Protect Winbox From Exploit (VULNERABILITY) - Mikrotik Script RouterOS
This post summarises the Winbox server vulnerability in RouterOS, discovered and fixed in RouterOS on April 23, 2018.
Note that although Winbox was used as the point of attack, the vulnerability was in RouterOS itself. This issue was later assigned the universal identifier CVE-2018-14847.
How it works: The vulnerability allowed a special tool to connect to the Winbox port and request the system user database file.
Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on 2018-Apr-23
Am I affected? Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected: upgrade, change the password, and add a firewall according to our guidelines. Make sure that you change the password after the upgrade, since a database copied before the upgrade still contains the old credentials.
The log may show unsuccessful login attempts, followed by a successful login attempt from unknown IP addresses.
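The log pattern described above, as an added detection example that is not part of the original post: it scans RouterOS-style log lines for a successful login that follows a failed attempt from the same source address, and flags it when that address lies outside a trusted network. The log line format and the trusted-network list are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of RouterOS system logs (format assumed,
# not taken from the original post). Failures followed by a success from an
# address outside the trusted range is the pattern the post describes.
SAMPLE_LOG = """\
jan/02 10:14:03 system,error,critical login failure for user admin from 198.51.100.23 via winbox
jan/02 10:14:05 system,error,critical login failure for user admin from 198.51.100.23 via winbox
jan/02 10:14:06 system,info,account user admin logged in from 198.51.100.23 via winbox
jan/02 10:20:09 system,error,critical login failure for user admin from 192.168.88.10 via winbox
jan/02 10:20:11 system,info,account user admin logged in from 192.168.88.10 via winbox
jan/02 10:25:40 system,error,critical login failure for user admin from 203.0.113.9 via winbox
"""

FAIL_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
OK_RE = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")


def find_suspicious_logins(log_text, trusted_nets):
    """Return one dict per successful login that was preceded by at least one
    failed attempt for the same (user, ip, service) and whose source address is
    not inside any network in trusted_nets (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    failures = defaultdict(int)  # (user, ip, service) -> failures seen so far
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.groups()] += 1
            continue
        m = OK_RE.search(line)
        if not m:
            continue
        user, ip, service = m.groups()
        addr = ipaddress.ip_address(ip)
        untrusted = not any(addr in net for net in nets)
        prior = failures.get((user, ip, service), 0)
        if untrusted and prior > 0:
            hits.append({"user": user, "ip": ip, "service": service,
                         "failures_before": prior})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG, ["192.168.88.0/24"]):
        print(hit)
```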
How to Protect?
/ip firewall filter
add action=reject chain=input comment="PROTECT ROUTER: reject requests for user.dat" in-interface=ether1 content=user.dat reject-with=icmp-network-unreachable
add action=drop chain=input comment="PROTECT ROUTER: drop fallback for user.dat" in-interface=ether1 content="user.dat"