[GTER] Advisory: Vulnerability exploiting the Winbox port

Silvio Licht Ahmad silviola at gmail.com
Tue Apr 24 15:05:54 -03 2018


Frediani, I didn't understand "when you use IP Services"?

Here, for example, in these options I keep everything disabled except Winbox
(but I created rules to accept only internal access, or external access from
safe ranges that I designate; the problem is that this is a bit burdensome,
since on a day when I'm traveling I won't be able to connect from wherever I
want).




2018-04-24 2:02 GMT-03:00 Fernando Frediani <fhfrediani at gmail.com>:

> When you use /ip services I believe you don't need firewall rules. For those
> who have Fast-path enabled, you won't lose that functionality, which is quite
> important for router performance.
>
> Be careful with forward block rules. However well intentioned they may be,
> they can easily violate the Marco Civil da Internet by blocking something
> your customer (whether transit or broadband) does not want blocked.
>
> Fernando
>
> On 23/04/2018 11:37, Joao Paulo Saldanha wrote:
>
>> Let's pay attention to security:
>>
>> I put together a few little rules here that may help friends protect their
>> MikroTik. The same can be applied to all RBs.
>>
>> /ip firewall address-list
>> add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
>> add address=SEU_PREFIXO_2 list=ACCESSO_WINBOX
>> add address=100.64.0.0/10 list=ACCESSO_WINBOX
>> add address=192.168.0.0/16 list=ACCESSO_WINBOX
>> add address=172.16.0.0/12 list=ACCESSO_WINBOX
>> add address=10.0.0.0/8 list=ACCESSO_WINBOX
>>
>> /ip firewall filter
>> add action=drop chain=input comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>> add action=drop chain=forward comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>>
>> /ip firewall filter move [/ip firewall filter find comment=PROTECAO_WINBOX] 0
>>
>> /ip service
>> set winbox address="SEU_PREFIXO_1/21,SEU_PREFIXO_2/22,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
>>
>> Pay attention to the SEU_PREFIXO_1 and SEU_PREFIXO_2 fields. Put your own
>> ranges in their place; if you have more than 2, replicate the rule. If you
>> need clarification you can reach me.
>> Another detail: we are blocking all access to the default port 8291. If
>> you sell transit, you will need to allow it before the block, otherwise
>> your customer will lose external access to their Winbox.
>>
>> 2018-04-23 9:20 GMT-03:00 Andre Almeida <andre at bnet.com.br>:
>>
>>> https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
>>>
>>> We have discovered a new RouterOS vulnerability affecting all RouterOS
>>> versions since v6.29.
>>>
>>> *How it works*: The vulnerability allowed a special tool to connect to the
>>> Winbox port, and request the system user database file.
>>>
>>> *Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in all
>>> release chains coming ASAP.
>>>
>>> *Am I affected?* Currently there is no sure way to see if you were
>>> affected. If your Winbox port is open to untrusted networks, assume that
>>> you are affected and upgrade + change password + add firewall. The log may
>>> show an unsuccessful login attempt, followed by a successful login attempt
>>> from unknown IP addresses.
>>>
>>> *What to do*: 1) *Firewall* the Winbox port from the public interface, and
>>> from untrusted networks. It is best if you only allow known IP addresses
>>> to connect to your router for any services, not just Winbox. We suggest
>>> this become common practice. As an alternative, possibly easier, use the
>>> "IP -> Services" menu to specify "*Allowed From*" addresses. Include your
>>> LAN, and the public IP that you will be accessing the device from.
>>> 2) *Change your passwords.*
>>>
>>> *What to expect in the coming hours/days*: Updated RouterOS versions coming
>>> ASAP. RouterOS user database security will be hardened, and deciphering
>>> will no longer be possible in the same manner.
>>>
>>>
>>> Andre
>>> --
>>> gter list    https://eng.registro.br/mailman/listinfo/gter
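As an added example (not code from the thread or from MikroTik), the Python script below mirrors the ACCESSO_WINBOX allow-list logic from the rules above, checks that each "internal" entry really lies in RFC1918 or CGNAT space (the kind of check that catches a slip such as 172.160.0.0/12 where 172.16.0.0/12 was meant), and scans constructed RouterOS-style log lines for the pattern the advisory describes: a failed Winbox login followed by a successful one from an address outside the allow-list. The prefixes 203.0.113.0/24 and 198.51.100.0/24 stand in for SEU_PREFIXO_1/2, and the exact log line format is an assumption.

```python
import ipaddress
import re

# Constructed allow-list mirroring the ACCESSO_WINBOX address-list from the thread;
# the SEU_PREFIXO_* entries are replaced by documentation prefixes (placeholders).
ALLOWED = ["203.0.113.0/24", "198.51.100.0/24", "100.64.0.0/10",
           "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
# Ranges the list is meant to cover besides the operator's own prefixes.
INTERNAL = ["100.64.0.0/10", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def is_internal_range(entry):
    """True if entry lies inside RFC1918 or CGNAT space. A typo such as
    172.160.0.0/12 is public space and would silently whitelist it."""
    net = ipaddress.ip_network(entry, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in INTERNAL)

def winbox_allowed(src, allowed=ALLOWED):
    """Mirror the input-chain rule: tcp/8291 is dropped unless src is in the list."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed)

# Constructed log lines in the shape RouterOS uses for winbox logins (assumed format).
SAMPLE_LOG = [
    "apr/24 10:01:02 system,error,critical login failure for user admin from 198.18.0.7 via winbox",
    "apr/24 10:01:05 system,info,account user admin logged in from 198.18.0.7 via winbox",
    "apr/24 10:30:00 system,info,account user admin logged in from 192.168.88.2 via winbox",
]
LOG_RE = re.compile(
    r"^\S+ \S+ system,\S+ (?:login failure for user (?P<fail_user>\S+)"
    r"|user (?P<ok_user>\S+) logged in) from (?P<ip>[\d.]+) via (?P<svc>\w+)$"
)

def suspicious_logins(lines, allowed=ALLOWED):
    """Flag successful winbox logins from outside the allow-list, noting whether a
    failed attempt from the same address preceded them (the advisory's pattern)."""
    failed, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["svc"] != "winbox":
            continue
        if m["fail_user"]:
            failed.add(m["ip"])
        elif not winbox_allowed(m["ip"], allowed):
            hits.append((m["ip"], m["ok_user"], m["ip"] in failed))
    return hits

if __name__ == "__main__":
    print([e for e in ALLOWED if not is_internal_range(e)])  # operator prefixes only
    print(suspicious_logins(SAMPLE_LOG))
```

Run it against a real /log export once the regex is adjusted to your firmware's exact wording; entries flagged with True are the failed-then-successful sequence the advisory tells you to look for.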