Standard User caffn8me
(eat-sleep-adslguide) Mon 26-Mar-18 18:45:09

Mikrotik router vulnerability


 
If you're running a Mikrotik router to connect to the internet, please check your firmware is up to date.

Today I've noticed four UK-based hosts repeatedly trying to connect to my firewalls on TCP 23 (telnet) and TCP 7547.

I did a bit of poking around and determined that three out of four are definitely Mikrotik devices. The fourth may be too, I'm not sure.

There's a vulnerability currently being exploited on Mikrotik routers and it's been discussed on the Mikrotik forums at https://forum.mikrotik.com/viewtopic.php?f=2&t=13236...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
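The probing Sarah describes above (a handful of sources repeatedly trying TCP 23 and TCP 7547) is straightforward to surface from firewall logs. The Python below is an added example, not part of this thread or of any Mikrotik software: it parses constructed iptables-style syslog lines (the log format, the addresses and the threshold are my assumptions) and reports the sources whose attempts on those two ports reach a threshold. Port 7547 is the TR-069 (CWMP) remote-management port, which is why it turns up alongside telnet in router scanning.

```python
import re
from collections import Counter, defaultdict

# Ports named in the post: 23 (telnet) and 7547 (TR-069 CWMP management).
WATCH_PORTS = {23, 7547}

# Constructed sample lines in an iptables-style syslog format (not real logs).
SAMPLE_LOG = """\
Mar 26 18:40:01 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=23
Mar 26 18:40:07 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=41235 DPT=7547
Mar 26 18:40:09 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP SPT=5011 DPT=443
Mar 26 18:41:15 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=41236 DPT=23
Mar 26 18:42:30 fw kernel: DROP IN=eth0 SRC=192.0.2.88 DST=203.0.113.5 PROTO=TCP SPT=60001 DPT=7547
Mar 26 18:43:02 fw kernel: DROP IN=eth0 SRC=192.0.2.88 DST=203.0.113.5 PROTO=UDP SPT=60002 DPT=7547
Mar 26 18:44:11 fw kernel: DROP IN=eth0 SRC=192.0.2.88 DST=203.0.113.5 PROTO=TCP SPT=60003 DPT=23
Mar 26 18:45:00 fw kernel: DROP IN=eth0 SRC=192.0.2.88 DST=203.0.113.5 PROTO=TCP SPT=60004 DPT=23
"""

# Pull the source address, protocol and destination port out of one line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, proto, dport) for a firewall log line, or None if it doesn't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def find_scanners(log_text, threshold=3):
    """Map source IP -> {port: attempts} for TCP attempts on WATCH_PORTS,
    keeping only sources whose total attempts reach `threshold`.
    UDP hits are ignored: both services in the post are TCP."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if proto == "TCP" and dport in WATCH_PORTS:
            hits[src][dport] += 1
    return {src: dict(c) for src, c in hits.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        detail = ", ".join(f"tcp/{p} x{n}" for p, n in sorted(ports.items()))
        print(f"{src}: repeated management-port probes ({detail})")
```

Sources flagged this way are candidates for an abuse report to the upstream ISP, as Sarah did later in the thread; the threshold keeps one-off stray packets out of the list.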
Standard User Vorlon
(fountain of knowledge) Thu 24-May-18 20:35:25

Re: Mikrotik router vulnerability


[re: caffn8me]
 
I see this was posted back in March, and after reading the linked forum information, where it appears firmware was being overwritten remotely, the recently released and named VPNFilter botnet seems to fit the bill?

It seems it could be an issue for many, as many modem/router vendors are slow to update their products (if at all). Those of us who use ISP-supplied equipment are left to whatever they choose to do.
Standard User tdw42
(regular) Thu 24-May-18 21:56:01

Re: Mikrotik router vulnerability


[re: Vorlon]
 
There have been, unfortunately, several large vulnerabilities come to light in Mikrotik RouterOS in the last year:

6.38.5 (2017-Mar-09 11:32) & 6.37.5 (2017-Mar-09 11:54)
!) www - fixed http server vulnerability

6.41.3 (2018-Mar-08 11:55) & 6.40.7 (2018-Mar-29 13:29)
!) smb - fixed buffer overflow vulnerability, everyone using this feature is urged to upgrade

6.42.1 (2018-Apr-23 10:46) & 6.40.8 (2018-Apr-23 11:34)
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router

The most recent one to come to light is particularly worrying as it appears that anyone with remote management access could download the internal user database from a router without authentication, and that this database contains plaintext passwords!

At least Mikrotik are fairly proactive in fixing issues which appear, unlike some other large router manufacturers, although this latest issue is made worse by poor historic design decisions.

As ever, defence-in-depth is a good idea: disable unused services, and restrict access to those needed with access control lists and VPNs.
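tdw42's advice above (keep RouterOS current, disable unused services, restrict the rest by address) can be checked mechanically. The Python below is an added example, not code from this thread or from Mikrotik: it takes a RouterOS version string and a service table constructed to resemble `/ip service print` output (the table contents are made up) and reports whether the version predates the fixes and which services are enabled with no address restriction. The fix versions are the ones in the changelog entries quoted in the post; treating the 6.40.x line as needing 6.40.8 and every other line as needing 6.42.1 is my reading of those entries, not Mikrotik's guidance, and the set of "risky" services is my choice.

```python
import re

# Fix versions taken from the changelog entries quoted in the post above.
# Assumption: 6.40.x is treated as the long-term branch (needs 6.40.8);
# any other line needs 6.42.1; anything older is unpatched.
FIXED_LONG_TERM = (6, 40, 8)
FIXED_CURRENT = (6, 42, 1)

# Plaintext or historically affected management services named in the thread
# (telnet, www, winbox) plus ftp and the unencrypted api. These should be
# disabled or address-restricted on anything reachable from the internet.
RISKY_SERVICES = {"telnet", "ftp", "www", "api", "winbox"}

# Constructed table resembling `/ip service print` (contents are made up).
SAMPLE_SERVICES = """\
Flags: X - disabled
 #   NAME     PORT  ADDRESS
 0   telnet     23
 1 X ftp        21
 2   www        80
 3   ssh        22  192.0.2.0/24
 4   winbox   8291
 5   api      8728  192.0.2.0/24,10.0.0.0/8
 6   www-ssl   443
"""

# index, optional X (disabled) flag, name, port, optional allowed-address list
SERVICE_RE = re.compile(r"^\s*\d+\s+(?:(X)\s+)?([\w-]+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_version(text):
    """'6.30.2' -> (6, 30, 2); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(version):
    """True if `version` is at or above the fix level assumed for its branch."""
    v = parse_version(version)
    if v[:2] == (6, 40):
        return v >= FIXED_LONG_TERM
    return v >= FIXED_CURRENT


def parse_services(table):
    """Yield (name, port, disabled, allowed_addresses) for each service row."""
    for line in table.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue  # flag legend and column-header rows
        disabled, name, port, addr = m.groups()
        yield name, int(port), disabled == "X", addr or ""


def audit_services(table):
    """Return [(name, port, severity)] for enabled services with no address
    restriction: 'high' for the risky set, 'medium' for everything else."""
    findings = []
    for name, port, disabled, addr in parse_services(table):
        if disabled or addr:
            continue  # off, or already limited to an address list
        severity = "high" if name in RISKY_SERVICES else "medium"
        findings.append((name, port, severity))
    return findings


if __name__ == "__main__":
    for ver in ("6.30.2", "6.40.8", "6.42.1"):
        state = "patched" if is_patched(ver) else "UPDATE NEEDED"
        print(f"RouterOS {ver}: {state}")
    for name, port, severity in audit_services(SAMPLE_SERVICES):
        print(f"{severity}: {name} on port {port} enabled with no address restriction")
```

Run against the 6.30.2 box Sarah mentions later in the thread, the version check alone would flag it; the service audit is the part that tells you which of telnet, www and winbox are still listening to the whole internet rather than to a management subnet.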



Standard User caffn8me
(eat-sleep-adslguide) Fri 25-May-18 00:21:51

Re: Mikrotik router vulnerability


[re: Vorlon]
 
I hadn't seen much activity from compromised Mikrotik routers for a few weeks and then last week another one popped up.

I've reported it to the upstream ISP - it's in a Post Office branch (yes, I do know which one) so it's something that really ought to be sorted. It's currently running 6.30.2 which is way out of date.

Obviously, this isn't ISP supplied equipment so whoever installed and maintains it is responsible for the failure to keep it up to date.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Vorlon
(fountain of knowledge) Fri 25-May-18 01:00:32

Re: Mikrotik router vulnerability


[re: tdw42]
 
I see too that Tripwire's VPNFilter botnet article lists "Mikrotik RouterOS" *** in its listing:

https://www.tripwire.com/state-of-security/featured/...

It was interesting to read the link in the opening post of this thread, as issues started to come to light with Mikrotik models. From what I have read, the researchers kept this under wraps until now. For those that weren't in the know, I should imagine the story's release has made some sense.

*** Versions 1016, 1036, and 1072


Standard User caffn8me
(eat-sleep-adslguide) Sat 02-Jun-18 18:23:35

Re: Mikrotik router vulnerability


[re: Vorlon]
 
Now I'm seeing connection attempts from another compromised Mikrotik router - running version 6.30.2

The embarrassing thing (not for me) is that the originating IP address is registered at RIPE as belonging to a Mikrotik technology partner and they offer IT consultancy services including security.

Oops!

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User ukhardy07
(knowledge is power) Sun 03-Jun-18 06:27:33

Re: Mikrotik router vulnerability


[re: caffn8me]
 
Just to put things into perspective, here are Cisco's security vulnerabilities:

https://tools.cisco.com/security/center/publicationL...

Point is, keep things patched and upgraded, for pretty much everything.
Standard User caffn8me
(eat-sleep-adslguide) Sun 03-Jun-18 09:18:07

Re: Mikrotik router vulnerability


[re: ukhardy07]
 
The point I'm making here is that a company which claims to have expertise in a particular product, in network security and even a Cyber Essentials certification really should have updated its own routers. Keeping things patched is a requirement of Cyber Essentials.

They're not even slightly out of date. The affected router runs a version of RouterOS that is forty-eight versions out of date, and was released in July 2015. I would imagine that it's running the version it was when it came out of the box.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs