Mikrotik Security: The Forgotten Things: Michael Takeuchi
MikroTik Security: The Forgotten Things
Contoso Ltd.
What is Security? (in Computer Network)
Continuing
○ After talking about what security is, I will now explain some forgotten things about your own router's security that the common junior network engineer skips
○ We will focus on the router, because so many vulnerabilities appear simply because we forgot something in our router's security
Router Login – Users
Router Login – Groups
Router Login – Policies
Enough?
RouterOS Vulnerabilities in 2012 – 2015
CVE #: Description
CVE-2015-2350: Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS 5.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request in the status page to /cfg.
CVE-2012-6050: The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll.
CVE-2017-8338: A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.
CVE-2017-7285: A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections.
CVE-2017-6297: The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain access to networks on the L2TP server by monitoring the packets for the transmitted data and obtaining the L2TP secret.
CVE-2018-1156: MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface. This vulnerability could theoretically allow a remote authenticated attacker to execute arbitrary code on the system.
CVE-2018-1157: MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.
CVE-2018-1158: MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.
CVE-2018-1159: MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory corruption vulnerability. An authenticated remote attacker can crash the HTTP server by rapidly authenticating and disconnecting.
CVE-2018-7445: A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.
CVE-2018-14847: MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Forgotten #2
Good Things to Know
Forgotten #4
Upgrade to Patched Version
Upgrade to Patched Version – Tips (RouterOS After 6.31)
Upgrade to Patched Version – Tips (RouterOS Until 6.31)
Upgrade to Patched Version – Tips (Deploying)
Protect All Services
Protect All Services (Router Access & Discovery)
○ Neighbor Discovery
○ Services
○ MAC-Server (Extra Security for Layer 2 Networks)
Protect All Services (Router Feature)
○ DNS
○ UPNP
○ SOCKS
○ Bandwidth Test Server
○ Proxy
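The following RouterOS v6 commands are an added example, not taken from the slides, showing one way to lock down every service named on these two slides plus the whitelisting step that follows. The management subnet 192.168.88.0/24, the address list name "mgmt" and the interface list "LAN" are assumptions; adjust them to your network.

```routeros
# Added example (not from the slides): hardening the services listed above on a RouterOS v6 router.
# Assumptions: management only from 192.168.88.0/24 (placeholder) and an interface list named "LAN".

# Router access: disable services that are not needed, bind the rest to the management subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=22 address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Neighbor discovery: stop advertising the router (RouterOS 6.41 and later use interface lists)
/ip neighbor discovery-settings set discover-interface-list=none

# MAC-server: MAC-telnet and MAC-winbox reach the router without any IP address,
# so allow them on the LAN interface list only, or on none at all
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

# Router features that are often left enabled although nobody uses them
/ip dns set allow-remote-requests=no
/ip upnp set enabled=no
/ip socks set enabled=no
/tool bandwidth-server set enabled=no
/ip proxy set enabled=no

# Whitelisting: only the management hosts may reach SSH and WinBox on the input chain
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="management hosts"
/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt action=accept comment="management from whitelist"
/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 action=drop comment="management from anywhere else"
```

Firewall filter rules are evaluated top to bottom, so the two management rules must sit above any broader accept rule in the input chain. Apply this from a second session and confirm you can still log in before closing the first one, because a wrong address or interface list here locks you out of your own router.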
Protect All Services (Whitelisting)
Protect All Services (Securing)
Layered Security (Port Knocking)
○ Log everything the router does, with notes. Most attackers clear the log after they do something to our router, so I recommend using a syslog server to keep your logs off the box
/system logging action set [find name=remote] remote=[syslog_server]
/system logging add topics=info action=remote
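The slide title names port knocking but shows only the logging setup, so here is an added example (not from the slides) of a two-stage knock sequence in front of SSH and WinBox, with the rejected attempts sent to the same remote syslog action configured above. The knock ports 1234 and 4321, the address-list names and the timeouts are assumptions.

```routeros
# Added example (not from the slides): two-stage port knocking on a RouterOS v6 router.
# Assumptions: knock ports 1234 then 4321 (placeholders); management on TCP 22 and 8291;
# the "remote" logging action already points at the syslog server.

/ip firewall filter
# Stage 1: a TCP SYN to the first knock port records the source for 15 seconds
add chain=input protocol=tcp dst-port=1234 action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s comment="knock stage 1"
# Stage 2: only a source that completed stage 1 can reach the second knock port, which grants 10 minutes of access
add chain=input protocol=tcp dst-port=4321 src-address-list=knock-stage1 action=add-src-to-address-list address-list=knock-allowed address-list-timeout=10m comment="knock stage 2"
# Management ports open only for sources that finished the sequence
add chain=input protocol=tcp dst-port=22,8291 src-address-list=knock-allowed action=accept comment="management after correct knock"
# Everything else to the management ports is dropped and logged, so failed attempts show up in syslog
add chain=input protocol=tcp dst-port=22,8291 action=drop log=yes log-prefix="mgmt-drop" comment="management without knock"

# Ship the firewall log topic to the syslog server as well, so the dropped attempts survive a local log wipe
/system logging add topics=firewall action=remote
```

Knocking hides the management ports from scans but is not authentication: keep strong passwords and the address-based whitelist in place, and treat the "mgmt-drop" entries on the syslog server as an early signal that someone is probing the router.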
Layered Security (Physical – LCD)
Layered Security (Physical – Bootloader)
○ Protected bootloader: https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader
○ EXTREMELY DANGEROUS: it disables the reset button and Netinstall. If you forget the RouterOS password, the only option is to perform a complete reformat of both NAND and RAM with the following method, but you have to know the reset button hold time in seconds.
Layered Security (Physical – Power)
Layered Security (Physical – Interfaces)
Layered Security (Backup)
Forgotten #5
Layered Security (Backup Types)
Conclusion
Secure ≠ Easy
Forgotten #6
Finding it hard to secure your infrastructure?
Let me help you!
michael@takeuchi.id
https://www.facebook.com/mict404
https://www.linkedin.com/in/michael-takeuchi/
Question & Answer
The slides are available in my GitHub repository
https://github.com/mict404/slide/