[MIKROTIK] Update your gear right now! All routers vulnerable!

You've read the title. Go and either update your gear or at least block port 8291 (open by default).

The vulnerability applies to all software versions from 6.29 to 6.43rc3 inclusive. It is necessary to update to v6.42.1 or v6.43rc4.

Moreover, you can't check if you were affected, as per their words:

Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected and upgrade + change password + add firewall. The log may show unsuccessful login attempt, followed by a successful login attempt from unknown IP addresses.

The vulnerability has been actively exploited since at least 3 days before the post on forums.

Source: https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
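
The log pattern quoted in the post above (a failed login followed by a successful one from an unknown address) can be checked for in exported logs. This is an added example, not part of the original post or MikroTik's tooling; the log line layout, the sample lines and the trusted range 192.168.88.0/24 are assumptions. As the quoted advisory says, an empty result does not show the router is clean.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample; the line layout is an assumption modelled on RouterOS logs.
SAMPLE_LOG = """\
apr/23 02:11:07 system,error,critical login failure for user admin from 203.0.113.50 via winbox
apr/23 02:11:09 system,info,account user admin logged in from 203.0.113.50 via winbox
apr/23 08:30:12 system,info,account user admin logged in from 192.168.88.10 via winbox
apr/23 09:02:44 system,error,critical login failure for user admin from 198.51.100.7 via ssh
apr/23 09:15:00 system,info,account user ops logged in from 198.51.100.99 via winbox
"""

TRUSTED_NETS = [ip_network("192.168.88.0/24")]  # assumption: your management LAN

FAILURE = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
SUCCESS = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")


def is_trusted(source, trusted=TRUSTED_NETS):
    """True if source is an IP inside a trusted network; anything else is untrusted."""
    try:
        addr = ip_address(source)
    except ValueError:  # e.g. a MAC address from a layer-2 login
        return False
    return any(addr in net for net in trusted)


def review_logins(log_text, trusted=TRUSTED_NETS):
    """Return (kind, user, source, service) for each login from an untrusted source."""
    failed_sources = set()
    findings = []
    for line in log_text.splitlines():
        failure = FAILURE.search(line)
        if failure:
            if not is_trusted(failure.group(2), trusted):
                failed_sources.add(failure.group(2))
            continue
        success = SUCCESS.search(line)
        if success and not is_trusted(success.group(2), trusted):
            user, source, service = success.groups()
            kind = "failure-then-success" if source in failed_sources else "untrusted-success"
            findings.append((kind, user, source, service))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(*finding)
```
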

Comments

  • Clouvider Member, Patron Provider
    edited April 2018

    This will be interesting in all these pro DCs proudly using Mikrotik.

    Mikrotik = single routing engine = service affecting maintenance, assuming one even does it.

  • CIA has also hacked these and other routers installing their backdoor code. Might be worth buying Chinese routers instead :-)

  • Clouvider Member, Patron Provider

    @asterisk14 said:
    CIA has also hacked these and other routers installing their backdoor code. Might be worth buying Chinese routers instead :-)

    Proof or it didn’t happen.

    Thanked by 1 jackb
  • Snowden files? They (CIA) were intercepting packages with hardware, uploading their backdoors and sending them back to the guy that ordered this stuff. If I remember correctly their favorites to intercept were Cisco and Mikrotik.

  • Clouvider Member, Patron Provider

    @Ponury_Typ said:
    Snowden files? They (CIA) were intercepting packages with hardware, uploading their backdoors and sending them back to the guy that ordered this stuff. If I remember correctly their favorites to intercept were Cisco and Mikrotik.

    En masse?

    Proof or it didn’t happen.

    Thanked by 1 deadpool
  • deank Member, Troll

    Guilty until proven innocent.

    What a lovely era.

    Thanked by 2 Clouvider FHR
  • dfroe Member, Host Rep

    @Clouvider said:
    Mikrotik = single routing engine = service affecting maintenance, assuming one even does it.

    Well, why only install one, when you can have two? Those boxes of course support boring stuff like dynamic routing, vrrp etc. So if done right, one should be able to perform maintenance work with little downtime also in Mikrotik environments, even if they do not support "real HA" as such.

    Thanked by 1 FHR
  • omelas Member
    edited April 2018

    About the CIA thing:
    https://forum.mikrotik.com/viewtopic.php?t=119255

    And it looks like somebody reverse-engineered the exploit itself from leaked documents:
    https://github.com/BigNerd95/Chimay-Red

  • Clouvider Member, Patron Provider
    edited April 2018

    @dfroe said:
    little downtime
    even if they do not support "real HA" as such.

    These 2 are enough to avoid it in business use.

    I asked for the proof with regards to en masse infecting routers.

  • omelas Member
    edited April 2018

    @Clouvider said:

    @dfroe said:
    little downtime
    even if they do not support "real HA" as such.

    These 2 are enough to avoid it in business use.

    I asked for the proof with regards to en masse infecting routers.

    https://forum.mikrotik.com/viewtopic.php?f=21&t=119308&p=587512#p587512

    Mikrotik released a new patch (8.38.5) in reaction to it the day after the WikiLeaks release (March 2017).

    And it looks like someone was able to reverse-engineer and rediscover the exploit after a few months.

    https://github.com/BigNerd95/Chimay-Red

  • In regards to the CIA;

    The CIA would exploit any software that they found with a massive security hole, especially one with internet monitoring capabilities. This isn't an "American" issue in regards to where it is made.

    The CIA would exploit a Russian, Chinese, Canadian, European, or any other country's router if they found a way.

    The goal of every intelligence agency is to collect data from valuable sources.

    In regards to Cisco, they found out about said exploits by the CIA. They started making changes to the way they delivered packages. Including to drop dead sites. Or physical pick-ups of the devices for certain customers.

  • jsg Member, Resident Benchmarker

    @MrPsycho said:
    You've read the title. Go and either update your gear or at least block port 8291 (open by default).

    ... or put a non-Mikrotik firewall in front of your Mikrotik box, haha ...

  • Janevski Member
    edited April 2018

    off-topic: Regarding older exploit(s).

    There was something some time ago: CIA exploits against Mikrotik hardware

  • Actually I think everything is hacked but the point is "as and when we (public) become aware of it, we say oh shits!!!"

  • Hxxx Member
    edited April 2018

    as always people derailing the thread with all kind of imaginable shit.

    Just upgrade the damn routers and shut your mouth / fingers.

    :)

    Thanked by 1 FHR