[GTER] Advisory: Vulnerability exploiting the Winbox port

Fernando Frediani fhfrediani at gmail.com
Tue Apr 24 02:02:50 -03 2018


When you use /ip services, I believe you do not need to use firewall 
rules. Those who have Fast-path enabled will not lose that feature, 
which is quite important for router performance.

Be careful with rules that block forward traffic. However well-intentioned 
they may be, they can easily violate the Marco Civil da Internet by blocking 
something that your customer (whether a transit or a broadband customer) 
does not want blocked.

Fernando

On 23/04/2018 11:37, Joao Paulo Saldanha wrote:
> Let's pay attention to security:
>
> I put together a few small rules here that may help friends protect their
> MikroTik. They can be applied to all RBs.
>
> /ip firewall address-list
> add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
> add address=SEU_PREFIXO_2 list=ACCESSO_WINBOX
> add address=100.64.0.0/10 list=ACCESSO_WINBOX
> add address=192.168.0.0/16 list=ACCESSO_WINBOX
> add address=172.16.0.0/12 list=ACCESSO_WINBOX
> add address=10.0.0.0/8 list=ACCESSO_WINBOX
>
> /ip firewall filter
> add action=drop chain=input comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
> add action=drop chain=forward comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>
> /ip firewall filter move [/ip firewall filter find comment=PROTECAO_WINBOX] 0
>
> /ip service
> set winbox address="SEU_PREFIXO_1/21,SEU_PREFIXO_2/22,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
>
> Pay attention to the SEU_PREFIXO_1 and SEU_PREFIXO_2 fields. Put your own
> ranges in their place; if you have more than 2, replicate the rule. If you
> need clarification, you can contact me.
> Another detail: we are blocking all access to the default port 8291.
> If you sell transit, you will need to allow it before the block, otherwise
> your customer will lose external access to their Winbox.
>
> 2018-04-23 9:20 GMT-03:00 Andre Almeida <andre at bnet.com.br>:
>
>> https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
>>
>> We have discovered a new RouterOS vulnerability affecting all RouterOS
>> versions since v6.29.
>>
>> *How it works*: The vulnerability allowed a special tool to connect to the
>> Winbox port, and request the system user database file.
>>
>> *Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in all
>> release chains coming ASAP.
>>
>> *Am I affected?* Currently there is no sure way to see if you were
>> affected. If your Winbox port is open to untrusted networks, assume that
>> you are affected and upgrade + change password + add firewall. The log may
>> show an unsuccessful login attempt, followed by a successful login attempt
>> from unknown IP addresses.
>>
>> *What to do*: 1) *Firewall* the Winbox port from the public interface, and
>> from untrusted networks. It is best if you only allow known IP addresses
>> to connect to your router to any services, not just Winbox. We suggest this
>> to become common practice. As an alternative, possibly easier, use the "IP
>> -> Services" menu to specify "*Allowed From*" addresses. Include your LAN,
>> and the public IP that you will be accessing the device from. 2) *Change
>> your passwords.*
>>
>> *What to expect in the coming hours/days*: Updated RouterOS versions coming
>> ASAP. RouterOS user database security will be hardened, and deciphering
>> will no longer be possible in the same manner.
>>
>>
>> Andre
>> --
>> gter list    https://eng.registro.br/mailman/listinfo/gter
>>
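The advisory quoted above says the log may show an unsuccessful login attempt followed by a successful one from an unknown address. As an added example, not code from any post in this thread, the Python script below applies that check to constructed RouterOS-style log lines. The trusted prefixes stand in for the ACCESSO_WINBOX address-list from the thread (the documentation range 198.51.100.0/24 substitutes for SEU_PREFIXO_1), and the exact shape of the log lines is an assumption modelled on RouterOS account logging; adjust the regular expression to what your router actually emits.

```python
"""Check RouterOS log lines for the indicator described in the advisory:
a failed login followed by a successful login from an address outside the
trusted prefixes (what the ACCESSO_WINBOX address-list would hold)."""
import ipaddress
import re
from collections import defaultdict

# Trusted prefixes (assumed): the RFC 1918 and CGNAT ranges from the thread,
# plus a documentation range standing in for SEU_PREFIXO_1.
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "198.51.100.0/24",
)]

# Line shape is an assumption modelled on RouterOS "system,...,account" logs:
#   <date> <time> <topics> login failure for user U from IP via SERVICE
#   <date> <time> <topics> user U logged in from IP via SERVICE
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<topics>[\w,]+) (?:"
    r"(?P<fail>login failure for user (?P<fuser>\S+) from (?P<fip>\S+) via (?P<fvia>\w+))"
    r"|(?P<ok>user (?P<ouser>\S+) logged in from (?P<oip>\S+) via (?P<ovia>\w+))"
    r")$"
)


def is_trusted(ip: str) -> bool:
    """True when ip falls inside one of the trusted prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PREFIXES)


def find_suspicious_logins(lines):
    """Return one dict per successful login worth a look.

    reason == "failure_then_success": the advisory's pattern, a success from an
    untrusted address that had at least one earlier failure.
    reason == "untrusted_login": a success from an untrusted address with no
    prior failure; not the advisory's pattern, but with a Winbox whitelist in
    place such a login should not be possible at all.
    """
    failures = defaultdict(int)  # untrusted-or-not, count failures per source IP
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        if m.group("fail"):
            failures[m.group("fip")] += 1
            continue
        ip = m.group("oip")
        if is_trusted(ip):
            continue  # expected: an address the operator allowed
        hits.append({
            "ts": m.group("ts"),
            "ip": ip,
            "user": m.group("ouser"),
            "via": m.group("ovia"),
            "reason": "failure_then_success" if failures[ip] else "untrusted_login",
        })
    return hits


# Constructed sample log, not captured from a real router.
SAMPLE_LOG = """\
apr/23 09:18:40 system,error,critical login failure for user admin from 203.0.113.77 via winbox
apr/23 09:18:44 system,info,account user admin logged in from 203.0.113.77 via winbox
apr/23 09:20:02 system,info,account user admin logged in from 192.168.88.5 via winbox
apr/23 09:21:10 system,error,critical login failure for user admin from 198.51.100.9 via winbox
apr/23 09:21:15 system,info,account user admin logged in from 198.51.100.9 via winbox
apr/23 09:25:00 system,info,account user admin logged in from 203.0.113.200 via ssh
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["reason"]}: {hit["user"]} from {hit["ip"]} via {hit["via"]}')
```

On the constructed sample this reports the 203.0.113.77 login as the advisory's failure-then-success pattern and the 203.0.113.200 SSH login as a plain untrusted login, while the logins from 192.168.88.5 and 198.51.100.9 are ignored because they fall inside trusted prefixes. Reporting any success from outside the whitelist goes slightly beyond the advisory's wording, but it is the right bar once the /ip service or address-list restriction from this thread is in place.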
