rextended
Forum Guru
Topic Author
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 6:03 am

As per title:
Changing rights / disable / delete the users has no effect on already logged in users.

For example: if you open a terminal, or even Winbox, with a user, and this user's permissions are changed, or the user is even disabled or deleted,
this user will still be logged into the terminal or Winbox until they log out.
If it is an administrative user, they would still have full powers, even if the user is deleted.

Tested with 6.48.7 and 7.10.2
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 9:03 am

To my knowledge, it's already like that for as long as I can remember.

One of the very first things I do when configuring a new device is creating a new user and deleting admin.
But I am logged in as admin at that point?! So I can delete myself?

When you open terminal from that session, it will ask for new user and passwd.
But Winbox lets you continue just fine.
 
Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 3:06 pm

Must be hot in Italy. :roll:
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 6:22 pm

I think this behavior is as old as UNIX /etc/passwd ;).

Right or wrong – IDK – but RouterOS has done this forever. Existing "login sessions" (winbox/terminal/ssh) keep their authentication (since it isn't re-checked). New ones fail. A "New Terminal" in winbox is a new session, so you'll see a prompt for creds for new logins after some change to /users.
 
Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 7:07 pm

Active users can be seen, it's up to the admin doing the user cleaning to kill the connections too, or script it.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 7:27 pm

Znevna wrote:
Active users can be seen, it's up to the admin doing the user cleaning to kill the connections too, or script it.
I mostly use branding packages, so really never get into this state.

But I'm not sure scripting would be too easy, since I'd expect this to work:
 /user/active/request-logout [find]
action failed (6)
and there is no "get" in /user/active to use in a :foreach in=[find] to even work around it...

And winbox doesn't have a "-" / remove (or "request-logout") in the "Active" tab in system/users...
 
Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 9:42 pm

I don't know what branding has to do with this topic.
So far this is only about a new feature request, as you discovered yourself (no easy way to kill an active user session).
Anyway, one could kill the connection using the firewall, or even cut access to the management VPN for that user, as a good admin should have.
No "security issue" :).
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 06, 2023 9:48 pm

Reboot.
Problem solved.
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 1:57 pm

I wrote a small script that detects logged-in users that do not exist in /users:
:foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"name"]) do={} else={:put "Warning: found a removed user that is still logged in: $[:tostr [/user/active get $item]]"}}
Warning: found a removed user that is still logged in: .id=*3;address=192.192.0.11;group=winbox;name=test;radius=false;via=winbox;when=2023-08-07 12:01:38
This could be run on a schedule and write to the log.

Removing the connection in connection tracking does not work. The removed user can reconnect even while the connection is gone.

MikroTik should allow removing the active session in /user/active and/or check on every reconnect whether the user still exists or whether the rights have been changed.

And a check for changing groups:
:foreach item in=[/user/active find] do={:if ([/user find group=[/user/active get $item]->"group"]) do={} else={:put "Warning: found a logged in user using a wrong group. Ask user to disconnect and reconnect to the services: $[:tostr [/user/active get $item]]"}}
Then this could be adapted to first find whether the user still exists or not. If the user exists, then the policies can be checked, knowing group/radius/via from /user/active.
 
rextended
Forum Guru
Topic Author
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 3:08 pm

Bravo! Thank you.
msatter wrote:
Removing the connection in connection tracking does not work. The removed user can reconnect even while the connection is gone.
...ah, actually that too, I hadn't considered it...
 
spippan
Member
Posts: 464
Joined: Wed Nov 12, 2014 1:00 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 10:00 pm

holvoetn wrote:
Reboot.
Problem solved.
no, not at all!
rOS has needed a "kill session" since FOREVER! even if it were CLI only ... but not even that is available and it drives me crazy.
in winbox there also should be a button to kill sessions - especially if i am the user with "full" privileges

even fs.com switches have such a "feature" (it is a basic function IMHO!)
MT routerOS still has nothing like that
opened a feature request (did not find one via search) -> viewtopic.php?t=198456
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 10:16 pm

Special policy "license to kill"..... the connection and not the user, of course.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 11:17 pm

Why there isn't a "-" in winbox, IDK...

But I think the CLI does work – just stupidly – but if you're trying to kill the current session and/or winbox, some things go to an on-error=. So a more complex expression should work:
/user/active {
    :local lsess [print as-value where name~".*"];
    :foreach i in=$lsess do={
        :do { request-logout ($i->".id") } on-error={}
    }
}
Now if you don't want all sessions, change the "where" clause or name~ regex.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 11:32 pm

Amm0 wrote:
Why there isn't a "-" in winbox, IDK...
And, in an ideal world, at least prompt if you attempt to disable and/or delete a user that has active sessions...
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Mon Aug 07, 2023 11:36 pm

Play with the tools you have.
Reboot.
Done. :lol:
 
spippan
Member
Posts: 464
Joined: Wed Nov 12, 2014 1:00 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Tue Aug 08, 2023 12:00 am

holvoetn wrote:
Play with the tools you have.
Reboot.
Done. :lol:
is this some kind of useless trolling?

a PROD router is not always eligible for "just a quick reboot"
imagine a BGP router has this issue and needs a reboot ...
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Tue Aug 08, 2023 2:20 am

@Amm0, thanks for finding that; it indeed closes the terminal (CLI) in the Winbox of the user that does not exist anymore. A disabled user is another possible option.

This can select the correct user to be booted from the terminal. Winbox seems to cache stuff and with that it can reconnect.
:foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"name"]) do={} else={:do {/user/active request-logout $item} on-error={:put "bugger"}}}
bugger
01:12:47 echo: system,error,critical login failure for user test from 192.168.0.11 via local 
Displayed in the second Winbox, where the user has been requested to log out:
[attachment: Disconnected.JPG]
Then whoever wants to can do more tests on which other connections it closes. It does not close Winbox. The terminal is closed and logging in again is not allowed.

Update: the check for disabled users would be:
:foreach item in=[/user/active find] do={:if ([/user find name=[/user/active get $item]->"name" disabled]) do={:do {/user/active request-logout $item} on-error={:put "bugger"}}}
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Tue Aug 08, 2023 8:14 am

spippan wrote:
is this some kind of useless trolling?

a PROD router is not always eligible for "just a quick reboot"
imagine a BGP router has this issue and needs a reboot ...
In all seriousness:
I am quite aware a reboot cannot be done on some devices whenever you want.
But equally, I cannot understand that an admin of such a device would have user profiles lingering around which would potentially require such actions to get rid of an unwanted user session.
Because from what I see, it's still left unanswered how to deal with winbox sessions. An unwanted person having such a session open can potentially still do whatever he/she wants (given the user has/had admin rights). Even revert all changes the earlier admin just made.

Given ROS is not really an environment where you can add a lot of granularity/functionality/handling to user profiles (unlike the underlying Linux environment), the only way out I currently see with my still limited knowledge of ROS is ... reboot. Like it or not.
With all the consequences it has, obviously. But sometimes that's the better choice.

Whatever the environment, if you've got unwanted visitors on your devices and the only way to get out of the loop is to reboot the systems, I want to see an admin who chooses NOT to do so while he sees loads of money draining away because of business interruptions.

As it happens to be: my client got news yesterday afternoon from a MAJOR WORLDWIDE player in the adhesive business indicating they will bring all their systems off line for a WEEK because of hacker attack. All their systems potentially compromised. Production facilities worldwide down. Even their VPN/LAN/Wifi environment (probably some central authentication system in the background which controls everything).
I am pretty sure the moment they discovered the hack, some systems WILL have been SHUT DOWN at the moment only to be rebooted in an isolated manner.
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Wed Aug 09, 2023 3:07 am

Taken offline, in a business product environment are you insane, you bad bad troll. ;-)
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Wed Aug 09, 2023 10:51 am

I found it very disturbing that this thread was closed while I was still very active with this, even though the problem did not affect me directly.

MikroTik could, in a short time, add the options to log out removed/disabled users automatically. First for local and then for the other services.

Another thing is services that are left open, and there should be a tool to lock or close those after a set time.

Winbox and maybe Web are caching and can hold the connection open. There should then be an option to select the current behavior or a new behavior that rechecks rights every so many minutes. If the rights change, then the user has to log in again or the session is blocked after a timeout.
 
rextended
Forum Guru
Topic Author
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Wed Aug 09, 2023 12:48 pm

I agree with everything you wrote.
 
Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Wed Aug 09, 2023 1:09 pm

I'm so glad that this is the last bug/feature to be fixed in RouterOS while all the other bugs were reported and fixed already.
One could say that this makes RouterOS great again.
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sat Aug 12, 2023 2:15 pm

So after reading and a lot of testing, I can disconnect a user locally at the moment the change is made in /user. Because the change is made in /user, the script is watching that and not /user/active:
# activate reading the .id from global
:global eventPathUser;

# remove the previously running event script (:execute)
:do { /system script job remove $eventPathUser } on-error={:log error "Script .id not found"}

:global eventPathUser [:execute {
    /user print follow-only [
        :foreach item in=[/user/active find] do={
            # disabled user
            :if ([/user find name=[/user/active get $item]->"name" disabled]) do={
                :do {/user/active request-logout $item} on-error={}
            }
            # removed user
            :if ([/user find name=[/user/active get $item]->"name"]) do={} else={
                :do {/user/active request-logout $item} on-error={}
            }
        }; # end foreach
    ]; # end print
}; # end execute
]; # end eventpath
There can be more than one :if do in the :foreach, so more checks can be made.

I tested it in the scheduler and I had an interval of 10 seconds. This can be hours, a day or even until reboot. Warning: disabling the schedule does not stop the script that is already started; to stop it you have to run this command in the terminal:
 /system script job remove $eventPathUser 
If you are going to create more than one event checker, then use a unique global variable for each. Say, for the log: eventPathLogTopicsAccount for checking the log for lines with account in topics [/log print follow-only where topics~"account"]
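The three checks that msatter's scripts above perform one at a time (user removed, user disabled, user's group no longer matching the group recorded at login) carried through in a single pass, as an added Python example that is not code from this thread or from MikroTik. It works on records shaped like the output of /user print as-value and /user/active print as-value (the /user/active field names .id, address, group, name, radius, via and when are the ones shown in the earlier warning output). All user names, addresses and session records below are constructed; skipping radius=true sessions and excluding the caller's own session are assumptions taken from the discussion, not behaviour of the scripts above.

```python
"""Audit RouterOS /user/active sessions against the current /user table.

Added example, not code from the forum thread. Input records are assumed to be
shaped like "/user print as-value" and "/user/active print as-value" output.
"""

# Constructed sample /user table: an admin has deleted "test", disabled "bob"
# and moved "carol" from the "full" group to the "read" group.
USERS = [
    {".id": "*1", "name": "admin", "group": "full", "disabled": False},
    {".id": "*2", "name": "bob", "group": "full", "disabled": True},
    {".id": "*3", "name": "carol", "group": "read", "disabled": False},
]

# Constructed /user/active records for sessions opened before those changes.
# Field names follow the /user/active output quoted in the thread.
ACTIVE = [
    {".id": "*1", "address": "192.0.2.10", "group": "full", "name": "admin",
     "radius": False, "via": "winbox", "when": "2023-08-07 11:58:02"},
    {".id": "*3", "address": "192.0.2.11", "group": "full", "name": "test",
     "radius": False, "via": "winbox", "when": "2023-08-07 12:01:38"},
    {".id": "*4", "address": "192.0.2.12", "group": "full", "name": "bob",
     "radius": False, "via": "ssh", "when": "2023-08-07 12:02:10"},
    {".id": "*5", "address": "192.0.2.13", "group": "full", "name": "carol",
     "radius": False, "via": "winbox", "when": "2023-08-07 12:03:44"},
    # RADIUS-authenticated user: never present in /user (assumption from the
    # thread), so a local comparison cannot say anything about its rights.
    {".id": "*6", "address": "192.0.2.14", "group": "full", "name": "rad-ops",
     "radius": True, "via": "ssh", "when": "2023-08-07 12:05:00"},
]


def audit_sessions(users, active):
    """Return [(session, reason)] for sessions that no longer match /user.

    reason is "removed", "disabled" or "group changed <old> -> <new>".
    Sessions authenticated via RADIUS are skipped, since /user has no entry
    for them.
    """
    by_name = {u["name"]: u for u in users}
    findings = []
    for session in active:
        if session.get("radius"):
            continue
        user = by_name.get(session["name"])
        if user is None:
            findings.append((session, "removed"))
        elif user["disabled"]:
            findings.append((session, "disabled"))
        elif user["group"] != session["group"]:
            findings.append((session, f"group changed {session['group']} -> {user['group']}"))
    return findings


def logout_targets(findings, own_session_id=None):
    """/user/active ids to hand to request-logout.

    The caller's own session is left out: the thread reports request-logout
    fails with "action failed" on the session that issues it.
    """
    return [s[".id"] for s, _ in findings if s[".id"] != own_session_id]


def format_warning(session, reason):
    """One log line per finding, in the style of the :put warnings above."""
    fields = ";".join(f"{key}={value}" for key, value in session.items())
    return f"Warning: {reason} user still logged in: {fields}"


if __name__ == "__main__":
    found = audit_sessions(USERS, ACTIVE)
    for session, reason in found:
        print(format_warning(session, reason))
    print("request-logout:", logout_targets(found, own_session_id="*1"))
```

Nothing in this block talks to a router; the ids returned by logout_targets are what a RouterOS script would pass to /user/active request-logout inside the :do {...} on-error={} wrapper shown earlier in the thread, one id at a time.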
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sun Aug 13, 2023 1:57 am

Hi msatter, would that be useful in a home network, or is this strictly business stuff?
 
BrianHiggins
Forum Veteran
Posts: 720
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 17, 2023 7:13 pm

msatter wrote:
I wrote a small script that detects logged-in users that do not exist in /users:
Most of my devices use RADIUS to authenticate users, so they never exist in /users, so.....
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 17, 2023 8:02 pm

msatter wrote:
I wrote a small script that detects logged-in users that do not exist in /users:
BrianHiggins wrote:
Most of my devices use RADIUS to authenticate users, so they never exist in /users, so.....
Not sure. BUT... I'd bet the RADIUS users still show up in /user/active, and if you disable them in RADIUS while winbox is still open, they'd have access until winbox was closed.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 17, 2023 8:07 pm

anav wrote:
Hi msatter, would that be useful in a home network, or is this strictly business stuff?
I guess if your spouse had an account on the router, and you got a divorce. But you fire a network admin more often.
 
BrianHiggins
Forum Veteran
Posts: 720
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 17, 2023 8:33 pm

BrianHiggins wrote:
Most of my devices use RADIUS to authenticate users, so they never exist in /users, so.....
Amm0 wrote:
Not sure. BUT... I'd bet the RADIUS users still show up in /user/active, and if you disable them in RADIUS while winbox is still open, they'd have access until winbox was closed.
They certainly do show up in /users/active, and if you disabled them in RADIUS while logged in, the router would never know, since the credentials are cached for the duration of the session.

While I don't feel this is a huge issue that exposes any major security hole in ROS by lacking the ability to log out / disconnect an active user (regardless of how they got connected), I do think it's something that should at some point be addressed and added (really should have been done ~10 years ago, but it's also a rarely needed function and the handful of times I've ever needed it in the past 18 years, I eventually did just reboot the device, not that I consider that a good option).
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 17, 2023 9:18 pm

BrianHiggins wrote:
...I eventually did just reboot the device, not that I consider that a good option).
Well, now that you mention it ... :lol:
 
sup5
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Fri Aug 18, 2023 9:05 am

You could also terminate a user's session by killing his connection tracking entry or by setting up a firewall rule dropping his specific IP/TCP-port tuple.

The user session should run into a session timeout.
 
mada3k
Forum Veteran
Posts: 741
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sat Aug 19, 2023 11:22 am

All operating systems work like this. Permissions are checked at login - not during the session.
 
sup5
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sat Aug 19, 2023 11:55 am

That's not true.
With proper triple A in place, every command put into the CLI is being checked against the central AAA appliance.
(TACACS+)

Furthermore, nearly every other vendor besides MikroTik allows manual deletion of active user sessions.
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Sat Aug 19, 2023 12:04 pm

That was all already exchanged. Connection tracking has no power in this. Firewall it, but how, when all are behind a NAT? You might then block on src-port.

Best is session control, and on a change to a user, check every active connection to see if it still has the rights to be connected.

So it does not have to be a constant sweep, but only on event. That makes it much easier.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 31, 2023 6:20 pm

FWIW, this same issue comes up with the REST API too: viewtopic.php?p=1022624#p1022512

And, even more unexpected... since login is provided per-call and REST HTTP isn't a "session"...
 
DarkNate
Forum Guru
Posts: 1065
Joined: Fri Jun 26, 2020 4:37 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Thu Aug 31, 2023 8:45 pm

I've seen this on MikroTik, but what about other vendors?

Plain Debian, or whatever, or any big vendor. Do they proactively kill user sessions upon deletion immediately?
 
spippan
Member
Posts: 464
Joined: Wed Nov 12, 2014 1:00 pm

Re: ⚠️Security Issue: Changing rights / disable / delete the users has no effect on already logged in users.

Fri Sep 01, 2023 1:54 am

DarkNate wrote:
I've seen this on MikroTik, but what about other vendors?

Plain Debian, or whatever, or any big vendor. Do they proactively kill user sessions upon deletion immediately?
don't know about upon deletion, but you have the option to kill a session proactively
something which is not possible at all on rOS
