What I found interesting is the SMB exploit is fixed in 6.41.3.
The only mention of SMB in the Changelog is this:
"*) smb - improved NetBIOS name handling and stability; "
So fixing a buffer overflow which resulted in arbitrary code execution =
"improved [...] stability" ?
Changelog is written by marketing dept maybe?
------ Original Message ------
From: "Colin Stanners" <[email protected]>
To: [email protected]
Sent: 3/26/2018 9:47:31 PM
Subject: Re: [AFMUG] Mikrotik vulnerabilities
Same as the external-drive-file-sharing feature in home routers... it
makes a cheap NAS. The only way you'd have that exposed to the outside
world is through huge inexperience or foolishness, but I'm sure that
you've seen by now that those users exist.
On Mon, Mar 26, 2018 at 8:42 PM, Steve Jones
<[email protected]> wrote:
why in jesus name would you turn that on?
On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <[email protected]>
wrote:
If an outsider can't hit the http service on your router then you
should be ok. You'd also be ok if you're keeping up your ROS version
on either the "current" or "bugfix" track.
The second vulnerability I mentioned is only relevant if you've
turned on the SMB service which is off by default.
-Adam
------ Original Message ------
From: "Steve Jones" <[email protected]>
To: [email protected]
Sent: 3/26/2018 9:28:47 PM
Subject: Re: [AFMUG] Mikrotik vulnerabilities
AFAIK (assuming my firewall mastery isn't as awful as I think it is)
I have a drop all input with an office ACL and allow connected
winbox, but I do use romon with passwords. That should essentially
"protect", shouldn't it?
On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <[email protected]>
wrote:
I'm sure everyone here has a super duper uber secure network and
never has to worry about something like this:
http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html
That info is from January. If you have a MIPS BE or x86 mikrotik
on ROS 6.38.4 or lower and have the http service exposed to the
world then you could be hit by this. The remotely executable code
could be anything, even a remote shell which the attacker can use
for any kind of additional ongoing nonsense. Their CPU usage will
show up as "unclassified" in Tool -> Profile. I plead the 5th on
how I know that last part.
Also on March 12 they announced a remote exploit in the SMB
service. I don't imagine most of us use the SMB service though.
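The thread's defensive advice (drop unsolicited traffic on the input chain, allow management only from the office, keep unused services such as www and SMB off, and stay on the "current" or "bugfix" track) can be checked against a concrete RouterOS configuration. The following is an added example written for this page, not a configuration posted by any of the participants; the address range 192.0.2.0/24 is a constructed placeholder for the office network and the comments are illustrative.

```routeros
# Office management network (constructed placeholder range; replace with yours)
/ip firewall address-list
add list=mgmt-allowed address=192.0.2.0/24 comment="office ACL"

# Input chain: only established/related replies and management from the office
# list get in; everything else addressed to the router itself is dropped.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to traffic the router started"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="basic reachability"
add chain=input src-address-list=mgmt-allowed action=accept \
    comment="winbox/www/ssh only from office ACL"
add chain=input action=drop comment="drop all other input"

# The http service is the exposure discussed above: turn it off unless needed,
# and keep SMB (off by default) off.
/ip service disable www
/ip smb set enabled=no

# Stay on a maintained track so fixes such as 6.41.3 are picked up.
/system package update set channel=bugfix
/system package update check-for-updates

# Verify: which services are still listening, and what the input chain looks like.
/ip service print
/ip firewall filter print where chain=input
```

The order of the filter rules matters: the accept for established/related must precede the final drop, and the address-list accept must precede it as well, otherwise an administrator on the office network locks themselves out. Apply changes from a Safe Mode Winbox session when working on a remote unit.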