MikroTik

"ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed"

"Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2"

"Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2"

Any way how can I find if, how or ''supposedly'' my router is infected with so called "ChimayRed"?

*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;

... it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.4 'current' and 6.37.5 'bugfix' or newer)...

... it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.4 'current' and 6.37.5 'bugfix' or newer)...

FYI, the current download page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.

We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.4 which removes any malicious files in devices that have been compromised.

Thanks for the update Normis.

So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?

Thanks for the update Normis.
So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?

Please could you confirm this Normis ?

Operator Notes
ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed.

Alternatively, have an option to remove management capability from the internal web server so it has no access to ROS and config, leaving all management to Winbox and CLI.

You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network.

Have Mikrotik reached out to Wikileaks

most likely due to memory or executable offsets changing between versions

Mikrotik should release a tool to check if there is any suspicious file.

page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.

does it report the presence of such files if any are detected

So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?

Please could you confirm this Normis ?

here are some clients who want to have the graphs publicly available.

No. We clean the system as such, we do not speculate if a certain file came from this malware or from elsewhere.

Re: Statement on Vault 7 document release
by jarda » Thu Mar 09, 2017 9:09 am

I appreciate the way how mikrotik officially stands in this situation. Thank you.

My questions is what was the attacking vector because we were told in the past that even authorised user with Ros admin rights cannot manipulate with system files or inject and run whatever code.

So how it could be possible to do it without any authorisation?

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?

So how it could be possible to do it without any authorisation?

It is only www management interface problem or Hotspot service is affected too?

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

Will you please also release a fix for 6.36.4 as it is the only version which works with my wireless-devices?

*) wireless - improved compatibility with Intel 2200BG wireless card;

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.

Are you sure ?
You are asking them to write antivirus software for all version till 6.30.2 ? Isn't it smarter to upgrade routers to newer versions ?
What if you will not find any virus installed ? Do you leave routers "open" for beeing attacked ? Do you want to secure them other way ?

They get shell access by exploiting an unknown vulnerability.
But the funny part is, we as the owner of these devices with full privileges doesnt have any shell access to play with
It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc..
As @nuclearcat stated, even JunOS has one. Why not mikrotik ?

A proper hack would modify the shell, so that it would hide the presence of such files. So, if a router is hacked, any and all available tools are not to be trusted. Moreover, that would create a false sense of security. Only the upgrade process can be relied upon in this case.

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.

After people have had time to upgrade, could you share some technical details of how the exploit work or what was vulnerable?

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

RC and Bugfix builds coming a bit later.

After people have had time to upgrade, could you share some technical details of how the exploit work or what was vulnerable?

Why to give hints for hackers, who will might create botnet from non-upgraded mikrotiks?
It is enough obvious already this exploit seems was using some function from management web-interface, that is most probably available without authorization.

If you opened your management services to the internet and run old versions of software then it's your own problem. Any service exposed to the internet without being updated is in the same situation, expect outdated services to be compromised regardless if it's RouterOS, Linux, Windows, etc. I want to know the details so I can evaluate if further services in RouterOS may be vulnerable (ie winbox) and what kind of coding bug allowed the device to be fully compromised (was it a simple mistake that code review could have spotted, or some complex series of minor bugs that unfolded into full compromise?). Also keep in mind the exploit is already circulating, having it public or not doesn't really make much difference.

....
Yes i am sure.
Its not antivirus at all, not even close, it is trivial file/filesystem structure integrity verification tool, and it is trivial to write as well to detect unathorized modified executable/library files.
Also it is not a virus at all, such "implants" don't replicate themself.

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
[...]
It will be MUCH more difficult to hide all traces of presence from raw storage reading tool (similar to dd) + memory inspection + regular checksum verification + common linux rootkit detection techniques.
Right now Mikrotik provide no tools at all to detect malicious content inside system, and if it is possible to plant this payload even without exploit, just if bad person have access to hardware for a while, and trivial to provide for this malware persistence.

...So proper solution is needed badly, and will be great if mikrotik can make in very reasonable time some tool, for existing systems, to verify if they have such implants.
[...]
It will be MUCH more difficult to hide all traces of presence from raw storage reading tool (similar to dd) + memory inspection + regular checksum verification + common linux rootkit detection techniques.
Right now Mikrotik provide no tools at all to detect malicious content inside system, and if it is possible to plant this payload even without exploit, just if bad person have access to hardware for a while, and trivial to provide for this malware persistence.

You don't need such a tool to verify if a system has been compromised.

A much direct, and less time consuming way :

1.- Put another router (or switch) in front of router to be tested
2.- Torch it / look at outgoing connections.

Can you imagine labor cost and downtime comparing with proper integrity verification that is done completely automated way?

Can you imagine labor cost and downtime comparing with proper integrity verification that is done completely automated way?

Yes... What I cannot imagine is such a company leaving webfig enabled and open to the internet (or any other management tools) .

Mikrotik would produce such detection package for current hack, but for that they need a compromised system, so it's up to Wikileaks to collaborate, there's little more they can do.

And there would be no point on having them as a system tool, as again, any properly implemented exploit/hack will bypass them.

Please make also the fix for last mipsle working version...

Please make also the fix for last mipsle working version...

Normis, what about the 6.32.4, the last working mipsle 6.x version? Will we get the bugfix version 6.32.5 to secure the routers?

Have Mikrotik reached out to Wikileaks

Yes, but as you can imagine, all the big tech companies are probably doing the same.

Hotspot is NOT affected by the vulnerability described in the Vault 7 leaks published on March 7.

Aren't you mixing port with protocol?

1. If the firewall prohibits opening the Webfig in the browser from an address, the server is safe

[chris@bacon ~]$ curl -vvv https://x.x.x.x
* About to connect() to x.x.x.x port 443 (#0)
*   Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

2. The vulnerability was in the server, regardless of protocol or port. If you could open Webfig, you could be vulnerable

What kind of ACL do you mean? Proper firewall will drop all connections, and will not allow the IP to try to negotiate SSL connections

[admin@XXXXXX] /ip firewall connection tracking> print
                   enabled: auto
...

Can you please state for the record whether routers are vulnerable to attack from an IP which is not listed in this ACL.

Hi,

It would be nice if Mikrotik can take some proactive steps. For example IOS/Junos devices has proper shell in devices, and as sysadmin i can inspect system integrity easily, including taking storage/filesystem dumps over dd, checksums for all filesystem files and etc, and i can run also scripts to check for changes over time.
With mikrotik i am totally blind, if someone plant in device backdoor, as they state in document - they dont need even to bother to hide it, it will reflect only on memory consumption, which is not reliable method at all to detect malware. And even Mikrotik will(and as far as i remember there is some) implement their own integrity check, be sure, they will find way around it, so vendor should provide a way for customer to implement integrity verification over several ways, as it more "raw" - it's better (more ways to detect it).

P.S. Please take appropriate steps with recursive DNS server. It is matter of time someone will open this subject, but lack of ACL and/or easiness of putting "allow all", together with lack of any default defensive methods (throttling of specific abusive requests) making Mikrotik units as a top dns amplification DDoS source.
For example severely throttling ips doing identical requests, requests with large answers and etc.

+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade.

Will you please also release a fix for 6.36.4 as it is the only version which works with my wireless-devices?

The fix for your wireless issue is fixed in 6.38.5 as well

*) wireless - improved compatibility with Intel 2200BG wireless card;

+1 good Idea, on the Shell access, and couldnt agree more on the DNS server issue.

As I understand it, if you want a shell on Mikrotik, wait for the code mentioned in vault7 to be released. That seems to do exactly what you want!

It is worth noting, that we never saw the release of any proof in these claims, let alone the tools mentioned. After a thorough code review, we could not find anything hinting to the described issues.

I'm not sure if this is still the case, but:

While I agree that a Mikrotik is "secure" by default (ships with firewall enabled and so on) and other vendors gets their exploits as well. Many vendors have their software contained in a single image file (e.g like Cisco, Juniper) that becomes replaced when updating the device. For what I understand RouterOS just appends updated files over old ones, opening the possibility for persistent root-kits (until modified files is replaced).

I think there is a lot of confusion what "reset configuration" do, this command wipes all '''configuration''' and thats it. It does not rely on script that you are talking about.
"Reset configuration" also has nothing to do with clearing linux file system, it is called "reset configuration" for a reason not "reset filesystem" etc.

Netinstall is the only tool that is wiping all filesystem and installing RouterOS on empty drive.

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

And thats unfortunately a security flaw itself. Preferably the whole system should be replaced on update, but at least the the complete startup-chain (kernel -> init -> rc etc..)

Netinstall is not always possible. Can be very remote or hard to reach devices.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

I wasn't asking for an explanation of netinstall.

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.

Usually a configuration management system does this for you.
Unimus does this out-of-the box and you can have it setup network-wide in 20 minutes.
(this is what I recommended in my talk)

You can't really do this in any good way natively in RouterOS or The Dude.
And while you could do this using Syslog, it would not be full-featured config change notifications.
(since over syslog you will get that something has changed, but not what)

In Unimus (and other NCM systems), you can get a full graphical diff email on config change notifications.
I really recommend having this in your network, it is super useful.

Thanks for the suggestion. Also, great talk!

I was wondering more about how it is actually done, rather than using a 3rd party service/software.
In the case of Unimus, does it periodically connect to the router and does a full export and produces the diffs you mentioned?

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact".
After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.).

Parse the config, check if anything changed against last retrieved config.
If a change is detected, build a diff, and render a full graphical HTML email with the diff.
Send email to configured notification contacts.

That is how Unimus does it, I can't speak to other NMC systems.

How is that different from /exporting the configuration and git it ?
Then compare different commits?

Cause the video on their homepage just looks like it.