[GTER] Advisory: Vulnerability exploiting the Winbox port

Alexandre J. Correa (Onda) alexandre at onda.net.br
Tue Apr 24 22:08:18 -03 2018


It never was, Silvio!!

A simple nmap finds the 'new' port....


On 24/04/2018 20:20, Silvio Licht Ahmad wrote:
> And wouldn't changing the default port already be enough to escape this
> specific attack?
>
> On 24 April 2018 at 19:01, Rubens Kuhl <rubensk at gmail.com> wrote:
>
>> OOB via IPSEC ?
>>
>>
>> Rubens
>>
>>
>> 2018-04-24 17:12 GMT-03:00 Andrio Prestes Jasper <mascaraapj at gmail.com>:
>>
>>> It's a pity that Mikrotik still doesn't support dynamic lists when
>>> configuring those restrictions.
>>> The only way to use this is entirely via the firewall.
>>>
>>> On 24 April 2018 at 15:33, Fernando Frediani <fhfrediani at gmail.com> wrote:
>>>
>>>> Hi Silvio
>>>>
>>>> What I meant is that if you use the /ip service set winbox ... feature
>>>> to restrict the ranges that may reach that RouterOS management service,
>>>> there is no need to also use the RouterOS firewall to block it, because
>>>> using firewall rules automatically disables the box's Fast-path, which
>>>> is an important feature for keeping the router's performance optimal.
>>>>
>>>> In your case this is solved with a VPN or a jump server.
>>>>
>>>> Fernando Frediani
>>>>
>>>>
>>>>
>>>> On 24/04/2018 15:05, Silvio Licht Ahmad wrote:
>>>>
>>>>> Frediane, I didn't understand "when you use IP Services"?
>>>>>
>>>>> Here, for example, in those options I keep everything disabled except
>>>>> Winbox (but I created rules to accept internal or external access only
>>>>> from safe ranges designated by me; that is a bit burdensome, though:
>>>>> one day when I am travelling I won't be able to connect from wherever
>>>>> I want).
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2018-04-24 2:02 GMT-03:00 Fernando Frediani <fhfrediani at gmail.com>:
>>>>>
>>>>>> When you use /ip services I believe you don't need to use firewall
>>>>>> rules. Anyone who has Fast-path enabled won't lose that feature,
>>>>>> which is quite important for the router's performance.
>>>>>>
>>>>>> Be careful with forward blocking rules. However well-intentioned they
>>>>>> may be, they can easily violate the Marco Civil da Internet by
>>>>>> blocking something your customer (whether transit or broadband) does
>>>>>> not want blocked.
>>>>>>
>>>>>> Fernando
>>>>>>
>>>>>> On 23/04/2018 11:37, Joao Paulo Saldanha wrote:
>>>>>>
>>>>>>> Let's pay attention to security:
>>>>>>> I put together a few small rules here that may help colleagues
>>>>>>> protect their Mikrotik. They can be applied to all RBs.
>>>>>>>
>>>>>>> /ip firewall address-list
>>>>>>> add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
>>>>>>> add address=SEU_PREFIXO_2 list=ACCESSO_WINBOX
>>>>>>> add address=100.64.0.0/10 list=ACCESSO_WINBOX
>>>>>>> add address=192.168.0.0/16 list=ACCESSO_WINBOX
>>>>>>> add address=172.16.0.0/12 list=ACCESSO_WINBOX
>>>>>>> add address=10.0.0.0/8 list=ACCESSO_WINBOX
>>>>>>>
>>>>>>> /ip firewall filter
>>>>>>> add action=drop chain=input comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>>>>>>> add action=drop chain=forward comment=PROTECAO_WINBOX dst-port=8291 protocol=tcp src-address-list=!ACCESSO_WINBOX
>>>>>>>
>>>>>>> /ip firewall filter move [/ip firewall filter find comment=PROTECAO_WINBOX] 0
>>>>>>>
>>>>>>> /ip service
>>>>>>> set winbox address="SEU_PREFIXO_1/21,SEU_PREFIXO_2/22,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
>>>>>>>
>>>>>>> Pay attention to the fields SEU_PREFIXO_1 and SEU_PREFIXO_2. Put your
>>>>>>> own ranges in their place; if you have more than two, replicate the
>>>>>>> rule. If you need clarification you can call me.
>>>>>>> One more detail: we are blocking all access to the default port 8291.
>>>>>>> If you sell transit, you will need to allow it before the block,
>>>>>>> otherwise your customer will lose external access to their Winbox.
>>>>>>>
>>>>>>> 2018-04-23 9:20 GMT-03:00 Andre Almeida <andre at bnet.com.br>:
>>>>>>>
>>>>>>> https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
>>>>>>>
>>>>>>>> We have discovered a new RouterOS vulnerability affecting all RouterOS
>>>>>>>> versions since v6.29.
>>>>>>>>
>>>>>>>> *How it works*: The vulnerability allowed a special tool to connect to
>>>>>>>> the Winbox port, and request the system user database file.
>>>>>>>>
>>>>>>>> *Versions affected*: 6.29 to 6.43rc3 (included). Updated versions in
>>>>>>>> all release chains coming ASAP.
>>>>>>>>
>>>>>>>> *Am I affected?* Currently there is no sure way to see if you were
>>>>>>>> affected. If your Winbox port is open to untrusted networks, assume
>>>>>>>> that you are affected and upgrade + change password + add firewall.
>>>>>>>> The log may show an unsuccessful login attempt, followed by a
>>>>>>>> successful login attempt from unknown IP addresses.
>>>>>>>>
>>>>>>>> *What to do*: 1) *Firewall* the Winbox port from the public interface,
>>>>>>>> and from untrusted networks. It is best if you only allow known IP
>>>>>>>> addresses to connect to your router for any services, not just Winbox.
>>>>>>>> We suggest this become common practice. As an alternative, possibly
>>>>>>>> easier, use the "IP -> Services" menu to specify "*Allowed From*"
>>>>>>>> addresses. Include your LAN, and the public IP that you will be
>>>>>>>> accessing the device from. 2) *Change your passwords.*
>>>>>>>>
>>>>>>>> *What to expect in the coming hours/days*: Updated RouterOS versions
>>>>>>>> coming ASAP. RouterOS user database security will be hardened, and
>>>>>>>> deciphering will no longer be possible in the same manner.
>>>>>>>>
>>>>>>>>
>>>>>>>> Andre
>>>>>>>> --
>>>>>>>> gter list    https://eng.registro.br/mailman/listinfo/gter
>>>>>>>>
>>>
>>>
>>> --
>>> *Andrio prestes Jasper*
>>> (65) 9 9320-3170 / 8444-0040
>>>
>>>


-- 
*Alexandre Jeronimo Correa* / CEO
alexandre at onda.net.br / Office +55 34 3351-3077

*ONDA INTERNET*
+55 34 3351-3077
Av. Benedito Valadares, 217 – Centro – Sacramento – MG - BR
http://www.onda.net.br
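Two things in the thread above lend themselves to a small defender-side check: the address-list rules Joao Paulo posted (hand-typed allow-lists are easy to get subtly wrong; the original post carried 172.160.0.0/12 where 172.16.0.0/12 was meant) and the indicator MikroTik's advisory names (an unsuccessful login followed by a successful one from an unknown address). The script below is an added example written for this editorial pass; it is not code from the GTER list, from Joao Paulo's rules or from MikroTik. It parses the ACCESSO_WINBOX list out of `/ip firewall address-list` lines, flags unreplaced SEU_PREFIXO placeholders and 172.x entries that fall outside RFC 1918, then scans log lines for successful logins that are either outside the allow-list or preceded by a failure. The regexes approximate RouterOS's `login failure for user X from IP via winbox` and `user X logged in from IP via winbox` messages; the config and log lines embedded below are constructed for the example, not captured from a router.

```python
# Added example (not from the GTER thread, Joao Paulo's rules or MikroTik):
# parse the Winbox allow-list out of '/ip firewall address-list' lines,
# sanity-check it, and scan RouterOS-style log lines for the indicator in
# MikroTik's advisory (failed login followed by a successful one), weighted
# by whether the source address is inside the allow-list.
# Assumptions: the log regexes approximate RouterOS 'login failure for user X
# from IP via winbox' / 'user X logged in from IP via winbox' messages; the
# sample config and log lines below are constructed, not captured.
import ipaddress
import re

PRIVATE_172 = ipaddress.ip_network("172.16.0.0/12")
ADDR_LIST_RE = re.compile(r"^add\s+address=(\S+)\s+list=(\S+)")
FAIL_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
OK_RE = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")


def parse_address_list(config_text, list_name):
    """Return (networks, warnings) for the entries of `list_name`."""
    nets, warnings = [], []
    for raw in config_text.splitlines():
        m = ADDR_LIST_RE.match(raw.strip())
        if not m or m.group(2) != list_name:
            continue
        addr = m.group(1)
        if addr.startswith("SEU_PREFIXO"):       # placeholder left in place
            warnings.append(f"placeholder not replaced: {addr}")
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            warnings.append(f"unparsable address: {addr}")
            continue
        # 172.160.0.0/12 parses fine but is public space, not RFC 1918.
        if (net.version == 4 and net.network_address.packed[0] == 172
                and not net.subnet_of(PRIVATE_172)):
            warnings.append(f"{net} is not inside 172.16.0.0/12; likely a typo")
        nets.append(net)
    return nets, warnings


def scan_logins(log_lines, allowed):
    """Report successful logins that are untrusted or preceded by a failure."""
    findings, failed = [], set()          # failed: (user, ip) pairs seen failing
    for line in log_lines:
        if m := FAIL_RE.search(line):
            user, ip, _ = m.groups()
            failed.add((user, ip))
            continue
        if not (m := OK_RE.search(line)):
            continue
        user, ip, via = m.groups()
        src = ipaddress.ip_address(ip)
        trusted = any(src in net for net in allowed)
        preceded = (user, ip) in failed
        if trusted and not preceded:
            continue                      # ordinary login from the allow-list
        if preceded and not trusted:
            severity = "high"             # the advisory's exact pattern
        elif not trusted:
            severity = "medium"           # allow-list not enforced for this source
        else:
            severity = "low"              # most likely a mistyped password on the LAN
        findings.append({"user": user, "ip": ip, "via": via, "severity": severity,
                         "trusted_source": trusted, "preceded_by_failure": preceded})
    return findings


# Constructed allow-list in the shape of the thread's rules, including the
# original post's 172.160.0.0/12 slip and one placeholder left unreplaced.
SAMPLE_CONFIG = """\
/ip firewall address-list
add address=SEU_PREFIXO_1 list=ACCESSO_WINBOX
add address=198.51.100.0/24 list=ACCESSO_WINBOX
add address=100.64.0.0/10 list=ACCESSO_WINBOX
add address=192.168.0.0/16 list=ACCESSO_WINBOX
add address=172.160.0.0/12 list=ACCESSO_WINBOX
add address=10.0.0.0/8 list=ACCESSO_WINBOX
"""

# Constructed log lines resembling RouterOS 'system,...,account' output.
SAMPLE_LOG = [
    "apr/24 20:15:01 system,error,critical login failure for user admin from 203.0.113.5 via winbox",
    "apr/24 20:15:03 system,info,account user admin logged in from 203.0.113.5 via winbox",
    "apr/24 20:20:10 system,error,critical login failure for user admin from 10.10.0.5 via winbox",
    "apr/24 20:20:15 system,info,account user admin logged in from 10.10.0.5 via winbox",
    "apr/24 20:25:00 system,info,account user noc logged in from 198.51.100.7 via winbox",
    "apr/24 20:30:00 system,info,account user admin logged in from 192.0.2.9 via winbox",
]


def run_sample():
    """Run both checks over the constructed data; returns (warnings, findings)."""
    nets, warnings = parse_address_list(SAMPLE_CONFIG, "ACCESSO_WINBOX")
    return warnings, scan_logins(SAMPLE_LOG, nets)


if __name__ == "__main__":
    warnings, findings = run_sample()
    for w in warnings:
        print("config:", w)
    for f in findings:
        print(f"{f['severity']:6} {f['user']}@{f['ip']} via {f['via']} "
              f"trusted={f['trusted_source']} prior_failure={f['preceded_by_failure']}")
```

On the constructed data the config check reports the unreplaced placeholder and the 172.160.0.0/12 entry, and the log scan yields three findings: the 203.0.113.5 sequence (failure then success from outside the list) as high, the 10.10.0.5 sequence as low because the source is allowed, and the bare 192.0.2.9 success as medium because a login from outside ACCESSO_WINBOX means the drop rule or the `/ip service` address filter is not actually in front of that port. A successful login from an allowed address with no prior failure (198.51.100.7) is not reported. In practice the input would be the output of `/log print` on the router or the lines a remote syslog target collected from it.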




