144/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=95.211.198.231/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=195.154.180.60/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=5.149.250.54/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=91.200.13.76/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=94.185.80.82/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=62.210.180.229/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=toknowall.com comment="Domain that VPNFilter used, now its FBI Sinkhole" list=|abuse_VPNFilter
# Firewall
/ip firewall filter add chain=forward action=reject reject-with=icmp-host-prohibited dst-address-list=|abuse_VPNFilter connection-state=new log=yes log-prefix="Filter possible VPNFilter" disabled=yes comment="ICMP-Rej-Host possible VPNFilter hardcoded destination IP"
For those who will use the rules above, read @vecernik87's post below, which contains important information - such as that this detection does not account for the permanent first-stage script - so take care. For the first stage, one should use layer 7 detection, which is beyond my knowledge.
Last edited by BRMateus2 on Thu Jun 28, 2018 8:07 pm, edited 1 time in total.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: VPNfilter official statement

Thu Jun 28, 2018 12:03 pm

BRMateus2 - It is important to distinguish between
"second stage trying to download" = infected by first stage which is permanent, trying to download second non-permanent stage
and
"second stage indicator" = infected by first and second stage, trying to download third stage or other commands

Due to the fact that both sources of second stage infection (photobucket galleries and toknowall domain) were disabled, we can expect that not many people will get newly infected by second stage. Also we can expect that second stage penetration will slowly decrease as it is non-permanent and theoretically a simple restart or power outage should remove it.
Therefore filtering second stage stuff is not really helpful and can cause a false feeling of security. You may have no devices infected by second stage but still have plenty of devices infected by permanent first stage. That is the main issue which we should focus on.
 
BRMateus2
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: VPNfilter official statement

Thu Jun 28, 2018 8:09 pm

Many thanks @vecernik87 for such information, I've updated the original post asking the reader to create layer 7 rules, which is beyond my knowledge, for all scenarios.
 
Zwe
just joined
Posts: 13
Joined: Thu Jan 11, 2018 11:19 am
Location: Myanmar,Mandalay
Contact:

Re: VPNfilter official statement

Fri Jun 29, 2018 3:37 pm

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: VPNfilter official statement

Fri Jun 29, 2018 3:43 pm

Like the first topic says, anything older than these versions is vulnerable, if you have not configured a firewall:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Fri Jun 29, 2018 6:08 pm

VPNfilter stage 2

If you are not concerned about VPNfilter infected Mikrotiks trying to make stage 2 connections (because you feel the government shut down the stage 2 servers), think again!!!

A VPNfilter infected device does the following stage 2 actions:
1st - try Photobucket
2nd - if Photobucket fails, then try Toknowall
3rd - if Toknowall fails, then open a listener and wait for an actor to send a trigger packet for a direct connection

Soooo, even if the 3rd party Command-and-Control servers for VPNfilter are shut down, you may still have a VPNfilter infected device with an open port just waiting for another actor to send a trigger packet to it --- which could possibly allow somebody else to seize admin control over your VPNfilter devices/networks.

Thus there is a strong justified reason to attempt to detect VPNfilter stage 2 traffic.

North Idaho Tom Jones
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Fri Jul 06, 2018 10:14 am

 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Fri Jul 06, 2018 6:06 pm

I made a checking tool like that as soon as it was announced, but realized it's probably useless as this ssler module is very likely targeted to high profile victims and won't be enabled on most infections.
 
Asyouwanto
just joined
Posts: 1
Joined: Fri Jul 20, 2018 5:40 pm

Re: VPNfilter official statement

Fri Jul 20, 2018 5:41 pm

Hello guys, is there any way to have a conflict between VPNfilter and avast? It doesn't run properly...
 
BRMateus2
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: VPNfilter official statement

Sat Jul 21, 2018 4:25 am

Lol the whole forum topic for nothing.
That's the function of an anti virus.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Tue Jul 24, 2018 5:49 pm

Lol the whole forum topic for nothing.
That's the function of an anti virus.
"Lol the whole forum topic for nothing." ???

Soooo, are you stating all of your devices such as firewalls, wireless routers and NAS are running anti virus on them?
Whoa, are you also saying that out of an estimated 1/2 million VPNfilter infected network devices, it is impossible any of your network devices are VPNfilter infected?
 
lewin
just joined
Posts: 2
Joined: Wed Jul 25, 2018 12:41 am

Re: VPNfilter official statement

Thu Jul 26, 2018 6:37 pm

Hello guys, is there any way to have a conflict between VPNfilter and avast? It doesn't run properly...
It doesn't work that way.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Jul 26, 2018 11:52 pm

re VPNfilter

Although the government has shut down the command-and-control servers (I think), there still remains a very serious issue. VPNfilter infected devices also have a back-door installed. So although the C&C servers are no longer sending & receiving stage-1 VPNfilter connections, the back-door that was installed by VPNfilter is still running and waiting for special packet connects which could then allow a remote attacker admin access.

So, I suspect we will sometime see an updated version of VPNfilter which will spread and take control of VPNfilter infected devices by using the back-door ports that were opened-up with round one of VPNfilter infections.

Sooo it is still very important to detect and fix existing VPNfilter devices, otherwise your network is just sitting there waiting for a new round of VPNfilter related vulnerabilities to happen again.
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPNfilter official statement

Thu Sep 27, 2018 1:02 pm

 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPNfilter official statement

Mon Oct 08, 2018 3:12 pm

And the saga continues and this time by Tenable:

https://github.com/tenable/routeros

These are already patched so check if you are using a safe RouterOS.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Mon Oct 08, 2018 3:28 pm

Congratulations to Tenable !!! They should also send a list of affected routers. - it is SARCASM.

IMHO it is totally irresponsible.
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPNfilter official statement

Mon Oct 08, 2018 3:42 pm

[sarcasm]Mikrotik patched RouterOS so all is safe now....[/sarcasm]

If it is possible to retake compromised routers, then the correct RouterOS can be installed and the bad stuff cleaned out. If one leaves its router open to attacks from the outside, why not 'attack' it to make it safe again.

Or if not cleanable put a schedule in with a warning to update using Netinstall.

This continuing story is bad for Mikrotik and for us. If you are a reseller or installer and you recommend a Mikrotik then you have to come up with strong arguments because of the strain of negative publications.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Mon Oct 08, 2018 5:49 pm

Tenable story is different ... they mounted the ROS filesystem on another Linux, made changes to files and then explored RouterOS. You have to have physical access to the system you want to break into.

All Linuxes without encrypted filesystem are vulnerable ... you can just mount root partition, remove one char from /etc/password and voila ... root access is ready.

PS. I'm not an advocate of MikroTik but each system is breakable ... even trusted ones as .... we can enumerate some here.
Simple Telnet, restart and you are in.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu Oct 18, 2018 5:53 pm

Has anybody else noticed that about half of all remote Internet connections to the Mikrotik winbox port (port # 8291) are coming from China and the other half are coming from the Netherlands ?

On average, I have a sustained 6 to 15 per-minute attempted remote Internet connections to port 8291 (winbox) on my networks. Who else is seeing large scale attempted remote connections to the winbox port on their networks ?

Thank goodness for multiple firewalls , I just hope they are all working correctly and that I'm not missing some important FW settings.

North Idaho Tom Jones
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu Oct 18, 2018 6:07 pm

It is a log for 25 days since reboot, so this router drops circa 15k connections per day. Most of them are for ports 22, 23, 8291.
MM.PNG
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu Oct 25, 2018 6:43 pm

More impressive statistics for 42 days of up-time.
RAW2 registers IPs which "revisit" the router and are still registered by the RAW1 rule.
Firewall.PNG

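Added example (not from BartoszP's post or from MikroTik): a RouterOS raw-table version of the two-stage address-list scheme described in the last two posts, where RAW1 registers every outside attempt against ports 22, 23 and 8291 and RAW2 registers the sources that come back while still on the RAW1 list. It assumes an interface list named WAN and an address list named trusted-mgmt already exist on the router; both names are placeholders.

```routeros
# Assumption: interface list "WAN" holds the Internet-facing interfaces and
# address list "trusted-mgmt" holds the addresses allowed to manage the router.
/ip firewall raw

# Management from trusted sources leaves the raw table untouched.
add chain=prerouting src-address-list=trusted-mgmt action=accept \
    comment="trusted management, skip scanner tracking"

# RAW2 must come before RAW1: a source is a "revisit" only if it is already
# on the scanners list from an earlier packet, not from this same packet.
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=22,23,8291 \
    src-address-list=scanners action=add-src-to-address-list \
    address-list=scanners-revisit address-list-timeout=1d \
    comment="RAW2: repeat visitor to ssh/telnet/winbox"

# RAW1: every outside attempt on ssh/telnet/winbox lands on the scanners list.
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=22,23,8291 \
    action=add-src-to-address-list address-list=scanners \
    address-list-timeout=1d comment="RAW1: first visitor to ssh/telnet/winbox"

# Finally drop the attempt before connection tracking sees it; log for counting.
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=22,23,8291 \
    action=drop log=yes log-prefix="mgmt-port-scan" \
    comment="drop outside ssh/telnet/winbox attempts"
```

The drop rule's packet counter gives the "connections per day" figure the post quotes, and the two address lists can be inspected under /ip firewall address-list to see which sources keep coming back.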