Mikrotik in the news..bad news

msatter · Thu Aug 02, 2018 12:41 pm

Hacked MikroTik routers inject cryptominer onto websites

Thursday, August 2, 2018, 11:30 by Editors , 0 comments

Researchers have discovered tens of thousands of hacked routers from manufacturer MikroTik that inject a cryptominer on all websites visited by the owners. It may even involve 170,000 hacked routers, according to researcher Simon Kenin of security company Trustwave in a blogposting.

The MikroTik routers are hacked through a vulnerability patched by MikroTik on April 23 this year. Still, hundreds of thousands of vulnerable routers can still be found, according to Kenin. The vulnerability could allow remote attacker access to a vulnerable MikroTik router remotely. Then a script is executed that injects the Coinhive cryptominer on all websites that the owner visits.

Coinhive is a crypto machine that uses the computational power of the computer via the browser to minate to the cryptocurrency Monero. For this, the computer performs a cryptographic calculation. Figures from analysis platform Censys.io show that the cryptominer is active on more than 170,000 MikroTik routers. 70,000 of the routers would be in Brazil. Owners of the devices are advised to install the latest firmware update.

Source: Security.nl
https://www.security.nl/posting/571954/ ... p+websites

More links:
https://www.bleepingcomputer.com/news/s ... k-routers/

https://securityboulevard.com/2018/08/c ... 0-routers/

https://www.itwire.com/security/83882-b ... ction.html

Update: the CVE number for this CVE-2018-14847 and was filed/created on the second of August 2018

Nefraim · Thu Aug 02, 2018 1:52 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....

Samot · Thu Aug 02, 2018 1:58 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....

You mean the one the patched back in April 2018? Or the one that was patched in March 2017? What really is sad is the amount of Mikrotik users who have let their devices sit unwatched/maintained/updated for months and years on end.

Thu Aug 02, 2018 1:59 pm

There was a bug that allowed to find out passwords configured on the router. After that hacker can use them and log into router as a normal user. Then he can do whatever he wants. Upgrade will close this vulnerability, but if password is not changed, then hacker can still connect.

Hacker connects to the router and adds configuration - scripts, schedulers, enables SOCKS, etc. RouterOS filesystem is not affected. Only changes made by hacker are into RouterOS configuration.

msatter · Thu Aug 02, 2018 2:01 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....

Have a look at the posting times and my posting is probably the trigger to have Mikrotik posting and take hopefully more public steps.

Thu Aug 02, 2018 2:02 pm

The sad part is that owners/admins DO NOT CARE.

Samot · Thu Aug 02, 2018 2:04 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....
Have a look at the posting times and my posting is probably the trigger to have Mikrotik posting and take hopefully more public steps.

What public steps? They fixed it in April!!!!! They are just now telling us "Hey, this is still happening. Make sure you updated." This is just another repeat of VPNFilter when the patch was released a year ago but the malware made news in May (a year later) and people demanded to know what Mikrotik was doing *RIGHT NOW* about it despite the fact they addressed it a year ago.

msatter · Thu Aug 02, 2018 2:05 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....
You mean the one the patched back in April 2018? Or the one that was patched in March 2017? What really is sad is the amount of Mikrotik users who have let their devices sit unwatched/maintained/updated for months and years on end.

Who could dream (nightmare) that your router hands out it's most secret information to everyone that asked for it.

Samot · Thu Aug 02, 2018 2:05 pm

The sad part is that owners/admins DO NOT CARE.

And that statement right there is the crux of the issue.

Samot · Thu Aug 02, 2018 2:08 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....
You mean the one the patched back in April 2018? Or the one that was patched in March 2017? What really is sad is the amount of Mikrotik users who have let their devices sit unwatched/maintained/updated for months and years on end.
Who could dream (nightmare) that your router hands out it's most secret information to everyone that asked for it.

I'm not arguing the point that there was a vulnerability that was pretty major but it was addressed months ago when it became public knowledge. Asking what they are doing today over something they addressed already just means no one is really paying attention to what Mikrotik is doing and putting out. They seem only care (freak out) when a random website blog tells them about it.

Thu Aug 02, 2018 2:10 pm

@msatter:
How do you expect that Mikrotik could MORE persuade people to upgrade if they (users not Mikrotik) do not care? It is not a matter how many infos Mikrotik will publish. If admin/user/owner do not care than it is not a problem of Mikrotik.
Do you think that other comapnies call or mail each customer to inform about their security problems?

msatter · Thu Aug 02, 2018 2:10 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....
Have a look at the posting times and my posting is probably the trigger to have Mikrotik posting and take hopefully more public steps.
What public steps? They fixed it in April!!!!! They are just now telling us "Hey, this is still happening. Make sure you updated." This is just another repeat of VPNFilter when the patch was released a year ago but the malware made news in May (a year later) and people demanded to know what Mikrotik was doing *RIGHT NOW* about it despite the fact they addressed it a year ago.

Sorry, but you must have seen that we are pushing to get up to speed in communicating important stuff.

IT IS TOO LATE NOW and the bad news had to been pushed down everyones throat in the past months

msatter · Thu Aug 02, 2018 2:12 pm

The sad part is that owners/admins DO NOT CARE.
And that statement right there is the crux of the issue.

Now they care and have seen some go mad in their first posting.

msatter · Thu Aug 02, 2018 2:19 pm

@msatter:
How do you expect that Mikrotik could MORE persuade people to upgrade if they (users not Mikrotik) do not care? It is not a matter how many infos Mikrotik will publish. If admin/user/owner do not care than it is not a problem of Mikrotik.
Do you think that other comapnies call or mail each customer to inform about their security problems?

I am sure the Win box could display minimal recommend RouterOS version in Winbox and keep that in view as long you are legging behind.

If I was not in the forum I would totally missed it that that the router was that easy to be hacked.

If everyone is looking at each other to see what they can come away with then you are depicting the current time.

schadom · Thu Aug 02, 2018 2:20 pm

Mikrotik did a good job in timely fixing and communicating the security issue with their customers.
It's not their fault but many admins and device owners are just lazy or do not check the news.

@MT: Maybe a security announcement mailinglist like other vendors offer them could be beneficial for the future.

Thu Aug 02, 2018 2:22 pm

@msatter
Do you think that all 70 000 users of hacked devices in Brazil do even know what WinBox is?

Samot · Thu Aug 02, 2018 2:25 pm

Mikrotik staff already posted a reminder for users to upgrade.
More info here viewtopic.php?f=21&t=137572

The sad part it's that the exploit is more than two months old....
Have a look at the posting times and my posting is probably the trigger to have Mikrotik posting and take hopefully more public steps.
What public steps? They fixed it in April!!!!! They are just now telling us "Hey, this is still happening. Make sure you updated." This is just another repeat of VPNFilter when the patch was released a year ago but the malware made news in May (a year later) and people demanded to know what Mikrotik was doing *RIGHT NOW* about it despite the fact they addressed it a year ago.
Sorry, but you must have seen that we are pushing to get up to speed in communicating important stuff.

IT IS TOO LATE NOW and the bad news had to been pushed down everyones throat in the past months

You understand how this works, right? Cisco isn't going to get an alert from some security group/person on Monday that's "Oh there's a major exploit" and then announce it on Tuesday to their users. Why? Because they probably don't have a fix for it yet and announcing it could make something that only a small group (Cisco and the reporters) may know exists just puts a target on all the possibly infected devices before they could push a fix for them. It might take Cisco *weeks* to disclose this exploit to their users so they can determine how serious it is, how to fix it and release said fix for the users so the announcement is "There's an exploit, please update to X version for the fix along with X, Y, Z to ensure you're not compromised".

But let's be honest here. This Winbox fix, when announced, had instructions of "Update THEN change passwords" but people were still like "I got hacked even though I did the update" and it turns out that they either updated the passwords then did the ROS update or just did the ROS update without touching their passwords. While they may stop FUTURE attacks, if they were already compromised they didn't do the step to fix that problem or they did it in the wrong order.

I'm with BartoszP on this. While Mikrotik can take some of the blame for perhaps not "communicating fast enough" it really doesn't matter how fast they communicate or how many methods they use to communicate when the users (you and I) ignore it and do NOTHING. Even worse, not ignore it but not follow the actual instructions properly. At some point the users have to step up and take responsibility for their laziness and/or not taking action.

msatter · Thu Aug 02, 2018 2:34 pm

@msatter
Do you think that all 70 000 users of hacked devices in Brazil do even know what WinBox is?

Hmmmmmm you are giving me an idea.

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version.

If ignored then after two weeks the router only functions when you are initiate an update. After the update all the functions are restored.

Mikrotik happy, user happy or not and the rest of the world is a bit saver again.

schadom · Thu Aug 02, 2018 2:36 pm

The main problem with Mikrotik/RouterOS in my opinion is the default "accept any", whereas it should be "reject any except..." instead. Mikrotik might consider shipping future ROS devices with a stronger default firewall ruleset which locks down all services except Winbox/SSH from an Internal IP range on a single interface. Security should be by-default and not optional nowadays.

Unfortunately too many admins and device owners simply do not care enough, do not read the manual/wiki and just unpack and connect their new device happily to the internet. That's where the problem begins.

Thu Aug 02, 2018 2:42 pm

Schadom, what do you mean? The default firewall DROPS ALL from internet interface.

msatter · Thu Aug 02, 2018 2:46 pm

Im sure that suggestions for improving the firewall IPv4/IPv6 will be taken serious. For larger networks tr069 could be used to keep the routers up-to-date or streamline configs.

An user can interfere but that is something between the provider and the customer.

usdmatt · Thu Aug 02, 2018 2:47 pm

I agree Samot and co, I'm not really sure what Mikrotik can do about the kit out there that still isn't patched. These routers probably haven't been logged into at all for years. Unfortunately Mikrotik aren't big enough for this to have been global big news like it might be with Netgear/TPlink or big enterprise giants like Cisco. Even then, a business or home user who had a Mikrotik installed years ago that hasn't been touched since, and have never heard of Winbox, aren't going to bother updating.

If users have a Mikrotik and it's injecting crypto-mining into their traffic because they haven't installed the fix, then really it's on them. Unfortunate that it causes bad press for Mikrotik, but hopefully these articles have done their homework and point out it's an issue that was fixed in a timely manner, causing problems because users haven't followed advice to update.

There was a guy a few years ago who wrote an exploit for hacked IoT devices to brick them, because it was the only way to force owners to update them. He did get done for it though... (not that I'm suggesting that's a good idea here, just that it's near impossible to get 100% of people to update something that is working)

AlainCasault · Thu Aug 02, 2018 2:48 pm

I think he means the default action of "if not filters apply", which is a non issue given the factory "default" firewall filters.

Sent from Tapatalk

usdmatt · Thu Aug 02, 2018 2:57 pm

I think he means the default action of "if not filters apply", which is a non issue given the factory "default" firewall filters.

I did think which reading this post that maybe the firewall should default to deny with no rules, so you have to explicitly allow everything you want to go through.

Some people would just stick an allow all in of course. It's amazing how many people leave the router open (even IT people) because it's easier for them to get remote access, or don't want to spend the time creating rules to match only the specific services they need to use.

AlainCasault · Thu Aug 02, 2018 3:07 pm

I think he means the default action of "if not filters apply", which is a non issue given the factory "default" firewall filters.
I did think which reading this post that maybe the firewall should default to deny with no rules, so you have to explicitly allow everything you want to go through.

Some people would just stick an allow all in of course. It's amazing how many people leave the router open (even IT people) because it's easier for them to get remote access, or don't want to spend the time creating rules to match only the specific services they need to use.

Yup! No matter how much I stress creating catch-all filters logging and dropping "the rest of the traffic", many still don't get it and call me in a panic about strange behavior. Even supposed "experts" put their customers in a bad position because they fail to create even the most basic FW rules. Very sad indeed, but it's probably MT's fault for some obscure reason... "sarcasm here"

Samot · Thu Aug 02, 2018 3:14 pm

I think he means the default action of "if not filters apply", which is a non issue given the factory "default" firewall filters.
I did think which reading this post that maybe the firewall should default to deny with no rules, so you have to explicitly allow everything you want to go through.

As it was already pointed out, the default firewall rules do that. They block all until allowed by the user.

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

This is basically the set of default rules I have found on every device I've gotten from Mikrotik. Until I add proper rules, either firewall or NAT, I cannot access the router or the devices behind it remotely because it would drop all my traffic since it lacks proper rules.

usdmatt · Thu Aug 02, 2018 3:27 pm

As it was already pointed out, the default firewall rules do that. They block all until allowed by the user.

I was referring to a implicit block that everything hits even if the firewall is empty (of course thought would have to be put in to what to do if someone deletes all the rules). Lots of people replace the firewall rules, and for some reason some decide to try and block certain things, rather than just allow what they want and drop the rest. It's also very common for people to mess with the firewall until their requirements work, but not consider what has been left open in the process. Not that I'm genuinely suggesting it; I like having full control over the firewall - but then I always end with a drop *ALL* forward/input anyway.

Also the default rules are all very well until you add a pppoe client for your wan and realise the traffic skips straight over the ether1 drop rule (even if you're using that port, which may be a surprise to some users, especially new ones). They'd arguably be better off with an allow from bridge-lan, and a drop all.

sid5632 · Thu Aug 02, 2018 3:29 pm

I'm not really sure what Mikrotik can do about the kit out there that still isn't patched. These routers probably haven't been logged into at all for years.

If hackers can login and change the config. then all anybody else needs to do is login and update the software. Job done. Simple.

AlainCasault · Thu Aug 02, 2018 3:36 pm

This is basically the set of default rules I have found on every device I've gotten from Mikrotik. Until I add proper rules, either firewall or NAT, I cannot access the router or the devices behind it remotely because it would drop all my traffic since it lacks proper rules.

I can't find the (older??) wiki page I have in mind (but found https://wiki.mikrotik.com/wiki/Manual:D ... igurations) but fresh out of the box, configs vary. Some models may be shipped blank (as was the case for my RB1200), so it would be easy to forget FW filters.

Thu Aug 02, 2018 3:43 pm

What we are talking about?
Ask average user what router is .... answers will be like "What?", "YYYYaaaaayyyyaaa? What?", to more sophisticated "Do you mean this white/blue/silver etc. box?" or "I have Internet from WiFi".

mrz · Thu Aug 02, 2018 3:45 pm

Also the default rules are all very well until you add a pppoe client

This already addressed for quite some time using interface lists in default configuration.

As you stated "people to mess with the firewall", default allow changed to default drop will not improve anything.

@AlainCasault
1200 is not a home router, if you buy it you have to know what you are doing.

usdmatt · Thu Aug 02, 2018 4:12 pm

This already addressed for quite some time using interface lists in default configuration
As you stated "people to mess with the firewall", default allow changed to default drop will not improve anything.

Assuming you know to add the interface to the wan list... But yes this doesn't improve anything as it's up to the user to make sure it's locked down and many don't have the expertise. Any changes would just be altering the way the default config blocks wan access, until someone starts messing with it.

1200 is not a home router, if you buy it you have to know what you are doing.

You have to know what you're doing with all this kit really unless you can just plug it in with the default config and not touch it, which goes back to the original issue. Lots of people buy this kit with no real expertise, and lots of people have these routers installed with no ongoing support and don't even know what it is.

AlainCasault · Thu Aug 02, 2018 4:32 pm

@AlainCasault
1200 is not a home router, if you buy it you have to know what you are doing.

I agree with you, but my point was that some models have different behavior. And as stated in other replies, even so-called "experts" will miss basic steps setting up (corporate) devices. My comment is to emphasize that we can't (always) rely on defaults.

P.S. what is the URL for the default parameters based on models??

pe1chl · Thu Aug 02, 2018 4:32 pm

Also the default rules are all very well until you add a pppoe client
This already addressed for quite some time using interface lists in default configuration.

Unfortunately the default configuration is determined when the device is first powered up.
So when you get a MikroTIk device that was manufactured before that change, then immediately update its software and start configuring it,
you will will be using the old firewall config, as is aptly shown above where user Samot pasts his default firewall which is the old vulnerable type.

It should be considered to do a reset to defaults when an update is done on a router that has fully default config, at least for the firewall.
(a similar issue exists in the IPv6 default config which is not loaded unless you reset to defaults AFTER enabling the IPv6 package, which
lots of users probably will not do, and they end up with an empty allow-all firewall for IPv6)

Thu Aug 02, 2018 4:38 pm

You have to know what you're doing with all this kit really unless you can just plug it in with the default config and not touch it, which goes back to the original issue. Lots of people buy this kit with no real expertise, and lots of people have these routers installed with no ongoing support and don't even know what it is.

If you, as average driver using standard cars, buy big american truck with 24 or more step gearbox, do you expect that this truck will have all bells and whistles installed to protect itself from being destroyed? Should gearbox constructor expect that someone unfamiliar with this technology and untrained will use it with 30 ton load?

pe1chl · Thu Aug 02, 2018 5:03 pm

I don't think the affected users are home users with a CCR, which would compare to untrained users buying a truck.
No, they are using a hAP or hEX as their home router and they have default config but they had to add a PPPoE client
and they mistakenly believed that this could be done by watching a youtube video.
E.g. videos like this https://www.youtube.com/watch?v=OTW2fOQ_pT0 have probably done a lot of damage to MikroTik
reputation. 79000 views, maybe 30000 victims? And look at the comments, they are sooo happy! But now they all
have been hacked.
Maybe someone should collect a list of those helpful videos posted by nitwits and ask youtube to take them down.
No idea if they would do that, maybe when you refer to risk of privacy or disruption of internet?

Nefraim · Thu Aug 02, 2018 5:20 pm

(a similar issue exists in the IPv6 default config which is not loaded unless you reset to defaults AFTER enabling the IPv6 package, which
lots of users probably will not do, and they end up with an empty allow-all firewall for IPv6)

Since the post has gone away from the initial topic and deviated into trying to find solutions to improve the overall experience, this might be the time to argue that indeed there are place were Mikrotik could do better.
As already mentioned by default routers don't have ipv6 enabled and enabling it will leave you with no default firewall rules. Resetting the router while ipv6 package is enabled will give you a starting point for a decent ipv6 firewall, which will even block bogus ipv6 addresses.

Maybe, router os could ask to enable the default firewall when someone enables ipv6 package for the first time. I seem to remember that it warns that enabling ipv6 will results in no firewall rules for it (correct me if I’m wrong) but yet it still leaves you without any default protection. It does not have to be something that is done automatically, but rather give the user the choice whether to enable or not the default ipv6 rules. This isn't something groundbreaking but could help some people who are less tech savvy. It's still up to the user whether to enable the rules or not, but could help to increase the default security in new installs and after router resets.

Give the user a choice and who knows, he might like the increased security.

mrz · Thu Aug 02, 2018 5:24 pm

That particular video has nothing to do with default configuration. He removes default configuration and makes everything from scratch, basically showing how not to configure your router.

pe1chl · Thu Aug 02, 2018 6:00 pm

That particular video has nothing to do with default configuration. He removes default configuration and makes everything from scratch, basically showing how not to configure your router.

True but this is just one video that I found by a quick search, I have seen another (that I did not find so quickly now) that works from a default config but still forgets to correct the firewall.
With a new default config that is not so much of a problem, but you will need a router which is manufactured and delivered with a fairly recent version to get that new config.
(because default config is not made by your updated routeros but by the routeros that happens to be on the device)

Besides, you have to understand that today's home admin or wannabe WISP admin does not work from established procedures/manuals but watches Youtube.
So all that crap on Youtube is a major problem...

ik3umt · Thu Aug 02, 2018 6:33 pm

...........you will will be using the old firewall config, as is aptly shown above where user Samot pasts his default firewall which is the old vulnerable type.

That was the basic firewall :

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

and the one from a 6.42.6 :

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

So, starting from scratch with no-defaults=yes , is this latest sequence safer thus recommended ??

pe1chl · Thu Aug 02, 2018 6:40 pm

The new version is more reliable when uneducated administrators add new things like PPPoE client.
It also fixes an issue where incoming traffic over IPsec is dropped by default, which users usually would not want.
When ether1 is really your internet interface (i.e. where your default route points) it is otherwise not more secure.

Sob · Thu Aug 02, 2018 6:52 pm

Don't forget that until recently, even router with no firewall was sort of safe (if it had at least strong password). Even to become open resolver, user had to manually enable remote requests (most probably did that). Same for becoming open web or socks proxy (fewer did so, because proxies are not used that much). Router's own services didn't allow unauthorized access either.

So if it wasn't for www and winbox bugs, things wouldn't be perfect, but not extremely bad either. I'm not really buying current "if you want it secure, you must not allow anyone to connect", just because MikroTik hates to admit how bad these bugs were and tries to shift blame on users.

But I don't want to repeat myself (although maybe I'm not, because my post in other thread did strangely not appear, I see it in search, but not in thread; perhaps there's moderator approval required for posts in announcements forum, I don't know).

msatter · Thu Aug 02, 2018 8:24 pm

I can see the top of Sob's posting in the preview. And what happened was the unimaginable happening. A buyer of a device, you expect that it won't share your secret information, that you need to use that device.

It was a blindspot on the side Mikrotik that it not was discovered during audits of this most vulnerable part of the router.

mistry7 · Thu Aug 02, 2018 9:08 pm

One think I’m missing is information to the Distribution, they know the big Customers, so all get informed not only the ones, that look at Facebook or here!

Sob · Thu Aug 02, 2018 10:07 pm

Let's face it, it was horrible mistake and oversight. But what's done is done. It's easy to bash MikroTik, but it can happen to anyone. Everyone hopes that such thing won't ever happen to them, and they won't have to explain it to their customers. But you never know, only 100% safe way is to not write any code. And that's clearly not the solution.

Everything bad is good for something. It will make some people think more about security. I did that after www bug and realized that maybe I don't absolutely have to keep some services (WinBox included) accessible from everywhere, even though it was convenient and should be safe with strong passwords. Others will have similar thoughts now. But please don't go overboard and say that the only secure way is to block everything. Many services must be accessible from everywhere by design. And if they can survive, so can WinBox.

About current situation, damage is done and it's not the end of it. Those articles mention some 200k infected routers, some more will follow, some will be fixed, but unless hackers make a mistake and visibly break something, many of them will be infected even years from now. And there's really nothing to be done. Some ISPs started to block incoming connections to tcp/8291 (not ideal solution) and many will probably stop there. Others won't care at all, until it starts to harm their networks. And users, half of them won't care or won't know what to do even if someone alerts them.

infused · Fri Aug 03, 2018 12:38 am

There was a bug that allowed to find out passwords configured on the router. After that hacker can use them and log into router as a normal user. Then he can do whatever he wants. Upgrade will close this vulnerability, but if password is not changed, then hacker can still connect.

Hacker connects to the router and adds configuration - scripts, schedulers, enables SOCKS, etc. RouterOS filesystem is not affected. Only changes made by hacker are into RouterOS configuration.

Does the latest bugfix fix this, or do we need to be on 6.42? I don't really like using non-bugfix releases. If it isn't, can you guys work to update bugfix?

Pea · Fri Aug 03, 2018 12:58 am

Yes, last bugfix 6.40.8 is fine (+ change your passwords after upgrading, restore your configuration and inspect it for unknown settings, implement a good firewall)

What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router

msatter · Sat Aug 04, 2018 6:17 pm

The warning e-mails by Mirkotik are sent out a day after news. I hope next week we will be informed why informing resellers and users that were on the mailing list were not informed earlier about the risk. If creating a CVE would have reduced the number of routers being infected to spread bad software?

Looking forward to that and maybe Mikrotik will layout a plan how they are going to handle security risks in the future and if they going to think and implement a way to warn owners of routers that are not updated and form a risk to the rest of the internet.

Sat Aug 04, 2018 7:54 pm

Hands up who is daily following CVE news?

pe1chl · Sat Aug 04, 2018 8:17 pm

Is it not possible to integrate Firewall default rules into Mikrotik devices so that the user can not delete them, just turn off (ON-Off)?
Create default options so that we only open what is needed. No default open 21.22.23 port. For example, if you need to add a firewall filter, this could be done as before, but it would not affect the default configuration in any way.
It would be ideal if mikrotik were to think of a case like a built-in firewall from the factory, which can be disabled if necessary, but then the normal user saw the message - your router is not protected or similar. That would improve the situation.

It is already like that! There could be a minor improvement: to update the default firewall when a new version is loaded with another default firewall.
But other than that, it works like you suggest it should work. The problem is caused by incorrect action by the user, often directed by incorrect Youtube videos that are not from MikroTik.
There is little that can be done.

The same goes for downloading updates. Create a simple section with a check-in option - Allow auto updates. If you do not want to - no check-in

I am all for an auto-update function. Configurable of course.
By default it should auto-update. Users should be able to turn it off and to configure the update channel to use.
There should be a separate update channel that releases "required updates" and that is the default for new devices.
(so every device does not track all the updates by default, but it only installs updates that MikroTik have marked as "required". those will be the updates that fix vulnerabilities, not those that merely are further development of features. once in a year or so, a feature development could be marked to be auto-updated after it has been found to be stable and without issues)

msatter · Sat Aug 04, 2018 8:29 pm

Hands up who is daily following CVE news?

I have bookmarked for Mikrotik and AVM now. AVM had a good run after the last containment of the VOIP vulnerability. ISP often offer also VOIP and the had to compensate customers for the expenseive calls made due to this vulnerability.

Version 7 by AVM is rolled out whole we are speaking and it is based on a more recent version of Linux and let's hope all checks move with it.

msatter · Sun Aug 05, 2018 1:48 pm

Since a few months we have now GDPR laws which regulated protection of private information.

I think that I can state that password falls also under the GDPR and that would have the impact that Mikrotik did not do enough, to protect their customers under the GPDR.

bramwittendorp · Sun Aug 05, 2018 11:05 pm

From the GDRP Wiki-page: https://en.wikipedia.org/wiki/General_D ... Regulation

According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."[7]

As you care about IT-security, and you're right to do so. I asume you're using some sort of password-manager so the password isn't related to you.

Besides that, the GDPR protects you for data-stored by companies, the password is stolen from your own router, you can blame MikroTik for the security-flaw in the RouterOS software, but you cannot state that the GDPR applies to it.

If all our account on this forum where breached, yeah, than you have the right to say MikroTik didn't protect our data accordingly to the GDPR, but that doesn't apply here.

msatter · Mon Aug 06, 2018 1:14 am

Thanks Bram for explaining this and the access data was indeed stored in the device and so not with Mikrotik. Was stored, this because the password is not stored in router anymore, if I remember that well?

sindy · Mon Aug 06, 2018 1:31 am

Some kind of hash of the password has to be stored in the router unless you'd use RADIUS for remote authentication, but cleartext passwords are not there any more.

BrianHiggins · Mon Aug 06, 2018 10:11 pm

Yes, last bugfix 6.40.8 is fine (+ change your passwords after upgrading, restore your configuration and inspect it for unknown settings, implement a good firewall)

What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router

tell that to the several routers which were compromised today, running 6.40.8.

Sob · Mon Aug 06, 2018 11:02 pm

@BrianHiggins: It would have to be either:

a) something new (the same WinBox exploit doesn't work with 6.40.8 )
b) you didn't change passwords
c) you changed passwords before upgrading and previously infected system managed to send them out before the upgrade happened

Who is online