[GTER] Advisory: Vulnerability exploiting the Winbox port

Joao Paulo Saldanha jp.saldanha4 at gmail.com
Mon Apr 23 11:37:17 -03 2018

Let's pay attention to security:

I put together a few rules here that may help friends protect their
MikroTik devices. They can be applied to all RBs.

/ip firewall address-list
add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
add address=SEU_PREFIXO_2 list=ACCESSO_WINBOX
# repeat the line above for each additional prefix you manage from
/ip firewall filter
add action=drop chain=input comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
add action=drop chain=forward comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
/ip firewall filter move [/ip firewall filter find comment=PROTECAO_WINBOX] 0
/ip service
set winbox address="SEU_PREFIXO_1/21,SEU_PREFIXO_2/22"

Pay attention to the fields SEU_PREFIXO_1 and SEU_PREFIXO_2. Put your own
ranges in their place; if you have more than 2, replicate the rule. If you
need clarification, you can contact me.
Another detail: we are blocking all access to the default port 8291. If you
sell transit, you will need to allow it before the block, otherwise your
customer will lose external access to their Winbox.

2018-04-23 9:20 GMT-03:00 Andre Almeida <andre at bnet.com.br>:

> https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
> We have discovered a new RouterOS vulnerability affecting all RouterOS
> versions since v6.29.
> *How it works*: The vulnerability allowed a special tool to connect to the
> Winbox port, and request the system user database file.
> *Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in all
> release chains coming ASAP.
> *Am I affected?* Currently there is no sure way to see if you were
> affected. If your Winbox port is open to untrusted networks, assume that
> you are affected and upgrade + change password + add firewall. The log may
> show an unsuccessful login attempt, followed by a successful login attempt from
> unknown IP addresses.
> *What to do*: 1) *Firewall* the Winbox port from the public interface, and
> from untrusted networks. It is best, if you only allow known IP addresses
> to connect to your router to any services, not just Winbox. We suggest this
> to become common practice. As an alternative, possibly easier, use the "IP
> -> Services" menu to specify "*Allowed From*" addresses. Include your LAN,
> and the public IP that you will be accessing the device from. 2) *Change
> your passwords. *
> *What to expect in the coming hours/days*: Updated RouterOS versions coming
> ASAP. RouterOS user database security will be hardened, and deciphering
> will no longer be possible in the same manner.
> Andre
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
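The log indicator Andre describes (a failed login followed by a successful one from an unknown address) can be checked against the same trusted prefixes that go into the ACCESSO_WINBOX list. This is an added example, not code from either poster; the log line format follows RouterOS's usual login messages but is assumed here, and all addresses and log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Trusted management prefixes: the ranges you would place in the
# ACCESSO_WINBOX address-list. Constructed values for this example.
TRUSTED_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("198.51.100.0/24", "203.0.113.0/25")]

# RouterOS login messages look roughly like these (format assumed here):
#   "login failure for user admin from 192.0.2.7 via winbox"
#   "user admin logged in from 192.0.2.7 via winbox"
FAIL_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\w+)")
OK_RE = re.compile(r"user (\S+) logged in from (\S+) via (\w+)")

def is_trusted(addr):
    """True if addr falls inside one of the trusted prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PREFIXES)

def find_suspicious_logins(lines):
    """Return (ip, user, preceding_failures) for every successful Winbox
    login from an address outside the trusted prefixes. The failure count
    makes the failure-then-success pattern from the advisory visible."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            _user, ip, _svc = m.groups()
            failures[ip] += 1
            continue
        m = OK_RE.search(line)
        if not m:
            continue
        user, ip, svc = m.groups()
        if svc == "winbox" and not is_trusted(ip):
            hits.append((ip, user, failures.get(ip, 0)))
    return hits

# Constructed sample log lines in RouterOS style (timestamp, topics, message).
SAMPLE_LOG = [
    "apr/23 09:14:58 system,error,critical login failure for user admin from 192.0.2.7 via winbox",
    "apr/23 09:15:02 system,info,account user admin logged in from 192.0.2.7 via winbox",
    "apr/23 09:20:11 system,info,account user admin logged in from 198.51.100.12 via winbox",
    "apr/23 09:21:40 system,info,account user admin logged in from 192.0.2.9 via ssh",
]

if __name__ == "__main__":
    for ip, user, nfail in find_suspicious_logins(SAMPLE_LOG):
        print(f"untrusted winbox login: {ip} as {user} after {nfail} failure(s)")
```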
