Vulnerability Mikrotik allows you to get a list of all users through the winbox

Mikrotik devices have become widespread because of their price relative to functionality. But the mistakes in the software has not been canceled. And this time I got a serious bug.

On March 25, one of the users of the Mikrotik forum reported on the detection of suspicious activity of mikrotik routers using telnet (TCP port 23), TR-069 (TCP port 7547) and WINBOX (TCP 8291) ports.

Employees of the company referred to a bug that was closed a year ago. Later it turned out that this was a new vulnerability, and on April 23, the company Mikrotik announced the release of firmware, where this vulnerability was removed.

Despite the fact that the company rather quickly released a bugfix, devices exposed to a network vulnerability amount to thousands.

I recommend all RouterOS users to upgrade to at least version 6.40.8 [bugfix] or 6.42.1 [current]

Also in the public domain appeared tools that allow ordinary users to gain access to devices that are not protected by the firewall or not updated to the current version.

In view of the recent events, I suggest that all users of the Mikrotik and CHR devices make at least the minimum setting.

Minimum security settings

Analyzing devices with a bug, I noticed that almost everyone ignores the firewall settings, despite the fact that it is the most effective tool to protect your network infrastructure. And 90% of devices have an "admin" account with full rights. Straight dream for brodforserov.

Regarding RouterOS protection, take a few simple steps to ensure minimum security:

Make sure you have the latest firmware.
You should not hope for the absence of bugs in the new firmware and configure the firewall:
2.1. In the INPUT chain, access to the device is allowed only from trusted ip addresses. For example, the range of the home network or ip addresses of network administrators.
Note that the INPUT chain applies only to packets addressed directly to this router. Transit packages belong to the FORWARD chain.
2.2. Drop all packages that do not match the allowed ones.
2.3. In case you need to periodically access from dynamic addresses, use "port knocking" to add your ip to the allowed for a certain time.
Turn off all services that you do not use (api, ssh, telnet etc.)
After setting up the firewall and updating the firmware, change the password.

If you use the account name "admin", also create your account, for example, "Vasya". Go under it, check permissions and block the "admin".

Firewall

With the use of the terminal.
Create a list of addresses that will be allowed to connect to the router
/ip firewall address-list
add address=192.168.1.0/24 list=allow-ip
add address=192.168.88.10/32 list=allow-ip

Add a rule that allows all actions from these addresses

/ip firewall filter
add action=accept chain=input comment="Allow Address List" src-address-list=allow-ip

If I need access from unknown addresses, I wait for the icmp packet (ping) of a certain size. If such a package arrives, the source address is added to the allow-ip list with a time of 1 hour. If desired, you can make a cascade of such packages.

/ip firewall filter
add action=add-src-to-address-list address-list=allow-ip address-list-timeout=1h chain=input packet-size=783 protocol=icmp

Pay attention to the packet size of 783 bytes. But when pinging, you should indicate 28 bytes less. In this case, ping from windows:

ping -l 755 myhostname.domain

Denying access to all ports that are not allowed above:

/ip firewall filter add action=drop chain=input

Services,

which you do not use, too, must be turned off for these are extra points of failure.
/ip service
set api disabled=yes
set api-ssl disabled=yes
and so on.