Fwd: CIA Exploits on Mikrotik Hardware /Software
---------- Forwarded message ---------- From: Tom Smyth <tom.smyth@wirelessconnect.eu> Date: Wed, Mar 8, 2017 at 3:02 PM Subject: CIA Exploits on Mikrotik Hardware /Software To: INEX Members Technical Mailing List <tech@inex.ie> Hi Lads, For MikroTik Users in the community there are apparently live exploits for MikroTik software and apparently this was used by the CIA, if the tools are released in the wild this would represent a significant threat to your ISPs for those of you who have MikroTik Routers with public IPs on them and if they are not adequately filtered, I would humbly suggest that you apply best practices and filter the management services and disable any management services that you dont absolutely need, for further details please find the following More Details on the MikroTik CIA Exploits https://forum.mikrotik.com/viewtopic.php?t=119255 you can disable un needed administration services in IP/services menu, and I would suggest filtering access to the management ports and disabling the web management interface altogether and disable ftp If you want to protect the Routers apply filters on the input chain of the Firewall Filter, tcp dstport 22 for ssh tcp dstport 8291 for winbox tcp dstport 23 for telnet tcp dstport 8729 api tcp dstport 8728 api tcp dstport 20,21 ftp be aware that the api interfaces could have been enabled if you were upgrading the software from an older version I have included a sample configuration script below just to help But make sure to adjust it to suit your own needs... /ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set www-ssl certificate=cert1 disabled=yes set api disabled=yes set api-ssl disabled=yes /ip firewall address-list add address=5.134.88.0/29 list=Management #STOP REPLACE the address above with your management ip ranges #copy the lines to add more ips /ip firewall filter add action=accept chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=22 src-address-list=Management_ipprotocol=tcp add action=accept chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8291 src-address-list=Management_ipprotocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=22 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8291 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=23 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=21 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8729 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8728 protocol=tcp after running that script on your mikrotik Firewall ensure the rules that you added are moved straight to the top of the firewall rule set .... it is important to note that full details on the exploits are not available but any service that Mikrotik is running could be an entry point so bear that in mind , eg , NTP DNS ... Hotspot , CDP / MNDP / and the long list of VPN services that can be configured on MikroTik... -- Kindest regards, Tom Smyth Mobile: +353 87 6193172 --------------------------------- PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
Hello, there were 2 typos on that maiil 1) I used lads (sorry force of habit) was meant in the sense of Gender Neutrality as opposed to excluding ladies, 2) the sample firewall rules had a space missing with the wrong address list name :/ I have corrected them below On Wed, Mar 8, 2017 at 3:17 PM, Tom Smyth <tom.smyth@wirelessconnect.eu> wrote:
---------- Forwarded message ---------- From: Tom Smyth <tom.smyth@wirelessconnect.eu> Date: Wed, Mar 8, 2017 at 3:02 PM Subject: CIA Exploits on Mikrotik Hardware /Software To: INEX Members Technical Mailing List <tech@inex.ie>
Hello
For MikroTik Users in the community there are apparently live exploits for MikroTik software and apparently this was used by the CIA, if the tools are released in the wild this would represent a significant threat to your ISPs for those of you who have MikroTik Routers with public IPs on them and if they are not adequately filtered,
I would humbly suggest that you apply best practices and filter the management services and disable any management services that you dont absolutely need,
for further details please find the following
More Details on the MikroTik CIA Exploits https://forum.mikrotik.com/viewtopic.php?t=119255
you can disable un needed administration services in IP/services menu,
and I would suggest filtering access to the management ports and disabling the web management interface altogether and disable ftp
If you want to protect the Routers apply filters on the input chain of the Firewall Filter,
tcp dstport 22 for ssh tcp dstport 8291 for winbox tcp dstport 23 for telnet tcp dstport 8729 api tcp dstport 8728 api tcp dstport 20,21 ftp be aware that the api interfaces could have been enabled if you were upgrading the software from an older version
I have included a sample configuration script below just to help But make sure to adjust it to suit your own needs...
/ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set www-ssl certificate=cert1 disabled=yes set api disabled=yes set api-ssl disabled=yes
/ip firewall address-list add address=5.134.88.0/29 list=Management
#STOP REPLACE the address above with your management ip ranges #copy the lines to add more ips
/ip firewall filter add action=accept chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=22 src-address-list=Management protocol=tcp add action=accept chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8291 src-address-list=Management protocol=tcp
add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=22 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8291 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=23 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=21 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8729 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8728 protocol=tcp
after running that script on your mikrotik Firewall ensure the rules that you added are moved straight to the top of the firewall rule set ....
it is important to note that full details on the exploits are not available but any service that Mikrotik is running could be an entry point so bear that in mind ,
eg , NTP DNS ... Hotspot , CDP / MNDP / and the long list of VPN services that can be configured on MikroTik...
-- Kindest regards, Tom Smyth
Mobile: +353 87 6193172 --------------------------------- PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
-- Kindest regards, Tom Smyth Mobile: +353 87 6193172 --------------------------------- PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
I got a question from a colleague that highlights an omission / lack of clarification on my initial mail and i wanted to share... As far as im aware and from tests i carried out about 7 or 8 years ago The allowed from ip addresses in ip services menu uses tcp wrapers and actually allows tcp connections from any address (regardless of what ips you specified) the decision to allow or deny a user login is taken after the connection is made so there could be a window for the exploit to be uploaded. That is why i recommended using the ip firewall instead to enforce the policy as the ip firewall will act on connection attempts and prevent an unauthorised src address from making a connection to the box in the first place I hope this helps Tom Smyth On 8 Mar 2017 3:31 PM, "Tom Smyth" <tom.smyth@wirelessconnect.eu> wrote:
Hello, there were 2 typos on that maiil
1) I used lads (sorry force of habit) was meant in the sense of Gender Neutrality as opposed to excluding ladies,
2) the sample firewall rules had a space missing with the wrong address list name :/
I have corrected them below
On Wed, Mar 8, 2017 at 3:17 PM, Tom Smyth <tom.smyth@wirelessconnect.eu> wrote:
---------- Forwarded message ---------- From: Tom Smyth <tom.smyth@wirelessconnect.eu> Date: Wed, Mar 8, 2017 at 3:02 PM Subject: CIA Exploits on Mikrotik Hardware /Software To: INEX Members Technical Mailing List <tech@inex.ie>
Hello
For MikroTik Users in the community there are apparently live exploits for MikroTik software and apparently this was used by the CIA, if the tools are released in the wild this would represent a significant threat to your ISPs for those of you who have MikroTik Routers with public IPs on them and if they are not adequately filtered,
I would humbly suggest that you apply best practices and filter the management services and disable any management services that you dont absolutely need,
for further details please find the following
More Details on the MikroTik CIA Exploits https://forum.mikrotik.com/viewtopic.php?t=119255
you can disable un needed administration services in IP/services menu,
and I would suggest filtering access to the management ports and disabling the web management interface altogether and disable ftp
If you want to protect the Routers apply filters on the input chain of the Firewall Filter,
tcp dstport 22 for ssh tcp dstport 8291 for winbox tcp dstport 23 for telnet tcp dstport 8729 api tcp dstport 8728 api tcp dstport 20,21 ftp be aware that the api interfaces could have been enabled if you were upgrading the software from an older version
I have included a sample configuration script below just to help But make sure to adjust it to suit your own needs...
/ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set www-ssl certificate=cert1 disabled=yes set api disabled=yes set api-ssl disabled=yes
/ip firewall address-list add address=5.134.88.0/29 list=Management
#STOP REPLACE the address above with your management ip ranges #copy the lines to add more ips
/ip firewall filter add action=accept chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=22 src-address-list=Management protocol=tcp add action=accept chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8291 src-address-list=Management protocol=tcp
add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=22 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8291 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=23 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=21 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8729 protocol=tcp add action=drop chain=input comment="Drop input Rule to protect MikroTik Devices" dst-port=8728 protocol=tcp
after running that script on your mikrotik Firewall ensure the rules that you added are moved straight to the top of the firewall rule set ....
it is important to note that full details on the exploits are not available but any service that Mikrotik is running could be an entry point so bear that in mind ,
eg , NTP DNS ... Hotspot , CDP / MNDP / and the long list of VPN services that can be configured on MikroTik...
-- Kindest regards, Tom Smyth
Mobile: +353 87 6193172 --------------------------------- PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
-- Kindest regards, Tom Smyth
Mobile: +353 87 6193172 --------------------------------- PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
participants (1)
-
Tom Smyth