[GTER] Advisory: Vulnerability exploiting the Winbox port

Andrio Prestes Jasper mascaraapj at gmail.com
Tue Apr 24 16:12:50 -03 2018


now we'll have to update the RBs every week hahahahaha
it's like a Kinder egg: every new version, a surprise

On 24 April 2018 at 15:12, Andrio Prestes Jasper <mascaraapj at gmail.com>
wrote:

> now we'll have to update the RBs every week hahahahaha
>
> On 24 April 2018 at 14:05, Silvio Licht Ahmad <silviola at gmail.com>
> wrote:
>
>> Frediani, I didn't understand "when you use IP Services"?
>>
>> Here, for example, in those options I keep everything disabled except Winbox
>> (but I created rules to only accept internal or external access from safe
>> ranges designated by me; the problem is that this is a bit burdensome: one
>> day when I'm travelling, I won't be able to access it from wherever I want).
>>
>>
>>
>>
>> 2018-04-24 2:02 GMT-03:00 Fernando Frediani <fhfrediani at gmail.com>:
>>
>> > When you use /ip services I believe you don't need to use firewall rules.
>> > For those with Fast-path enabled, you won't lose that functionality, which
>> > is quite important for router performance.
>> >
>> > Be careful with forward blocking rules. However well-intentioned they may
>> > be, they can easily violate the Marco Civil da Internet by blocking
>> > something that your customer (whether transit or broadband) does not want
>> > blocked.
>> >
>> > Fernando
>> >
>> > On 23/04/2018 11:37, Joao Paulo Saldanha wrote:
>> >
>> >> Let's pay attention to security:
>> >>
>> >> I put together a few rules here that may help friends protect their
>> >> Mikrotik. The same can be applied to all RBs.
>> >>
>> >> /ip firewall address-list
>> >> add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
>> >> add address=SEU_PREFIXO_2 list=ACCESSO_WINBOX
>> >> add address=100.64.0.0/10 list=ACCESSO_WINBOX
>> >> add address=192.168.0.0/16 list=ACCESSO_WINBOX
>> >> add address=172.16.0.0/12 list=ACCESSO_WINBOX
>> >> add address=10.0.0.0/8 list=ACCESSO_WINBOX
>> >>
>> >> /ip firewall filter
>> >> # drop Winbox (tcp/8291) from any source that is not in the trusted list
>> >> add action=drop chain=input comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>> >> add action=drop chain=forward comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>> >>
>> >> # move the two drop rules to the top of the filter chain
>> >> /ip firewall filter move [/ip firewall filter find comment=PROTECAO_WINBOX] 0
>> >>
>> >> /ip service
>> >> set winbox address="SEU_PREFIXO_1/21,SEU_PREFIXO_2/22,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
>> >>
>> >> Pay attention to the SEU_PREFIXO_1 and SEU_PREFIXO_2 fields. Put your own
>> >> ranges in their place; if you have more than 2, replicate the rule. If you
>> >> need clarification, you can call me.
>> >> Another detail: we are blocking all access to the default port 8291. If
>> >> you sell transit, you will need to allow it before the block, otherwise
>> >> your customer will lose external access to their Winbox.
>> >>
>> >> 2018-04-23 9:20 GMT-03:00 Andre Almeida <andre at bnet.com.br>:
>> >>
>> >>> https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
>> >>>
>> >>> We have discovered a new RouterOS vulnerability affecting all RouterOS
>> >>> versions since v6.29.
>> >>>
>> >>> *How it works*: The vulnerability allowed a special tool to connect to
>> >>> the Winbox port, and request the system user database file.
>> >>>
>> >>> *Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in
>> >>> all release chains coming ASAP.
>> >>>
>> >>> *Am I affected?* Currently there is no sure way to see if you were
>> >>> affected. If your Winbox port is open to untrusted networks, assume
>> >>> that you are affected and upgrade + change password + add firewall.
>> >>> The log may show an unsuccessful login attempt, followed by a
>> >>> successful login attempt from unknown IP addresses.
>> >>>
>> >>> *What to do*: 1) *Firewall* the Winbox port from the public interface,
>> >>> and from untrusted networks. It is best if you only allow known IP
>> >>> addresses to connect to your router to any services, not just Winbox.
>> >>> We suggest this to become common practice. As an alternative, possibly
>> >>> easier, use the "IP -> Services" menu to specify "*Allowed From*"
>> >>> addresses. Include your LAN, and the public IP that you will be
>> >>> accessing the device from. 2) *Change your passwords.*
>> >>>
>> >>> *What to expect in the coming hours/days*: Updated RouterOS versions
>> >>> coming ASAP. RouterOS user database security will be hardened, and
>> >>> deciphering will no longer be possible in the same manner.
>> >>>
>> >>>
>> >>> Andre
>> >>> --
>> >>> gter list    https://eng.registro.br/mailman/listinfo/gter
>> >>>


-- 
*Andrio prestes Jasper*
(65) 9 9320-3170 / 8444-0040


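The advisory quoted in this thread says the log may show a failed login followed by a successful one from an unknown address, and Joao Paulo's rules drop Winbox traffic from any source outside the ACCESSO_WINBOX list. As an added example (not from any of the posters), this Python script applies both ideas to RouterOS account log lines: it flags successful Winbox logins from addresses outside the trusted ranges and notes whether a failed attempt preceded them. The log message format and the 198.51.100.0/24 stand-in for SEU_PREFIXO_1 are assumptions; check them against your own /log print output.

```python
import ipaddress
import re

# Trusted ranges, mirroring the ACCESSO_WINBOX address list posted in the thread.
# 198.51.100.0/24 is a constructed stand-in for the SEU_PREFIXO_n placeholders.
ACCESSO_WINBOX = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24", "100.64.0.0/10", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Assumed shape of RouterOS account log messages; verify against your own /log print.
FAIL_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
OK_RE = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")


def is_trusted(ip):
    """True if ip falls inside one of the ACCESSO_WINBOX ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACCESSO_WINBOX)


def suspicious_winbox_logins(lines):
    """Return (user, ip, preceded_by_failure) for every successful Winbox
    login from an address outside ACCESSO_WINBOX, in log order."""
    failed = set()   # (user, ip) pairs that had at least one failed Winbox attempt
    hits = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m and m.group(3) == "winbox":
            failed.add((m.group(1), m.group(2)))
            continue
        m = OK_RE.search(line)
        if m and m.group(3) == "winbox" and not is_trusted(m.group(2)):
            key = (m.group(1), m.group(2))
            hits.append((key[0], key[1], key in failed))
    return hits


# Constructed sample log (not a real capture), written to match the assumed format.
SAMPLE_LOG = """\
apr/24 09:58:01 system,error,critical login failure for user admin from 203.0.113.7 via winbox
apr/24 09:58:03 system,info,account user admin logged in from 203.0.113.7 via winbox
apr/24 10:02:10 system,info,account user admin logged in from 192.168.88.2 via winbox
apr/24 10:05:44 system,error,critical login failure for user admin from 198.51.100.9 via winbox
apr/24 10:07:00 system,info,account user admin logged in from 203.0.113.9 via ssh
""".splitlines()

if __name__ == "__main__":
    for user, ip, after_failure in suspicious_winbox_logins(SAMPLE_LOG):
        note = " (after a failed attempt)" if after_failure else ""
        print(f"untrusted Winbox login: user={user} from={ip}{note}")
```

The 192.168.88.2 login is ignored because it matches the trusted list, and the ssh login is ignored because the script only looks at the Winbox service.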


