If an outsider can't hit the http service on your router then you should
be ok. You'd also be ok if you're keeping up your ROS version on either
the "current" or "bugfix" track.
The second vulnerability I mentioned is only relevant if you've turned
on the SMB service, which is off by default.
-Adam
------ Original Message ------
From: "Steve Jones" <[email protected]>
To: [email protected]
Sent: 3/26/2018 9:28:47 PM
Subject: Re: [AFMUG] Mikrotik vulnerabilities
AFAIK (assuming my firewall mastery isn't as awful as I think it is) I
have a drop all input with an office ACL and allow connected Winbox,
but I do use RoMON with passwords. That should essentially "protect",
shouldn't it?
On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <[email protected]>
wrote:
I'm sure everyone here has a super duper uber secure network and never
has to worry about something like this:
http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html
That info is from January. If you have a MIPS BE or x86 MikroTik on
ROS 6.38.4 or lower and have the http service exposed to the world
then you could be hit by this. The remotely executable code could be
anything, even a remote shell which the attacker can use for any kind
of additional ongoing nonsense. Their CPU usage will show up as
"unclassified" in Tool -> Profile. I plead the 5th on how I know that
last part.
Also on March 12 they announced a remote exploit in the SMB service.
I don't imagine most of us use the SMB service though.
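
The exposure conditions discussed in this thread (architecture, ROS version, whether the http service is reachable from outside, whether SMB is turned on) can be checked across a router inventory. The script below is an added example, not part of the original messages; the inventory format, column names, finding labels and sample rows are constructed assumptions.

```python
import csv
import io
import re

AFFECTED_ARCHES = {"mipsbe", "x86"}  # "MIPS BE or x86", per the thread
LAST_AFFECTED = (6, 38, 4)           # "ROS 6.38.4 or lower", per the thread

# Constructed inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """\
name,arch,version,http_exposed,smb_enabled
tower-1,mipsbe,6.38.4,yes,no
tower-2,mipsbe,6.38.5,yes,no
core-1,x86,6.37.1 (stable),no,yes
cpe-7,arm,6.38.1,yes,no
office,mipsbe,6.41.3,no,no
"""

def parse_ros_version(text):
    """'6.38.4', '6.40', '6.37.1 (stable)' -> (major, minor, patch).
    A missing patch number counts as 0; rc/channel suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(row):
    """Findings for one inventory row, using only the thread's conditions."""
    findings = []
    affected = (row["arch"].strip().lower() in AFFECTED_ARCHES
                and parse_ros_version(row["version"]) <= LAST_AFFECTED)
    if affected:
        exposed = row["http_exposed"].strip().lower() == "yes"
        findings.append("http-exposed" if exposed else "http-affected-not-exposed")
    if row["smb_enabled"].strip().lower() == "yes":
        findings.append("smb-enabled")  # off by default; only relevant if on
    return findings

def triage_inventory(text):
    """Map router name -> findings, keeping only routers with findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        found = triage(row)
        if found:
            report[row["name"]] = found
    return report

if __name__ == "__main__":
    for name, found in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(found)}")
```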