We would like to point out that a dangerous botnet is currently scanning random public IP addresses for open Winbox (8291) and WWW (80) ports in order to exploit a vulnerability in the RouterOS WWW server that was patched over a year ago (in RouterOS v6.38.5, March 2017).
Since all RouterOS devices offer free upgrades with just two clicks, we urge you to update your devices using the “Check for updates” button if you have not already done so within the last year.
Your devices are not at risk if port 80 is protected by a firewall or if you have already updated to v6.38.5 or newer. If you use our home access points with the standard configuration, they ship from the factory with a firewall in place, so you should not be at risk either. Please update your devices anyway.
The vulnerability in question was fixed in March 2017:
Current changelog:
What’s new in 6.38.5 (March 9th 2017, 11:32 am):
- !) WWW – fixed vulnerability on HTTP server;
And also Bugfix release chain:
What’s new in 6.37.5 (March 9th 2017, 11:54 am):
- !) WWW – fixed vulnerability on HTTP server;
At the moment the botnet is only spreading and scanning; it does not carry out any other activity. However, we recommend that you change your password and update your firewall to be safe. Recommendations for securing your router: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
FAQ:
What is affected?
- WebFig with standard port 80 and without firewall rules
- Winbox has nothing to do with the vulnerability. The scanners only use Winbox to identify MikroTik-branded devices; they then move on to WebFig over port 80.
Am I protected?
- If you’ve updated your router in the past 12 months, you are protected.
- If the “www” service under “ip service” was disabled, you are protected.
- If you had a firewall configured for port 80, you are protected.
- If you only had HotSpot on your LAN but WebFig was not available, you are protected.
- If you only had User Manager on your LAN but WebFig was not available, you are protected.
- If you had moved Winbox to a different port, you are protected from the scan, but not from infection.
- If the “winbox” service was disabled, you are protected from the scan, but not from infection.
- If you set “ip service” “allowed-from” to a specific network, you are protected as long as that network has not been infected.
- If WebFig was visible on your LAN, you could have been infected by an infected device on your LAN.
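As an added example (not code from MikroTik or from this advisory), the following Python code applies the conditions above to an inventory of routers, including the detail that 6.37.5 is fixed even though it sorts below 6.38.5. The record fields (`version`, `www_enabled`, `port80_firewalled`, `www_allowed_from`), the status names and the sample devices are constructed for illustration, and treating every 6.37.x release from 6.37.5 onward as fixed is an assumption drawn from the changelog.

```python
import re

FIXED_CURRENT = (6, 38, 5)  # fix in the current chain, per the changelog
FIXED_BUGFIX = (6, 37, 5)   # fix in the bugfix chain, per the changelog

def parse_version(text):
    """'6.38.5' -> (6, 38, 5); '6.42rc27' -> (6, 42, 0) (suffix ignored)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_patched(version):
    v = parse_version(version)
    if v >= FIXED_CURRENT:
        return True
    # 6.37.5 sorts below 6.38.5 but carries the same fix (assumption:
    # so does any later 6.37.x release of the bugfix chain).
    return v[:2] == FIXED_BUGFIX[:2] and v >= FIXED_BUGFIX

def triage(dev):
    """Map one inventory record (hypothetical fields) to a status."""
    if is_patched(dev["version"]):
        return "patched"
    if not dev["www_enabled"] or dev["port80_firewalled"]:
        return "mitigated"   # protected per the FAQ, but still upgrade
    if dev["www_allowed_from"]:
        return "restricted"  # safe only while that network is clean
    return "exposed"         # WebFig reachable on an unpatched release

# Constructed sample inventory; names and prefixes are placeholders.
INVENTORY = [
    {"name": "edge-1", "version": "6.38.4", "www_enabled": True,
     "port80_firewalled": False, "www_allowed_from": []},
    {"name": "edge-2", "version": "6.37.5", "www_enabled": True,
     "port80_firewalled": False, "www_allowed_from": []},
    {"name": "branch-1", "version": "6.5", "www_enabled": False,
     "port80_firewalled": False, "www_allowed_from": []},
    {"name": "branch-2", "version": "6.36.4", "www_enabled": True,
     "port80_firewalled": False, "www_allowed_from": ["192.0.2.0/24"]},
]

def report(inventory):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```

Comparing versions as strings or floats would rank 6.5 above 6.38.5 and report it as patched; the tuple comparison avoids that.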
How can I identify and remedy the risk?
- Updating to v6.38.5 or later removes the malicious files, stops the infection and prevents similar incidents in the future.
- If you continue to see attempts to access Telnet from your network after upgrading your device, run Tool / Torch to find the source of the traffic. It will not be the router itself, but another device on the local network that is also affected and needs an update.
More information can be found here: https://forum.mikrotik.com/viewtopic.php?f=21&t=132499
Please do not hesitate to contact us for any questions or assistance in implementing the important updates.