[GTER] Advisory: Vulnerability exploiting the Winbox port

[Andre Almeida]

https://forum.mikrotik.com/viewtopic.php?f=21&t=133533

We have discovered a new RouterOS vulnerability affecting all RouterOS
versions since v6.29.

*How it works*: The vulnerability allowed a special tool to connect to the
Winbox port, and request the system user database file.

*Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in all
release chains coming ASAP.

*Am I affected?* Currently there is no sure way to see if you were
affected. If your Winbox port is open to untrusted networks, assume that
you are affected and upgrade + change password + add firewall. The log may
show unsuccessful login attempt, followed by a succefful login attempt from
unknown IP addresses.

*What do do*: 1) *Firewall* the Winbox port from the public interface, and
from untrusted networks. It is best, if you only allow known IP addresses
to connect to your router to any services, not just Winbox. We suggest this
to become common practice. As an alternative, possibly easier, use the "IP
-> Services" menu to specify "*Allowed From*" addresses. Include your LAN,
and the public IP that you will be accessing the device from. 2) *Change
your passwords. *

*What to expect in the coming hours/days*: Updated RouterOS versions coming
ASAP. RouterOS user database security will be hardened, and deciphering
will no longer be possible in the same manner.


Andre