
US intelligence agencies are attacking vendors. Now MikroTik. Patch is already available

First the news, then my reasoning on this topic.

News


Remember last year's leaks about vulnerabilities in Cisco and Fortinet (one, two, three)? The trend persists. On March 7, the media published information about the next batch of secret data on the developments of US intelligence services in the field of network technologies: Vault 7. MikroTik was among the vendors affected. MikroTik representatives reacted quite quickly: they analyzed these documents themselves and commented on the vulnerability data, and at the same time released an updated version (March 8) that closes the vulnerability.

According to MikroTik representatives, the vulnerability is in the RouterOS (ROS) web interface. There are no details of the vulnerability yet. The recommendation is to upgrade (to version 6.38.5, or to the release candidate, version 6.39rc49). It is also reported that by default the RouterOS configuration prohibits access to the web interface from the Internet (it remains accessible from the local network). A further recommendation is to restrict access with access lists, to only those IP addresses that really need it. Some hardware (for example, with the mipsle architecture) is no longer supported, so for it do not wait for an update that closes the vulnerability. According to MikroTik representatives, authorization is not required to exploit the vulnerability.
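The restriction MikroTik recommends can be expressed in RouterOS configuration. The following is an added example written for this post, not configuration from MikroTik or from the original article; it assumes a LAN of 192.168.88.0/24, the default uplink interface name ether1-gateway, and the stock www/www-ssl service ports (80 and 443). Adjust these to your own layout.

```routeros
# Added example (not from the post or from MikroTik): limit the RouterOS
# web interface to the LAN and drop web-interface traffic arriving on the
# uplink port and on any PPP interface.
# Assumptions: LAN = 192.168.88.0/24, uplink = ether1-gateway, web on 80/443.

# 1. Service-level access list: www and www-ssl answer only to LAN sources.
/ip service set www address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 2. Firewall input chain: keep existing sessions, then drop the web ports
#    on the physical uplink and on every PPP interface (the PPPoE/public-IP
#    case that older default configs did not cover).
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep established sessions"
add chain=input protocol=tcp dst-port=80,443 in-interface=ether1-gateway \
    action=drop comment="no web UI from the uplink port"
add chain=input protocol=tcp dst-port=80,443 in-interface=all-ppp \
    action=drop comment="no web UI from PPP uplinks"

# 3. Verify: the service list should show the LAN prefix, and the input
#    chain should show the two drop rules above the default accept rules.
/ip service print where name~"www"
/ip firewall filter print where chain=input
```

The service-level address restriction and the firewall rules overlap deliberately: if a later firewall edit removes the drop rules, the www service still refuses non-LAN sources, and if the LAN prefix changes, the firewall rules still block the uplink and PPP paths.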

The changelog of the updated versions is concise:
fixed http server vulnerability

My IMHO


Based on my own experience working with RouterOS (as an amateur: 4 years of operating it, plus several years of experience as a pentester), I will share a couple of thoughts. Regarding the default configuration, which closes access to the web interface from the Internet: there is a nuance. If we are talking about newly purchased devices, or devices updated to certain versions and then reset to factory settings, then yes, everything is fine there: full-fledged rules that block access from outside, leaving only access from the local network. But in practice this is rare. Two other situations are much more common:
1. Not the latest version of RouterOS 6.x. In this case, the factory configuration implemented "blocking access from outside" exclusively as blocking on the ether1-gateway interface (the first network port, counting from left to right). As a result, users whose providers issued a dedicated IP, for example via a PPP connection, ended up in a bad situation: they could be "reached" from the Internet. For some time now, the default configuration, in addition to prohibiting incoming traffic on the ether1-gateway interface, has included a prohibition of incoming traffic on all ppp interfaces.

2. Modified factory firewall settings. In this case, updating to the latest version of RouterOS will not add the blocking of incoming traffic on all ppp interfaces. I assume this is done to preserve the configuration in the form the user created it. That is, if the user intervened in the default configuration and did not bother to add rules that prevent access from outside, the update will not add them for him.

As for access to the device only from authorized addresses: in practice I prefer to use a port knocking implementation. There are various options for it (one, two, three). In my implementation I have limited the lifetime of such entries (the address-list-timeout parameter), so as not to litter the list of allowed addresses with entries that are no longer relevant.

Source: https://habr.com/ru/post/323658/

