[GTER] Advisory: Vulnerability exploiting the Winbox port

Joao Paulo Saldanha jp.saldanha4 at gmail.com
Mon Apr 23 11:37:17 -03 2018


Let's pay attention to security:

I wrote a few simple rules here that can help friends protect their
MikroTik devices. They can be applied to all RBs.

# Sources allowed to reach Winbox
/ip firewall address-list
add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
add address=SEU_PREFIXO_2 list=ACCESSO_WINBOX
add address=100.64.0.0/10 list=ACCESSO_WINBOX
add address=192.168.0.0/16 list=ACCESSO_WINBOX
add address=172.16.0.0/12 list=ACCESSO_WINBOX
add address=10.0.0.0/8 list=ACCESSO_WINBOX

# Drop Winbox (tcp/8291) to the router and through it from any other source
/ip firewall filter
add action=drop chain=input comment=PROTECAO_WINBOX dst-port=8291 \
    protocol=tcp src-address-list=!ACCESSO_WINBOX
add action=drop chain=forward comment=PROTECAO_WINBOX dst-port=8291 \
    protocol=tcp src-address-list=!ACCESSO_WINBOX

# Move the two rules to the top of the filter list
/ip firewall filter move [/ip firewall filter find comment=PROTECAO_WINBOX] 0

# Restrict the Winbox service itself to the same sources
/ip service
set winbox address="SEU_PREFIXO_1/21,SEU_PREFIXO_2/22,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


Pay attention to the SEU_PREFIXO_1 and SEU_PREFIXO_2 fields. Put your own
ranges in their place; if you have more than 2, replicate the rule. If you
need clarification, you can contact me.
Another detail: we are blocking all access to the default port 8291.
If you sell transit, you will need to allow it before the block, otherwise
your customer will be left without external access to their Winbox.

2018-04-23 9:20 GMT-03:00 Andre Almeida <andre at bnet.com.br>:

> https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
>
> We have discovered a new RouterOS vulnerability affecting all RouterOS
> versions since v6.29.
>
> *How it works*: The vulnerability allowed a special tool to connect to the
> Winbox port, and request the system user database file.
>
> *Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in all
> release chains coming ASAP.
>
> *Am I affected?* Currently there is no sure way to see if you were
> affected. If your Winbox port is open to untrusted networks, assume that
> you are affected and upgrade + change password + add firewall. The log may
> show unsuccessful login attempt, followed by a successful login attempt from
> unknown IP addresses.
>
> *What to do*: 1) *Firewall* the Winbox port from the public interface, and
> from untrusted networks. It is best, if you only allow known IP addresses
> to connect to your router to any services, not just Winbox. We suggest this
> to become common practice. As an alternative, possibly easier, use the "IP
> -> Services" menu to specify "*Allowed From*" addresses. Include your LAN,
> and the public IP that you will be accessing the device from. 2) *Change
> your passwords.*
>
> *What to expect in the coming hours/days*: Updated RouterOS versions coming
> ASAP. RouterOS user database security will be hardened, and deciphering
> will no longer be possible in the same manner.
>
>
> Andre
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>
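
An added example, not part of the original messages: a log check for the pattern the quoted advisory describes (a Winbox login from an unknown address, possibly right after a failed one), using the allow-list ranges from the rules above. The log line format, the 203.0.113.0/24 stand-in for SEU_PREFIXO_1 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Trusted sources: the private/CGNAT ranges from the rules above plus a
# constructed documentation prefix standing in for SEU_PREFIXO_1.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24", "100.64.0.0/10", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16")]

# Assumed RouterOS log message shapes; adjust to match your own log export.
FAIL = re.compile(r"login failure for user (\S+) from (\S+) via winbox")
OK = re.compile(r"user (\S+) logged in from (\S+) via winbox")

# Constructed sample log lines (not from a real router).
SAMPLE_LOG = """\
apr/23 03:10:01 system,error,critical login failure for user admin from 198.51.100.7 via winbox
apr/23 03:10:04 system,info,account user admin logged in from 198.51.100.7 via winbox
apr/23 08:00:12 system,info,account user admin logged in from 192.168.88.10 via winbox
apr/23 09:15:40 system,error,critical login failure for user noc from 10.1.2.3 via winbox
apr/23 11:02:33 system,info,account user noc logged in from 192.0.2.44 via winbox
"""

def is_trusted(ip):
    """True if ip falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def suspicious_logins(log_text):
    """Return (user, ip, preceded_by_failure) for Winbox logins from untrusted IPs."""
    failed_from = set()   # source IPs that have already failed a login
    findings = []
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            failed_from.add(m.group(2))
            continue
        m = OK.search(line)
        if m and not is_trusted(m.group(2)):
            user, ip = m.groups()
            findings.append((user, ip, ip in failed_from))
    return findings

if __name__ == "__main__":
    for user, ip, after_fail in suspicious_logins(SAMPLE_LOG):
        tag = "failure then success" if after_fail else "success only"
        print(f"{ip} logged in as {user} via winbox ({tag})")
```
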


