New RouterOS Vulnerability?
-
- Trainer
- Posts: 144
- Joined: Sat Jul 11, 2009 2:36 pm
- Location: Cordoba - Argentina
New RouterOS Vulnerability?
Hello guys! It's been a long time since I last wrote in this forum.
Yesterday I got contacted by 4 different users, all with the same problem: all the full users became read-only and there is a new "X" user with full privileges.
So far I've seen it on RouterOS versions 6.49.7, 6.49.10, 6.48.5 and 6.48.6. The only service exposed to public interfaces is Winbox in the default port.
Can't tell if the admin pass was weak.
Has anyone else experienced the same?
The only thing we can do is netinstall the unit and restore latest backup (and add more restricted firewall now, of course).
Thanks in advance!
-
- Forum Guru
- Posts: 2060
- Joined: Wed Jun 12, 2013 11:59 am
- Location: Netherlands
Re: New RouterOS Vulnerability?
Besides the described restore plan, you might also want to consider closing the Winbox port. Using a VPN would add an additional layer of security.
And disable the admin account, after creating the correct accounts.
-
- Forum Veteran
- Posts: 828
- Joined: Thu Nov 12, 2020 11:07 am
Re: New RouterOS Vulnerability?
Does the system log contain a successful login by the admin user before everything that your history shows happened?
-
- Trainer
- Posts: 144
- Joined: Sat Jul 11, 2009 2:36 pm
- Location: Cordoba - Argentina
Re: New RouterOS Vulnerability?
Yes! Disabling IP Services, moving the default ports to new ones, protect them from unknown IP Addresses, improve firewall. All of this will be done now, but the question is... is this a new vulnerability / attack or has anyone seen this before?
-
- Forum Guru
- Posts: 19944
- Joined: Sun Feb 18, 2018 10:28 pm
- Location: Nova Scotia, Canada
Re: New RouterOS Vulnerability?
Your post is somewhat confusing: you are asking for assistance on routers that don't appear to be under your monitoring or config responsibilities......
Why is this your problem???
In any case, without knowing how the configs were setup with some detail, it is not really possible to say much.
Yes, netinstall is the only way to proceed at this point for each router.
6.49.13 long term stable or the latest 7 version for better security, if you want to switch versions.
Last edited by anav on Tue May 14, 2024 12:05 pm, edited 1 time in total.
-
- MikroTik Support
- Posts: 26445
- Joined: Fri May 28, 2004 9:04 am
- Location: Riga, Latvia
Re: New RouterOS Vulnerability?
some obvious red flags
1. old version
2. winbox port open to world
3. "admin" user used
-
- Trainer
- Posts: 144
- Joined: Sat Jul 11, 2009 2:36 pm
- Location: Cordoba - Argentina
Re: New RouterOS Vulnerability?
-
- Forum Guru
- Posts: 19944
- Joined: Sun Feb 18, 2018 10:28 pm
- Location: Nova Scotia, Canada
Re: New RouterOS Vulnerability?
CONSIDER?, are you mad?
Let me rephrase that LOL
CONSIDER? You are bongo nutso!
This is a MUST SHALL DO, it is probably the vector for compromise.
The only secure method of accessing winbox, aka the config, is internally from the LAN, via LAN user or incoming VPN users (as in wireguard for example )
-
- MikroTik Support
- Posts: 26445
- Joined: Fri May 28, 2004 9:04 am
- Location: Riga, Latvia
Re: New RouterOS Vulnerability?
we need as many supout.rif files as you can get. send them to support, not the forum
-
- Forum Guru
- Posts: 19944
- Joined: Sun Feb 18, 2018 10:28 pm
- Location: Nova Scotia, Canada
Re: New RouterOS Vulnerability?
If the router has been compromised, assuming NORMIS or others would know??
I mean besides netinstall and using VPN to access config externally, and
a. changing admin user to something not default
b. changing winbox port to something not default
What actions may have to be done on all devices behind that router?
People PCs for example?
What are the ramifications to the users behind the router and what actions they should take ???
-
- MikroTik Support
- Posts: 26445
- Joined: Fri May 28, 2004 9:04 am
- Location: Riga, Latvia
Re: New RouterOS Vulnerability?
Generic advice:
Obviously there are no known vulnerabilities right now. It does not mean something will not be discovered in the future. So always make a new user, and delete admin. Disable all services to the internet; only allow strong VPN, and also protect the router from the LAN if there are regular users there. Some Windows malware can also be used to brute-force your router login.
Mario: send your RIF files to support@ please
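The hardening advice repeated through this thread (named full-rights user instead of "admin", no management services on the WAN side, Winbox reachable only from the LAN or a VPN) as one RouterOS terminal session. This is an added example, not configuration from the thread or from MikroTik; the user name netadmin, the interface list WAN, the interface ether1, and the management subnets 192.168.88.0/24 (LAN) and 10.99.0.0/24 (VPN) are assumptions to be replaced with the real values.

```routeros
# Added example, not from the thread. Assumed names: netadmin, WAN, ether1,
# and the management subnets 192.168.88.0/24 (LAN) and 10.99.0.0/24 (VPN).

# 1. Create a named full-rights user first, then disable the default "admin".
#    Verify the new login works before removing admin with "/user remove admin".
/user add name=netadmin group=full password="replace-with-a-long-random-passphrase"
/user disable admin

# 2. Turn off management services that should never face the internet.
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable api
/ip service disable api-ssl

# 3. Keep Winbox and SSH, but accept connections only from the LAN and VPN subnets.
/ip service set winbox address=192.168.88.0/24,10.99.0.0/24
/ip service set ssh address=192.168.88.0/24,10.99.0.0/24

# 4. Also drop management ports arriving on the WAN interface in the firewall,
#    so the per-service address filter is not the only control.
#    Skip the two "list" lines if the default configuration already defines WAN.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 action=drop \
    comment="drop management ports from WAN"

# 5. Confirm what is still listening and from where.
/ip service print
```

The firewall rule must sit above any broad accept rule in the input chain to have an effect; check the order with `/ip firewall filter print` after adding it. The service address filter and the firewall rule overlap on purpose: if one is loosened later by mistake, the other still blocks the WAN side.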
-
- Member
- Posts: 329
- Joined: Thu Jan 05, 2017 9:38 am
- Location: Kyiv, UA
Re: New RouterOS Vulnerability?
Mikrotik certified trainer with telnet exposed from WAN.
Say no more...
-
- MikroTik Support
- Posts: 26445
- Joined: Fri May 28, 2004 9:04 am
- Location: Riga, Latvia
Re: New RouterOS Vulnerability?
to be fair, he said those are not his routers, but random people that contacted him
-
- Trainer
- Posts: 144
- Joined: Sat Jul 11, 2009 2:36 pm
- Location: Cordoba - Argentina
-
- Trainer
- Posts: 144
- Joined: Sat Jul 11, 2009 2:36 pm
- Location: Cordoba - Argentina
-
- Member Candidate
- Posts: 284
- Joined: Fri Aug 27, 2021 7:16 pm
Re: New RouterOS Vulnerability?
It happened to me accidentally: by leaving the admin user with a blank password, I created a PPPoE connection and they logged in as admin via the API, created a new user and disabled the admin one. I was distracted by something else and it happened right under my nose, but I unplugged the RouterBOARD and recovered. You need to keep an extra eye on safety. After you enter the house, before you succeed, secure everything so that only you can enter when you return.
-
- MikroTik Support
- Posts: 26445
- Joined: Fri May 28, 2004 9:04 am
- Location: Riga, Latvia
Re: New RouterOS Vulnerability?
if they have read-only, they can make a full verbose export in the terminal and send us the config at least
-
- Forum Veteran
- Posts: 828
- Joined: Thu Nov 12, 2020 11:07 am
Re: New RouterOS Vulnerability?
To be fair, you didn't mention anywhere that these "4 users" are not in an existing customer relationship with you, and therefore, the routers in question are not ones you are managing or have configured.
-
- Forum Veteran
- Posts: 828
- Joined: Thu Nov 12, 2020 11:07 am
Re: New RouterOS Vulnerability?
Well, logins via WinBox say "logged in via winbox". So the public-facing Winbox port was not the entry point? Or does WinBox have some hidden feature to connect as telnet?
So most probably the telnet port (23) was open as well, since the login was via telnet from a public IP 81.x.x.x....
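The question raised earlier (does the log show a successful admin login before the accounts changed?) and the observation above (the login line names the service and the source address) can be answered in one pass over the router's log. This is an added RouterOS script, not something posted in the thread; it assumes the stock message format `user <name> logged in from <ip> via <service>` and flags every login whose source is outside RFC 1918 space. Only the in-memory log buffer is searched, so on a router that has been rebooted or netinstalled the evidence is already gone unless logging to disk or a remote syslog host was configured beforehand.

```routeros
# Added example, not from the thread. Assumes the stock RouterOS log line
# "user <name> logged in from <ip> via <service>" on the "account" topic.
:foreach entry in=[/log find where message~"logged in from"] do={
    :local msg [/log get $entry message]
    :local when [/log get $entry time]

    # Cut the source address out of the message: text between "from " and " via".
    :local start ([:find $msg "from "] + 5)
    :local stop [:find $msg " via"]
    :local src [:toip [:pick $msg $start $stop]]

    # :toip yields nil for anything that is not an IPv4 literal (e.g. an IPv6
    # source); report those separately instead of testing them against prefixes.
    :if ([:typeof $src] != "ip") do={
        :put ("unparsed source  " . $when . "  " . $msg)
    } else={
        :local internal false
        :if ($src in 10.0.0.0/8 || $src in 172.16.0.0/12 || $src in 192.168.0.0/16) do={
            :set internal true
        }
        :if ($internal) do={
            :put ("internal login   " . $when . "  " . $msg)
        } else={
            # A successful login from a public address on a router that should
            # only be managed from the LAN or VPN is the line to look at first.
            :put ("EXTERNAL LOGIN   " . $when . "  " . $msg)
        }
    }
}
```

Paste the block into a terminal session (a read-only user can run it, since it only reads `/log`) and compare the timestamps of any EXTERNAL LOGIN lines with the time the accounts were changed. The same loop with `message~"login failure"` in the find clause lists brute-force attempts that preceded the successful one.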
-
- MikroTik Support
- Posts: 26445
- Joined: Fri May 28, 2004 9:04 am
- Location: Riga, Latvia
Re: New RouterOS Vulnerability?
There could be various reasons for this:
1. router passwords were compromised in earlier versions. now some bot just used a leaked database
2. customer is not truthful about their config
3. some new unknown vulnerability is not out of question, but it would be strange, if it only affects a few people
-
- Forum Veteran
- Posts: 716
- Joined: Mon Dec 26, 2022 1:57 pm
Re: New RouterOS Vulnerability?
telnet user/password sniffed on some network while connecting from WAN