CIA Exploits on Mikrotik Hardware /Software

Hi Lads,

For MikroTik users in the community: there are apparently live exploits
for MikroTik software, and apparently these were used by the CIA. If the
tools are released in the wild this would represent a significant
threat to your ISPs, for those of you who have MikroTik routers with
public IPs on them that are not adequately filtered.

I would humbly suggest that you apply best practices, filter the
management services and disable any management services that you don't
absolutely need.

For further details, please see the following:

More Details on the MikroTik CIA Exploits
https://forum.mikrotik.com/viewtopic.php?t=119255

You can disable unneeded administration services in the
IP/Services menu,

and I would suggest filtering access to the management ports,
disabling the web management interface altogether and disabling FTP.

If you want to protect the routers, apply filters on the input chain of
the firewall filter:

tcp dst-port 22 for SSH
tcp dst-port 8291 for WinBox
tcp dst-port 23 for Telnet
tcp dst-port 8729 for API
tcp dst-port 8728 for API
tcp dst-port 20,21 for FTP

Be aware that the API interfaces could have been enabled if you
upgraded the software from an older version.

I have included a sample configuration script below just to help, but
make sure to adjust it to suit your own needs...

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=cert1 disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip firewall address-list
add address=5.134.88.0/29 list=Management

# STOP: replace the address above with your management IP ranges
# copy the line to add more IPs

/ip firewall filter
# accept rules first: management addresses may reach SSH and WinBox
add action=accept chain=input comment="Accept SSH from the Management address list" dst-port=22 protocol=tcp src-address-list=Management
add action=accept chain=input comment="Accept WinBox from the Management address list" dst-port=8291 protocol=tcp src-address-list=Management

# drop rules after: everyone else is refused at connection time
add action=drop chain=input comment="Drop input rule to protect MikroTik devices" dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop input rule to protect MikroTik devices" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop input rule to protect MikroTik devices" dst-port=23 protocol=tcp
add action=drop chain=input comment="Drop input rule to protect MikroTik devices" dst-port=21 protocol=tcp
add action=drop chain=input comment="Drop input rule to protect MikroTik devices" dst-port=8729 protocol=tcp
add action=drop chain=input comment="Drop input rule to protect MikroTik devices" dst-port=8728 protocol=tcp

After running that script on your MikroTik firewall, ensure the rules
that you added are moved straight to the top of the firewall rule set.

It is important to note that full details on the exploits are not
available, but any service that MikroTik is running could be an entry
point, so bear that in mind,

e.g. NTP, DNS, ... Hotspot, CDP/MNDP, and the long list of VPN
services that can be configured on MikroTik...

Hello,
there were 2 typos in that mail:

1) I used "lads" (sorry, force of habit); it was meant in the sense of
gender neutrality, as opposed to excluding ladies.

2) The sample firewall rules had a space missing and the wrong
address list name :confused:

I have corrected them below.

From: Tom Smyth <tom.smyth@wirelessconnect.eu>
Date: Wed, Mar 8, 2017 at 3:02 PM
Subject: CIA Exploits on Mikrotik Hardware /Software
To: INEX Members Technical Mailing List <tech@inex.ie>

Hello,

I got a question from a colleague that highlights an omission / lack of
clarification in my initial mail, and I wanted to share...

As far as I'm aware, and from tests I carried out about 7 or 8 years ago, the
"allowed from" IP addresses in the IP/Services menu use TCP wrappers and
actually allow TCP connections from any address (regardless of what IPs
you specified). The decision to allow or deny a user login is taken after
the connection is made, so there could be a window for the exploit to be
uploaded.
That is why I recommended using the IP firewall instead to enforce the
policy, as the IP firewall will act on connection attempts and prevent an
unauthorised source address from making a connection to the box in the first
place.

I hope this helps
Tom Smyth
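An added example, not part of the mails above: a small Python connect-scan to check, from an address that is NOT in your Management list, how the router answers on the management ports named in the first mail. It ties the two points together: the filter rules in the first mail should make a port read "filtered" (the SYN is dropped, nothing comes back), while, per the last mail's description of the "allowed from" setting, a service restricted only in IP/Services still completes the TCP handshake and so reads "open" even though the login would later be denied. The port list is taken from the mail; 80 and 443 are assumed as the default ports of the www and www-ssl services its script disables. Run it only against routers you are responsible for. The offline demo and the loopback listener are constructed stand-ins for a router port.

```python
"""Connect-scan the management ports the mail lists and classify each one.

open     - TCP handshake completed: the service itself answered the SYN
refused  - RST came back: nothing listening, and no firewall drop in the way
filtered - no answer within the timeout: consistent with a firewall drop rule
"""
import socket
import sys
from typing import Dict, Iterable, List

# Ports named in the mail. 80/443 are the assumed defaults for the www and
# www-ssl services that the mail's /ip service block disables.
MANAGEMENT_PORTS: Dict[int, str] = {
    21: "ftp",
    22: "ssh",
    23: "telnet",
    80: "www",
    443: "www-ssl",
    8291: "winbox",
    8728: "api",
    8729: "api-ssl",
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a full TCP connect and report how the far end behaved."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"  # e.g. no route to host; says nothing about the port
    finally:
        sock.close()


def audit(host: str, ports: Iterable[int] = MANAGEMENT_PORTS,
          timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in `ports` on `host`; return {port: verdict}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def reachable_services(results: Dict[int, str],
                       names: Dict[int, str] = MANAGEMENT_PORTS) -> List[str]:
    """Names of services whose port completed the handshake from this vantage point."""
    return sorted(names.get(p, str(p))
                  for p, verdict in results.items() if verdict == "open")


def local_listener() -> socket.socket:
    """Constructed stand-in for a router service: a listening socket on loopback.

    The kernel completes the handshake from the listen backlog before any
    application code runs, which is the 'connection made before the login
    decision' situation the last mail describes for IP/Services restrictions.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        host = argv[1]  # your router's public IP; run from a non-management address
        results = audit(host)
    else:
        # Offline demo: one constructed listener (reads "open") and one port
        # with nothing behind it (reads "refused") on loopback.
        srv = local_listener()
        host = "127.0.0.1"
        results = audit(host, [srv.getsockname()[1], 8291], timeout=1.0)
        srv.close()
    for port, verdict in sorted(results.items()):
        print(f"{host}:{port:<5} {verdict}")
    # Non-zero exit if anything completed a handshake: something to filter.
    return 1 if reachable_services(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 mgmt_probe.py 203.0.113.1` from a host outside the Management list; every line should read "filtered" once the drop rules sit at the top of the input chain. Without arguments it runs the loopback demo so the classification can be checked offline.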