Re: [AFMUG] Mikrotik vulnerabilities

2018-03-26 Thread Adam Moffett

What I found interesting is the SMB exploit is fixed in 6.41.3.

The only mention of SMB in the Changelog is this:
"*) smb - improved NetBIOS name handling and stability; "


So fixing a buffer overflow which resulted in arbitrary code execution = 
"improved [...] stability" ?


Changelog is written by marketing dept maybe?


-- Original Message --
From: "Colin Stanners" <cstann...@gmail.com>
To: af@afmug.com
Sent: 3/26/2018 9:47:31 PM
Subject: Re: [AFMUG] Mikrotik vulnerabilities

Same as the external-drive-file-sharing feature in home routers... it 
makes a cheap NAS. The only way you'd have that exposed to the outside 
world is through huge inexperience or foolishness, but I'm sure that 
you've seen by now that those users exist.


On Mon, Mar 26, 2018 at 8:42 PM, Steve Jones 
<thatoneguyst...@gmail.com> wrote:

Why in Jesus' name would you turn that on?

On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <dmmoff...@gmail.com> 
wrote:
If an outsider can't hit the http service on your router then you 
should be ok.  You'd also be ok if you're keeping up your ROS version 
on either the "current" or "bugfix" track.


The second vulnerability I mentioned is only relevant if you've 
turned on the SMB service which is off by default.


-Adam


-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 3/26/2018 9:28:47 PM
Subject: Re: [AFMUG] Mikrotik vulnerabilities

AFAIK (assuming my firewall mastery isn't as awful as I think it is) 
I have a drop all input with an office ACL and allow connected 
winbox, but I do use romon with passwords. That should essentially 
"protect", shouldn't it?


On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> 
wrote:
I'm sure everyone here has a super duper uber secure network and 
never has to worry about something like this:
http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html 


That info is from January.  If you have a MIPS BE or x86 mikrotik 
on ROS 6.38.4 or lower and have the http service exposed to the 
world then you could be hit by this.  The remotely executable code 
could be anything, even a remote shell which the attacker can use 
for any kind of additional ongoing nonsense.  Their CPU usage will 
show up as "unclassified" in Tool -> Profile.  I plead the 5th on 
how I know that last part.


Also on March 12 they announced a remote exploit in the SMB 
service.  I don't imagine most of us use the SMB service though.






Re: [AFMUG] Mikrotik vulnerabilities

2018-03-26 Thread Colin Stanners
Same as the external-drive-file-sharing feature in home routers... it makes
a cheap NAS. The only way you'd have that exposed to the outside world is
through huge inexperience or foolishness, but I'm sure that you've seen by
now that those users exist.

On Mon, Mar 26, 2018 at 8:42 PM, Steve Jones <thatoneguyst...@gmail.com>
wrote:

> Why in Jesus' name would you turn that on?
>
> On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
>
>> If an outsider can't hit the http service on your router then you should
>> be ok.  You'd also be ok if you're keeping up your ROS version on either
>> the "current" or "bugfix" track.
>>
>> The second vulnerability I mentioned is only relevant if you've turned on
>> the SMB service which is off by default.
>>
>> -Adam
>>
>>
>> -- Original Message --
>> From: "Steve Jones" <thatoneguyst...@gmail.com>
>> To: af@afmug.com
>> Sent: 3/26/2018 9:28:47 PM
>> Subject: Re: [AFMUG] Mikrotik vulnerabilities
>>
>> AFAIK (assuming my firewall mastery isn't as awful as I think it is) I
>> have a drop all input with an office ACL and allow connected winbox, but I
>> do use romon with passwords. That should essentially "protect", shouldn't it?
>>
>> On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com>
>> wrote:
>>
>>> I'm sure everyone here has a super duper uber secure network and never
>>> has to worry about something like this:
>>> http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html
>>>
>>> That info is from January.  If you have a MIPS BE or x86 mikrotik on ROS
>>> 6.38.4 or lower and have the http service exposed to the world then you
>>> could be hit by this.  The remotely executable code could be anything, even
>>> a remote shell which the attacker can use for any kind of additional
>>> ongoing nonsense.  Their CPU usage will show up as "unclassified" in Tool
>>> -> Profile.  I plead the 5th on how I know that last part.
>>>
>>> Also on March 12 they announced a remote exploit in the SMB service.  I
>>> don't imagine most of us use the SMB service though.
>>>
>>
>>
>


Re: [AFMUG] Mikrotik vulnerabilities

2018-03-26 Thread Steve Jones
Why in Jesus' name would you turn that on?

On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

> If an outsider can't hit the http service on your router then you should
> be ok.  You'd also be ok if you're keeping up your ROS version on either
> the "current" or "bugfix" track.
>
> The second vulnerability I mentioned is only relevant if you've turned on
> the SMB service which is off by default.
>
> -Adam
>
>
> -- Original Message --
> From: "Steve Jones" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Sent: 3/26/2018 9:28:47 PM
> Subject: Re: [AFMUG] Mikrotik vulnerabilities
>
> AFAIK (assuming my firewall mastery isn't as awful as I think it is) I have
> a drop all input with an office ACL and allow connected winbox, but I do
> use romon with passwords. That should essentially "protect", shouldn't it?
>
> On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
>
>> I'm sure everyone here has a super duper uber secure network and never
>> has to worry about something like this:
>> http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html
>>
>> That info is from January.  If you have a MIPS BE or x86 mikrotik on ROS
>> 6.38.4 or lower and have the http service exposed to the world then you
>> could be hit by this.  The remotely executable code could be anything, even
>> a remote shell which the attacker can use for any kind of additional
>> ongoing nonsense.  Their CPU usage will show up as "unclassified" in Tool
>> -> Profile.  I plead the 5th on how I know that last part.
>>
>> Also on March 12 they announced a remote exploit in the SMB service.  I
>> don't imagine most of us use the SMB service though.
>>
>
>


Re: [AFMUG] Mikrotik vulnerabilities

2018-03-26 Thread Adam Moffett
If an outsider can't hit the http service on your router then you should 
be ok.  You'd also be ok if you're keeping up your ROS version on either 
the "current" or "bugfix" track.


The second vulnerability I mentioned is only relevant if you've turned 
on the SMB service which is off by default.


-Adam


-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 3/26/2018 9:28:47 PM
Subject: Re: [AFMUG] Mikrotik vulnerabilities

AFAIK (assuming my firewall mastery isn't as awful as I think it is) I 
have a drop all input with an office ACL and allow connected winbox, 
but I do use romon with passwords. That should essentially "protect", 
shouldn't it?


On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> 
wrote:
I'm sure everyone here has a super duper uber secure network and never 
has to worry about something like this:
http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html 


That info is from January.  If you have a MIPS BE or x86 mikrotik on 
ROS 6.38.4 or lower and have the http service exposed to the world 
then you could be hit by this.  The remotely executable code could be 
anything, even a remote shell which the attacker can use for any kind 
of additional ongoing nonsense.  Their CPU usage will show up as 
"unclassified" in Tool -> Profile.  I plead the 5th on how I know that 
last part.


Also on March 12 they announced a remote exploit in the SMB service.  
I don't imagine most of us use the SMB service though.


Re: [AFMUG] Mikrotik vulnerabilities

2018-03-26 Thread Steve Jones
AFAIK (assuming my firewall mastery isn't as awful as I think it is) I have
a drop all input with an office ACL and allow connected winbox, but I do
use romon with passwords. That should essentially "protect", shouldn't it?

On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett  wrote:

> I'm sure everyone here has a super duper uber secure network and never has
> to worry about something like this:
> http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html
>
> That info is from January.  If you have a MIPS BE or x86 mikrotik on ROS
> 6.38.4 or lower and have the http service exposed to the world then you
> could be hit by this.  The remotely executable code could be anything, even
> a remote shell which the attacker can use for any kind of additional
> ongoing nonsense.  Their CPU usage will show up as "unclassified" in Tool
> -> Profile.  I plead the 5th on how I know that last part.
>
> Also on March 12 they announced a remote exploit in the SMB service.  I
> don't imagine most of us use the SMB service though.
>


[AFMUG] Mikrotik vulnerabilities

2018-03-26 Thread Adam Moffett
I'm sure everyone here has a super duper uber secure network and never 
has to worry about something like this:

http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html

That info is from January.  If you have a MIPS BE or x86 mikrotik on ROS 
6.38.4 or lower and have the http service exposed to the world then you 
could be hit by this.  The remotely executable code could be anything, 
even a remote shell which the attacker can use for any kind of 
additional ongoing nonsense.  Their CPU usage will show up as 
"unclassified" in Tool -> Profile.  I plead the 5th on how I know that 
last part.


Also on March 12 they announced a remote exploit in the SMB service.  I 
don't imagine most of us use the SMB service though.
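
An added example, not part of the original thread or any poster's code: a fleet triage that applies only the criteria stated in this thread (HTTP issue on MIPS BE or x86 at ROS 6.38.4 or lower, SMB issue fixed in 6.41.3 and only relevant when SMB is enabled). The `Router` record, the `mipsbe`/`x86` architecture strings and the inventory are assumptions constructed for illustration; since the thread names only one fixed SMB version, anything below 6.41.3 is treated as unfixed.

```python
import re
from dataclasses import dataclass

# Thresholds as stated in the thread; nothing else is assumed about the bugs.
HTTP_LAST_AFFECTED = (6, 38, 4)   # "ROS 6.38.4 or lower"
HTTP_ARCHES = {"mipsbe", "x86"}   # "MIPS BE or x86" (arch strings are assumed)
SMB_FIXED = (6, 41, 3)            # "the SMB exploit is fixed in 6.41.3"

@dataclass
class Router:                      # hypothetical inventory record
    name: str
    version: str                   # e.g. "6.41rc52 (testing)"
    arch: str
    http_reachable: bool           # www service reachable from outside
    smb_enabled: bool              # SMB is off by default

def version_key(text):
    """Sortable key; a pre-release sorts below the release it precedes."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(rc|beta)?", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)

def triage(r):
    """Return the findings that apply to one router."""
    key, findings = version_key(r.version), []
    if r.arch in HTTP_ARCHES and key <= HTTP_LAST_AFFECTED + (1,):
        findings.append("http: reachable, upgrade now" if r.http_reachable
                        else "http: affected version, not reachable")
    if r.smb_enabled and key < SMB_FIXED + (1,):
        findings.append("smb: enabled below 6.41.3")
    return findings

# Constructed sample inventory, not real devices.
INVENTORY = [
    Router("tower-1", "6.38.4", "mipsbe", True, False),
    Router("tower-2", "6.38.5 (bugfix)", "mipsbe", True, False),
    Router("office", "6.41rc52 (testing)", "arm", False, True),
    Router("core", "6.41.3 (stable)", "x86", True, True),
    Router("lab", "6.37", "x86", False, True),
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(f"{r.name:8} {r.version:20} {triage(r) or 'ok'}")
```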