
erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Tue Nov 19, 2019 9:08 pm
by amojak
hi,
as per subject, what is 6.55.6 firmware and why is there no announcement of it?

bill

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Tue Nov 19, 2019 10:59 pm
by Sob
There isn't such version, at least not yet, maybe in future. But perhaps it could be this in real life action:

https://medium.com/tenable-techblog/rou ... e0b07c0b21

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 1:10 am
by amojak
well why do our routers report there is?
[attachment: test.png]

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 1:27 am
by amojak
the update server reports as 185.162.131.116, in the Netherlands.

something is broken, as only the stable release exists and the version number is not real, it seems.

perhaps somebody at MT needs to investigate this, as it could be a nasty fake firmware attack

bill

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 1:38 am
by amojak
I am not installing it, but have a copy of what it downloaded; too big to upload here though

routeros-mipsbe-6.55.6.npk

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 10:45 am
by Znevna
You or your ISP is hijacking the DNS for the download server. MikroTik's servers are in Latvia.
Check what DNS server your router is using and check the static DNS entries on it; if you have nothing in static DNS regarding upgrade.mikrotik.com or download.mikrotik.com and you're using the ISP's DNS servers, well, your ISP is hacked. It might even force-redirect all your queries. Too many options.
You have to check which one it is, doing local queries using different servers from your PC.
Check the firewall in your router for any suspicious lines too.
That changelog is from 6.45.6 anyway (the one you have installed), but the actual version might be 6.42.12 or older.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 11:18 am
by msatter
> i am not installing it but have a copy of what it downloaded, too big to upload here though
>
> routeros-mipsbe-6.55.6.npk
Send it to support@mikrotik.com so they can have a look at what it is supposed to do.

The IP gives mixed results of being located in Meppel in the Netherlands, including street and house number. The phone number is in the USA, most likely in New York.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 11:33 am
by Sob
It's renamed 6.41.4, exactly as in the article I linked to.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 12:28 pm
by amojak

right, so there are no static entries in the DNS setup for our core router.

our "ISP" is Level 3/CenturyLink, and I find it difficult to consider that their DNS servers are hacked

To add to this, this is occurring on every other core MT router, on other connections with other DNS servers too.

So in summary it looks to be an invisible exploit installed on our MT edge routers running 6.45.6/7. We will try and block that IP and set the DNS manually, but the fact seems to be that our MT routers are compromised, so they may have also let all manner of unseen changes happen too.

What are MikroTik doing about this please?
[attachment: mtik.png]

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 12:53 pm
by normis
Until you have contacted support, and nobody else has, probably nothing yet. Please email support and, if possible, provide full access to such a device.

As previously advised, it is always possible this exploit was installed in 6.3x versions when a known Winbox problem allowed full access to your device if Winbox port was open.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 12:56 pm
by Znevna
*ahem* my bad. It looks like it's exactly what Sob mentioned earlier.
> There isn't such version, at least not yet, maybe in future. But perhaps it could be this in real life action:
> https://medium.com/tenable-techblog/rou ... e0b07c0b21
Long story short, you have winbox open to the world and your DNS cache is poisoned. Read the full page above.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 12:57 pm
by msatter
No DNSSEC is active on the MikroTik domain, so you are only protected by MikroTik's measures to not install an invalid version.

If automatic updates are active, then the router is made vulnerable by installing this OLD version, if that is possible without pressing the Downgrade button.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 1:15 pm
by Sob
> Long story short, you have winbox open to the world and your DNS Cache is poisoned.
Not necessarily; those records could simply come from the upstream resolver, i.e. from whatever is in "/ip dns".

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 1:26 pm
by amojak
hi,

always your helpful self, normis.

I noticed this last night. All previous emails to support hit a wall, primarily as MikroTik decided to block me from their forum and support, and even at one point blocked our IP ranges, remember? Just after giving me an L6 licence as a reward for being a top contributor to the forum. All because I dared point out a fault with your hardware, apparently. You neatly erased all history of my posts too.

So your sarcasm, as usual, is unwarranted and unhelpful. Some things never change over the years.

It is clear from other posts on here that this vulnerability IS known to MikroTik and is also public knowledge.

Why MikroTik thought it a smart move to fix another vulnerability recently by making a downgrade wipe out any access security is beyond me, without first taking action to make such downgrades difficult, or at least two-step, and then of course widely publicising this exploit.

Now I need answers and a solution to this issue. I am less than comfortable knowing that all our edge routers have effectively been rooted, with seemingly zero care for it from you.

Perhaps it is time to change the supplier of them too, as we did with our wireless side after the last fiasco. MikroTik lost ~£1M of trade from us for that decision alone.

bill
bROADNAD
> Until you have contacted support and nobody else has, probably nothing yet. Please email support and if possible, provide full access to such a device.
>
> As previously advised, it is always possible this exploit was installed in 6.3x versions when a known Winbox problem allowed full access to your device if Winbox port was open.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 1:43 pm
by msatter
Ouch. However, it is not the time to settle old pains, and MikroTik is now interested in solving this; it is in their hands that poisoning gets more difficult, if not impossible.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 3:11 pm
by anav
That article was very illuminating. I suppose one could conclude some shortcuts or loopholes have to be closed when updating Winbox files, and I'm assuming that work has been done for 6.45???
However, as Sob notes, DNS poisoning is still possible IF ONE allows remote users (external) access to the DNS system of MK, or at least that's what I interpreted.

Finally, it seems best practices still prevent problems; common sense!!
a. Use netinstall to latest firmware if you sense one is hacked
Prevent a. by NOT opening winbox to the WAN side; use only VPN to access the router externally
Prevent a. by NOT allowing external access to the DNS cache (by an explicit drop of WAN access to port 53 in the input chain rules, or by a drop-all-else rule at the end of the input chain).

Probably way more complicated just trying to understand.
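The checklist above (winbox not reachable from the WAN, no external access to the DNS cache) and Znevna's earlier advice to look at the router's static DNS entries and firewall can be turned into a mechanical check over a RouterOS `/export`. The script below is an added example, not code from this thread or from MikroTik. It assumes the plain `/export` layout (a `/path` line followed by `add`/`set` lines of `key=value` pairs, with `\` continuations) and an interface list named `WAN` (or the default-config `!LAN` negation); both sample exports are constructed for the demonstration, and the rule-order caveat in the comments is deliberate: a permissive `accept` placed before the drop is not detected.

```python
"""Audit a RouterOS `/export` for the weaknesses discussed in this thread.

Added example, not from the thread or from MikroTik. Assumes the plain
`/export` layout: a `/path` line, then `add`/`set` lines with key=value pairs.
"""
import shlex


def parse_export(text: str):
    """Yield (path, verb, {key: value}) for every add/set line of an export."""
    path, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        parts = shlex.split(line)          # handles comment="with spaces"
        kv = {}
        for p in parts[1:]:
            if "=" in p:
                k, v = p.split("=", 1)
                kv[k] = v
            else:
                kv.setdefault("_args", []).append(p)   # positional item, e.g. `set winbox ...`
        yield path, parts[0], kv


def _drops_wan_dns(kv: dict) -> bool:
    """True if a filter rule drops DNS (or everything) arriving on the WAN in the input chain."""
    if kv.get("chain") != "input" or kv.get("action") != "drop":
        return False
    if kv.get("in-interface-list") not in ("WAN", "!LAN"):
        return False
    ports = kv.get("dst-port")
    return ports is None or "53" in ports.split(",")   # explicit 53, or a drop-all-else rule


def audit(export_text: str) -> list:
    """Return human-readable findings; an empty list means none of the checks fired."""
    items = list(parse_export(export_text))
    findings = []

    # 1. `/export` omits default settings, so no `set winbox` line at all means the
    #    service listens on every address with no restriction.
    winbox = [kv for path, verb, kv in items
              if path == "/ip service" and verb == "set" and kv.get("_args", [""])[0] == "winbox"]
    if not any(kv.get("disabled") == "yes" or "address" in kv for kv in winbox):
        findings.append("winbox has no address restriction (reachable from WAN unless firewalled)")

    # 2. A static entry for a MikroTik host silently redirects update checks and downloads.
    for path, verb, kv in items:
        if path == "/ip dns static" and verb == "add" and kv.get("name", "").endswith("mikrotik.com"):
            findings.append("static DNS entry %s -> %s" % (kv["name"], kv.get("address")))

    # 3. Remote DNS requests allowed, but nothing in the input chain drops them from the WAN.
    #    Rule order is not checked: an earlier `accept` would still win on the router.
    remote = any(path == "/ip dns" and kv.get("allow-remote-requests") == "yes"
                 for path, _verb, kv in items)
    if remote and not any(path == "/ip firewall filter" and _drops_wan_dns(kv)
                          for path, _verb, kv in items):
        findings.append("allow-remote-requests=yes but no input-chain drop for DNS from WAN")
    return findings


# Constructed sample exports (not from any real router). The first mirrors the thread:
# static entry pointing upgrade.mikrotik.com at the Dutch IP, open DNS, untouched winbox.
VULNERABLE_EXPORT = """\
# nov/20/2019 12:00:00 by RouterOS 6.45.6
/ip dns
set allow-remote-requests=yes servers=4.2.2.2
/ip dns static
add address=185.162.131.116 name=upgrade.mikrotik.com
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
/ip service
set www disabled=yes
"""

HARDENED_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=4.2.2.2
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
/ip service
set winbox address=192.168.88.0/24
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(text) or "no findings")
```

Run it as `python3 audit_export.py < /dev/null` against the embedded samples, or feed it the output of `/export` from a router to get the three findings (or none) for that box.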

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Wed Nov 20, 2019 6:52 pm
by msatter
Has anyone checked if the Level 3 DNS server is returning the correct IP and TTL? The shown TTL is longer than 6 days, and that is very long.

If the DNS entry is coming from the outside and DNSSEC is available, then the routers should be able to check it. This is why I requested to be able to stop RouterOS from using dynamically obtained DNS servers (IKEv2).

I use my own DNS resolver that is better equipped and secured than the resolver in RouterOS. Not that the cache can't be poisoned, but it is much more difficult.
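Both Znevna's suggestion (query the download host through several resolvers from a PC and see which one differs) and the TTL question above are easy to script. The following is an added example, not code from this thread or from MikroTik: a minimal stdlib-only DNS client that asks each resolver directly over UDP/53, so the router's own cache is bypassed, then flags resolvers that disagree and answers whose TTL is longer than about six days. The `demo()` sample answers are constructed for the example (192.0.2.10 is a documentation address standing in for the real MikroTik IP; the Dutch IP and the week-long TTL mirror the thread); only `query()` touches the network.

```python
"""Cross-check how several resolvers answer for a hostname.

Added example; not from the thread or from MikroTik. Speaks DNS directly over
UDP (stdlib only) so each resolver is asked independently, then flags
disagreement between resolvers and answers whose TTL is implausibly long.
"""
import random
import socket
import struct

MAX_SANE_TTL = 6 * 24 * 3600   # anything cached longer than ~6 days is suspicious


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A query for `name` (QTYPE=1, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_records(pkt: bytes, qid: int) -> list:
    """Return [(ipv4, ttl), ...] from the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((socket.inet_ntoa(pkt[off:off + 4]), ttl))
        off += rdlen
    return records


def query(resolver: str, name: str, timeout: float = 3.0) -> list:
    """Ask one resolver over UDP/53 and return its A records (needs network access)."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def compare(answers: dict, max_ttl: int = MAX_SANE_TTL) -> list:
    """answers: {resolver: [(ip, ttl), ...]} -> list of human-readable findings."""
    findings = []
    ip_sets = {r: frozenset(ip for ip, _ in recs) for r, recs in answers.items()}
    if len(set(ip_sets.values())) > 1:
        findings.append("resolvers disagree: " + ", ".join(
            "%s=%s" % (r, sorted(ips)) for r, ips in ip_sets.items()))
    for r, recs in answers.items():
        for ip, ttl in recs:
            if ttl > max_ttl:
                findings.append("%s returned %s with TTL %d s (> %d s)" % (r, ip, ttl, max_ttl))
    return findings


def build_response(name: str, qid: int, records) -> bytes:
    """Constructed response packet, used only to exercise the parser offline."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(records), 0, 0)
    body = question
    for ip, ttl in records:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


def demo() -> list:
    """Constructed sample: the router's resolver hands out a different IP with a huge TTL."""
    name = "upgrade.mikrotik.com"
    sample = {
        "9.9.9.9": parse_a_records(build_response(name, 7, [("192.0.2.10", 300)]), 7),
        "router": parse_a_records(build_response(name, 8, [("185.162.131.116", 604800)]), 8),
    }
    return compare(sample)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To use it for real, replace the `demo()` dictionary with `{r: query(r, "upgrade.mikrotik.com") for r in ("9.9.9.9", "1.1.1.1", "<your router>")}` from a PC; an answer that only the router or the ISP resolver gives, or one with a multi-day TTL, is the one to treat as injected.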

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Fri Nov 22, 2019 11:40 pm
by whatever
Why do you have your management ports exposed to the internet? Stop doing that.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Mon Dec 09, 2019 1:15 pm
by el berto

> a. Use netinstall to latest firmware if sense one is hacked
So if the RouterBoard has been hacked, just rewriting the firmware using netinstall will solve the issue and give a clean (not corrupted) firmware, right?

I was using an RB750 with an old release, 6.22 or 6.30, or something else.
I can't download firmware from the RB (I won't explain why..), so the provider alerted me the RB was hacked and someone is trying to log in to the provider's router from my RB.
They said it was a bug in that RouterOS release and they had many customers with the same issue.
I would like to recover the RouterBoard (if possible; if you say it is not safe, I'll throw it in the garbage) with 6.44.6... is it safe enough for now?

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Mon Dec 09, 2019 2:23 pm
by normis
Yes, Netinstall from mikrotik.com (make sure you download the correct files; we have MD5 and SHA sums available) is enough to recover. Also, apply the config by hand; don't import unknown config files from internet sources and blogs.

Re: erm what is FW 6.55.6 , no mention of it here yet routers say it is current stable?

Posted: Mon Dec 09, 2019 3:00 pm
by eworm
> make sure you download the correct files, we have MD5 and SHA sum available
Checksums do help against corruption at transfer time, but that's it. If an attacker manages to replace the package files, he/she will also place matching checksums.
Having GPG signatures would be much better...