Re: [AFMUG] Mikrotik vulnerabilities
What I found interesting is the SMB exploit is fixed in 6.41.3. The only mention of SMB in the Changelog is this: "*) smb - improved NetBIOS name handling and stability; " So fixing a buffer overflow which resulted in arbitrary code execution = "improved [...] stability" ? Changelog is written by marketing dept maybe? -- Original Message -- From: "Colin Stanners" <cstann...@gmail.com> To: af@afmug.com Sent: 3/26/2018 9:47:31 PM Subject: Re: [AFMUG] Mikrotik vulnerabilities Same as the external-drive-file-sharing feature in home routers... it makes a cheap NAS. The only way you'd have that exposed to the outside world is through huge inexperience or foolishness, but I'm sure that you've seen by now that those users exist. On Mon, Mar 26, 2018 at 8:42 PM, Steve Jones <thatoneguyst...@gmail.com> wrote: why in jesus name would you turn that on? On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <dmmoff...@gmail.com> wrote: If an outsider can't hit the http service on your router then you should be ok. You'd also be ok if you're keeping up your ROS version on either the "current" or "bugfix" track. The second vulnerability I mentioned is only relevant if you've turned on the SMB service which is off by default. -Adam -- Original Message -- From: "Steve Jones" <thatoneguyst...@gmail.com> To: af@afmug.com Sent: 3/26/2018 9:28:47 PM Subject: Re: [AFMUG] Mikrotik vulnerabilities AFAIK (assuming my firewall mastery isnt as awful as i think it is) I have a drop all input with an office ACL and allow connected winbox, but i do use romon with passwords. that should essentially "protect" shouldnt it? On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> wrote: I'm sure everyone here has a super duper uber secure network and never has to worry about something like this: http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html <http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html> That info is from January. If you have a MIPS BE or x86 mikrotik on ROS 6.38.4 or lower and have the http service exposed to the world then you could be hit by this. The remotely executable code could be anything, even a remote shell which the attacker can use for any kind of additional ongoing nonsense. Their CPU usage will show up as "unclassified" in Tool -> Profile. I plead the 5th on how I know that last part. Also on March 12 they announced a remote exploit in the SMB service. I don't imagine most of us use the SMB service though.
Re: [AFMUG] Mikrotik vulnerabilities
Same as the external-drive-file-sharing feature in home routers... it makes a cheap NAS. The only way you'd have that exposed to the outside world is through huge inexperience or foolishness, but I'm sure that you've seen by now that those users exist. On Mon, Mar 26, 2018 at 8:42 PM, Steve Jones <thatoneguyst...@gmail.com> wrote: > why in jesus name would you turn that on? > > On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <dmmoff...@gmail.com> wrote: > >> If an outsider can't hit the http service on your router then you should >> be ok. You'd also be ok if you're keeping up your ROS version on either >> the "current" or "bugfix" track. >> >> The second vulnerability I mentioned is only relevant if you've turned on >> the SMB service which is off by default. >> >> -Adam >> >> >> -- Original Message -- >> From: "Steve Jones" <thatoneguyst...@gmail.com> >> To: af@afmug.com >> Sent: 3/26/2018 9:28:47 PM >> Subject: Re: [AFMUG] Mikrotik vulnerabilities >> >> AFAIK (assuming my firewall mastery isnt as awful as i think it is) I >> have a drop all input with an office ACL and allow connected winbox, but i >> do use romon with passwords. that should essentially "protect" shouldnt it? >> >> On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> >> wrote: >> >>> I'm sure everyone here has a super duper uber secure network and never >>> has to worry about something like this: >>> http://seclist.us/chimayred-reverse-engineering-of-mikrotik- >>> exploits-from-vault-7-cia-leaks.html >>> >>> That info is from January. If you have a MIPS BE or x86 mikrotik on ROS >>> 6.38.4 or lower and have the http service exposed to the world then you >>> could be hit by this. The remotely executable code could be anything, even >>> a remote shell which the attacker can use for any kind of additional >>> ongoing nonsense. Their CPU usage will show up as "unclassified" in Tool >>> -> Profile. I plead the 5th on how I know that last part. >>> >>> Also on March 12 they announced a remote exploit in the SMB service. I >>> don't imagine most of us use the SMB service though. >>> >> >> >
Re: [AFMUG] Mikrotik vulnerabilities
why in jesus name would you turn that on? On Mon, Mar 26, 2018 at 8:40 PM, Adam Moffett <dmmoff...@gmail.com> wrote: > If an outsider can't hit the http service on your router then you should > be ok. You'd also be ok if you're keeping up your ROS version on either > the "current" or "bugfix" track. > > The second vulnerability I mentioned is only relevant if you've turned on > the SMB service which is off by default. > > -Adam > > > -- Original Message -- > From: "Steve Jones" <thatoneguyst...@gmail.com> > To: af@afmug.com > Sent: 3/26/2018 9:28:47 PM > Subject: Re: [AFMUG] Mikrotik vulnerabilities > > AFAIK (assuming my firewall mastery isnt as awful as i think it is) I have > a drop all input with an office ACL and allow connected winbox, but i do > use romon with passwords. that should essentially "protect" shouldnt it? > > On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> wrote: > >> I'm sure everyone here has a super duper uber secure network and never >> has to worry about something like this: >> http://seclist.us/chimayred-reverse-engineering-of-mikrotik- >> exploits-from-vault-7-cia-leaks.html >> >> That info is from January. If you have a MIPS BE or x86 mikrotik on ROS >> 6.38.4 or lower and have the http service exposed to the world then you >> could be hit by this. The remotely executable code could be anything, even >> a remote shell which the attacker can use for any kind of additional >> ongoing nonsense. Their CPU usage will show up as "unclassified" in Tool >> -> Profile. I plead the 5th on how I know that last part. >> >> Also on March 12 they announced a remote exploit in the SMB service. I >> don't imagine most of us use the SMB service though. >> > >
Re: [AFMUG] Mikrotik vulnerabilities
If an outsider can't hit the http service on your router then you should be ok. You'd also be ok if you're keeping up your ROS version on either the "current" or "bugfix" track. The second vulnerability I mentioned is only relevant if you've turned on the SMB service which is off by default. -Adam -- Original Message -- From: "Steve Jones" <thatoneguyst...@gmail.com> To: af@afmug.com Sent: 3/26/2018 9:28:47 PM Subject: Re: [AFMUG] Mikrotik vulnerabilities AFAIK (assuming my firewall mastery isnt as awful as i think it is) I have a drop all input with an office ACL and allow connected winbox, but i do use romon with passwords. that should essentially "protect" shouldnt it? On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffett <dmmoff...@gmail.com> wrote: I'm sure everyone here has a super duper uber secure network and never has to worry about something like this: http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html <http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html> That info is from January. If you have a MIPS BE or x86 mikrotik on ROS 6.38.4 or lower and have the http service exposed to the world then you could be hit by this. The remotely executable code could be anything, even a remote shell which the attacker can use for any kind of additional ongoing nonsense. Their CPU usage will show up as "unclassified" in Tool -> Profile. I plead the 5th on how I know that last part. Also on March 12 they announced a remote exploit in the SMB service. I don't imagine most of us use the SMB service though.
Re: [AFMUG] Mikrotik vulnerabilities
AFAIK (assuming my firewall mastery isnt as awful as i think it is) I have a drop all input with an office ACL and allow connected winbox, but i do use romon with passwords. that should essentially "protect" shouldnt it? On Mon, Mar 26, 2018 at 8:24 PM, Adam Moffettwrote: > I'm sure everyone here has a super duper uber secure network and never has > to worry about something like this: > http://seclist.us/chimayred-reverse-engineering-of- > mikrotik-exploits-from-vault-7-cia-leaks.html > > That info is from January. If you have a MIPS BE or x86 mikrotik on ROS > 6.38.4 or lower and have the http service exposed to the world then you > could be hit by this. The remotely executable code could be anything, even > a remote shell which the attacker can use for any kind of additional > ongoing nonsense. Their CPU usage will show up as "unclassified" in Tool > -> Profile. I plead the 5th on how I know that last part. > > Also on March 12 they announced a remote exploit in the SMB service. I > don't imagine most of us use the SMB service though. >
[AFMUG] Mikrotik vulnerabilities
I'm sure everyone here has a super duper uber secure network and never has to worry about something like this: http://seclist.us/chimayred-reverse-engineering-of-mikrotik-exploits-from-vault-7-cia-leaks.html That info is from January. If you have a MIPS BE or x86 mikrotik on ROS 6.38.4 or lower and have the http service exposed to the world then you could be hit by this. The remotely executable code could be anything, even a remote shell which the attacker can use for any kind of additional ongoing nonsense. Their CPU usage will show up as "unclassified" in Tool -> Profile. I plead the 5th on how I know that last part. Also on March 12 they announced a remote exploit in the SMB service. I don't imagine most of us use the SMB service though.