It was discovered on the 23rd of April 2018 that a remote vulnerability in the Winbox service on RouterOS based devices (Mikrotik / Routerboard devices) was being exploited in the wild. This currently affects RouterOS versions v6.29 through v6.42 in the current channel (and up to v6.43rc3 in the release candidate channel).
Version 6.42.1 for current (and v6.43rc4 for release candidate) has just been released, which fixes this vulnerability, and you should upgrade to it as soon as possible.
While it currently remains uncertain exactly how the exploit works, it would appear that a remote user can connect to the WinBox port (which is port 8291 by default), and download a user database file, without successfully authenticating. The remote user can then log in, and take control of the router.
This will appear in the RouterOS logs, as a WinBox connection attempt that fails, and then a second attempt, which is successful.
This remote exploit relies on the WinBox service being reachable, so if you don’t have it enabled, you are blocking it via an IP firewall rule, or you are restricting users via the WinBox service’s ‘Available From’ list, you should be safe from this vulnerability affecting you. However, there is a chance that it could be exploited from inside the LAN by a malicious user if your rules allow access on the LAN side.
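The log pattern described above (a failed WinBox login immediately followed by a successful one from the same address) is something you can search for in your own logs. The following is an added example, not part of the original post: it parses a constructed sample in the style of "/log print" output (the exact wording of the login messages is assumed) and flags a success that follows a failure from the same source within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RouterOS "/log print" output (assumption: the
# "login failure ... via winbox" / "logged in ... via winbox" wording matches
# what RouterOS writes for failed and successful Winbox logins).
SAMPLE_LOG = """\
apr/23 10:15:01 system,error,critical login failure for user admin from 203.0.113.7 via winbox
apr/23 10:15:03 system,info,account user admin logged in from 203.0.113.7 via winbox
apr/23 11:00:00 system,error,critical login failure for user admin from 192.168.88.20 via winbox
apr/23 11:30:00 system,info,account user admin logged in from 192.168.88.20 via winbox
apr/23 12:00:00 system,info,account user admin logged in from 192.168.88.10 via winbox
"""

LINE_RE = re.compile(r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<ip>\S+) via winbox")
OK_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+) via winbox")


def parse_ts(stamp, year=2018):
    """RouterOS log stamps omit the year; supply it so entries can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b/%d %H:%M:%S")


def find_suspicious_logins(log_text, window=timedelta(minutes=5)):
    """Flag successful Winbox logins that follow a failed login from the same
    source address within `window`, the sequence described for this exploit.
    Returns a list of (ip, user, failure_time, success_time)."""
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line we understand
        when = parse_ts(m.group("ts"))
        msg = m.group("msg")
        failed = FAIL_RE.search(msg)
        if failed:
            failures[failed.group("ip")].append(when)
            continue
        ok = OK_RE.search(msg)
        if ok:
            ip = ok.group("ip")
            recent = [t for t in failures[ip] if timedelta(0) <= when - t <= window]
            if recent:
                hits.append((ip, ok.group("user"), max(recent), when))
    return hits


if __name__ == "__main__":
    for ip, user, failed_at, ok_at in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ip}: failed login for {user} at {failed_at:%H:%M:%S}, "
              f"then success at {ok_at:%H:%M:%S}")
```

A mistyped password followed by a correct one produces the same two lines, so treat a hit as a reason to check the source address and the user database, not as proof of compromise on its own. Widening the window catches slower sequences at the cost of more of these benign matches.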
For more information on the exploit, please read the forum post on the Mikrotik site:
Advisory: Vulnerability exploiting the Winbox port
Here are some options to prevent your RouterOS device from being exploited. You may not need to do all of them to prevent this vulnerability, but the more locked down the router is, the better.
Block WinBox access
If you manage your router using another method, such as SSH, and you don’t actually need WinBox access, you can simply disable the WinBox service.
/ip service set winbox disabled=yes
Restrict WinBox access using the “Available From” list
Sometimes you may need to remotely manage a RouterOS device using WinBox. If the remote device that needs to connect has a static IP address that doesn’t change, you can set up a filter on the WinBox service itself, using an “Available From” list.
You can use the following command to set up a number of allowed IP addresses/networks that can connect to the WinBox service. Once this has been set, only addresses in the specified list of addresses will be able to connect.
/ip service set winbox address="192.168.0.1/24, 10.0.0.44/32"
In this example, the 192.168.0.* network is allowed, as well as the individual 10.0.0.44 IP address.
Keep in mind all IP addresses that you may need to add, to prevent you locking yourself out of the router, as this can prevent access from the LAN side as well.
Restrict WinBox access using the IP firewall
If you are using a version of RouterOS that has address-list functionality:
Create an address list called WinboxAccess and assign IP addresses and networks to the list
/ip firewall address-list add list=WinboxAccess address="192.168.0.0/24"
/ip firewall address-list add list=WinboxAccess address="10.0.0.44/32"
Add as many IP addresses/networks as needed to the address list.
Set up a firewall to block WinBox access from any addresses/networks that are not specified in the WinboxAccess address list.
/ip firewall filter add chain=input src-address-list=!WinboxAccess protocol=tcp dst-port=8291 action=drop place-before=0
This adds a filter rule at the very beginning of your firewall filter chain, blocking access to the WinBox service from any IP address not in the WinboxAccess address list created above.
In this example, the 192.168.0.* network is allowed, as well as the individual 10.0.0.44 IP address.
Keep in mind all IP addresses that you may need to add, to prevent you locking yourself out of the router, as this can prevent access from the LAN side as well.
Upgrade RouterOS to v6.42.1 or higher
Check your current version, and check for a new version of RouterOS.
/system package update check-for-updates
Example output showing a new version available:
            channel: current
    current-version: 6.42
     latest-version: 6.42.1
             status: New version is available
If you are on a version between (and including) v6.29 through to v6.42, you should upgrade to prevent someone from exploiting this vulnerability.
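To check a version string against the affected range stated above without doing the comparison by hand, here is an added example (not from the original post or from Mikrotik). It orders RouterOS versions so that release candidates sort before the final release (6.43rc3 < 6.43rc4 < 6.43), applies the affected/fixed boundaries given in this post, and parses the check-for-updates output shown above, whether it arrives on one line or several.

```python
import re

# Matches RouterOS version strings as shown by
# "/system package update check-for-updates": 6.42, 6.42.1, 6.43rc3
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse_version(text):
    """Turn a RouterOS version into a tuple that sorts correctly, with release
    candidates ordered before the final release: 6.43rc3 < 6.43rc4 < 6.43."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_key = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + rc_key


# Boundaries taken from the advisory text in this post: affected from 6.29
# up to 6.42 (current) and up to 6.43rc3 (release candidate); fixed in
# 6.42.1 and 6.43rc4 respectively.
FIRST_AFFECTED = parse_version("6.29")
FIXED_CURRENT = parse_version("6.42.1")
FIXED_RC = parse_version("6.43rc4")


def is_vulnerable(version):
    """True if `version` falls inside the affected range for its channel."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    is_rc = v[3] == 0  # rc_key marker: 0 = release candidate, 1 = final
    return v < (FIXED_RC if is_rc else FIXED_CURRENT)


def assess_update_output(text):
    """Parse the 'key: value' pairs printed by check-for-updates and report
    whether the installed and the offered versions are affected."""
    fields = dict(re.findall(r"(\S+):\s+(\S+)", text))
    current, latest = fields["current-version"], fields["latest-version"]
    return {
        "current": current,
        "latest": latest,
        "current_vulnerable": is_vulnerable(current),
        "latest_vulnerable": is_vulnerable(latest),
    }


if __name__ == "__main__":
    # Constructed from the example output shown above.
    sample = ("channel: current current-version: 6.42 "
              "latest-version: 6.42.1 status: New version is available")
    print(assess_update_output(sample))
```

The rc handling matters here: a plain numeric comparison would rank 6.43rc3 above 6.42.1 and call it safe, when the post lists it as affected.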
The following command will download and install the latest update.
/system package update install
The router will download the updated RouterOS packages, install them, and proceed to automatically reboot.
            channel: current
    current-version: 6.42
     latest-version: 6.42.1
             status: Downloaded 23% (2.3MiB)
You can also upgrade the Firmware if needed.
Check the firmware version, and determine if you need to upgrade.
/system routerboard print
It should print out the version you are on, and whether an upgraded version is available.
       routerboard: yes
             model: 750G
     serial-number: xxxxxxxxxxxxxx
     firmware-type: ar7100
  factory-firmware: 2.27
  current-firmware: 6.42
  upgrade-firmware: 6.42.1
To upgrade the firmware, run the following command:
/system routerboard upgrade
You will be prompted whether you want to upgrade the firmware. Press “y” to proceed.
Do you really want to upgrade firmware? [y/n] y
23:47:59 echo: system,info,critical Firmware upgraded successfully, please reboot for changes to take effect!
Finally, reboot to bring the system up to date:
/system reboot
Press “y” to confirm the reboot.
Reboot, yes? [y/N]: y
system will reboot shortly
Your router should now be up to date.
Change the WinBox port
While this won’t prevent the attack, it may help in preventing probes and future automated exploit attempts.
/ip service set winbox port=8299
Please pick a random port number, and take note of it for later.
You will need to enter the port number, after the ip address, in the WinBox “Connect To” field, separated by a colon character.
eg.
192.168.88.1:8299
This option should still be done in conjunction with one of the IP filtering options above.
Please note that if you change the port number, and you are using IP firewall rules to limit access, make sure you update the rules to use the new port number.
Change your passwords
If you believe you may have been vulnerable to this attack, it is strongly recommended that you change your passwords on your device.
If the WinBox service was remotely accessible, it’s possible for the entire device to be compromised.
Further steps to lock down the device
While exploits like this are found from time to time, it’s best to keep your router as locked down as possible, to minimize the possible attack surface.
For more info on locking down a Mikrotik RouterOS based device, please have a read of my other article:
Secure MikroTik RouterOS Router via CLI