MikroTik Value Added Distributor, MikroTik Training Centre, MikroTik Toronto, MikroTik Canada

Wireless Netware Technology LTD.
Wireless Netware offers advice about MikroTik router security breach
Monday, 02 April 2018 / Published in Blog, RouterOS

Slingshot: Fixing the MikroTik vulnerability

 

If you’ve ever used a MikroTik router at home or work, you’ve probably heard about the recent discovery of a hacking campaign called ‘Slingshot,’ which planted spyware on computers in 11 different countries in Africa and the Middle East.

According to Wired, the campaign appears “…to have exploited routers’ position as a little-scrutinized foothold that can spread infections to sensitive computers within a network, allowing deeper access to spies.” Slingshot seems to exploit MikroTik’s ‘Winbox’ software.

What does this mean for your network?

While Slingshot appears to be a highly targeted campaign designed to reach only 100 targets, mostly in Kenya and Yemen, we wanted to make sure that our clients and customers here in North America knew how to protect themselves.

So we asked MikroTik. Here’s what they said:

This tool isn’t spreading itself.

Windows no longer downloads any DLL files from the device if you run RouterOS 6.37 or newer and are using Winbox v3. These releases have been out for more than a year, so make sure to upgrade your RouterOS and Winbox loader.

It’s unclear how the DLL file got into a MikroTik router in the first place. This is likely related to a previously-discovered vulnerability in the www service, which was patched in March 2017.

Please note: The only devices affected were those which didn’t have the firewall configured.

Fixing Slingshot: A quick disclaimer

As MikroTik experts, we’ve been helping to ensure our clients are protected against Slingshot since news of it first hit the web, so we know what’s been working for us. However, we want to make it clear that our fixes, below, weren’t provided by MikroTik and haven’t been officially endorsed by them.

Ensuring your network is fixed, Step 1: Firewall

Because we are talking to MikroTik, let’s assume that MikroTik RouterOS is their focus and that the MikroTik IP Firewall Filter rules need to be set up correctly.

There are two rules for securing a network that uses a MikroTik router as its edge router:

Secure the router itself.
When you sit in an airplane, they tell you to put the oxygen mask on yourself first, before you do anything else. Securing the router is the most important part of setting up a firewall.

—————————

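/ip firewall filter

# accept new connections that arrive from the LAN bridge
add action=accept chain=input comment="allow new connections" connection-state=new in-interface=bridge-local

# accept traffic that belongs to connections already being tracked
add action=accept chain=input comment="allow established/related connections" connection-state=established,related

# drop everything else addressed to the router itself
add action=drop chain=input log-prefix=i-drop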

—————————

Secure the network “customers.”
To secure the customer, we need to know what types of services we’re hosting in the local network, how that network is designed, and the identity of the trusted customer.

There can be other variables involved, but the rules below would be enough to secure a small basic network.

—————————

/ip firewall filter

# forward chain: traffic passing through the router to and from customers
add action=accept chain=forward comment="allow new connections" connection-state=new in-interface=bridge-local

add action=accept chain=forward comment="allow related/established connections" connection-state=established,related

add action=drop chain=forward comment="drop invalid connections" connection-nat-state=!dstnat connection-state=invalid

# anything left is dropped unless it is a destination-NAT (port-forwarded) connection
add action=drop chain=forward comment="drop anything else" connection-nat-state=!dstnat

—————————
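
To check what the Step 1 input-chain rules do to a connection arriving on a given interface, here is an added example (not from MikroTik or the original post) that evaluates exported filter rules in order, first match wins. It models only the matchers used on this page, treats a packet that no rule matches as accepted (the RouterOS default), and the interface name `ether1-wan` used with it is a constructed placeholder.

```python
import shlex

# Constructed sample: this page's input-chain rules, written as RouterOS export text.
PAGE_RULES = """/ip firewall filter
add action=accept chain=input comment="allow new connections" connection-state=new in-interface=bridge-local
add action=accept chain=input comment="allow established/related connections" connection-state=established,related
add action=drop chain=input log-prefix=i-drop
"""

MATCHERS = {"chain", "connection-state", "in-interface", "connection-nat-state"}
NON_MATCHERS = {"action", "comment", "log", "log-prefix", "disabled"}

def parse_rules(export_text):
    """Turn each 'add key=value ...' line into a dict, preserving rule order."""
    rules = []
    for line in export_text.splitlines():
        if not line.strip().startswith("add "):
            continue
        rule = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
        unknown = set(rule) - MATCHERS - NON_MATCHERS
        if unknown:  # refuse to guess about matchers this sketch does not model
            raise ValueError(f"unsupported properties: {sorted(unknown)}")
        rules.append(rule)
    return rules

def field_matches(spec, value):
    """Matcher value: comma-separated alternatives, a leading '!' negates."""
    negate = spec.startswith("!")
    hit = value in spec.lstrip("!").split(",")
    return hit != negate

def verdict(rules, packet):
    """Return the action of the first matching terminal rule for this packet."""
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue
        if all(field_matches(rule[k], packet.get(k, "")) for k in MATCHERS if k in rule):
            if rule.get("action", "accept") in ("accept", "drop", "reject"):
                return rule.get("action", "accept")
    return "accept"  # no rule matched: RouterOS lets the packet through

def exposed_to(rules, interface):
    """True if a new connection to the router from `interface` is accepted."""
    pkt = {"chain": "input", "connection-state": "new", "in-interface": interface}
    return verdict(rules, pkt) == "accept"
```

With the page's rules, `exposed_to(rules, "ether1-wan")` is false, while the same call against an empty rule list is true, which is the "firewall not configured" case MikroTik describes.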

Ensuring your network is fixed, Step 2: Use WINBOX 3.x+

MikroTik’s WINBOX software was often installed on PCs, or on Mac devices using ‘Wine Bottler’. However, WINBOX has a couple of vulnerability issues – experienced MikroTik network practitioners have long known about these.

When you use unsecured MikroTik WINBOX software, and there is a weak firewall setup on the PC where WINBOX is used, a bad actor can use the WINBOX export file to access all network data. Generally speaking, this only happens when the network manager forgets to use WINBOX secure and set up a password for the saved routers. It may also occur if there is a weak password on the PC where WINBOX is installed.

The old WINBOX software – which appears to be what the hackers used in the case of Slingshot – couldn’t be password-secured. However, as of WINBOX version 3.0, you can set up a password. And it should be the second thing you do, right after setting up the firewall.

Wondering if your network is secure?

As we said, this particular campaign is unlikely to affect MikroTik RouterOS users here in North America. But that doesn’t mean you shouldn’t make sure your network is secure. If you have any questions or think it makes sense to have an expert look at your network, don’t hesitate to get in touch. We’ll be happy to help.

 

 
