On February 21, Tenable published a new CVE describing a vulnerability that allows TCP/UDP requests to be proxied through the router’s Winbox port if it is open to the internet. Tenable had previously contacted MikroTik about this issue, so a fix had already been released on February 11, 2019 on all RouterOS release channels.
The issue does not affect RouterBOARD devices with default configuration if the "Firewall router" checkbox was left enabled. The issue DOES NOT pose any risk to the router itself, and the file system is not vulnerable; the issue only allows redirection of connections if the port is open. The device itself is safe.
The issue is fixed in:
- 6.43.12 (2019-02-11 14:39)
- 6.44beta75 (2019-02-11 15:26)
- 6.42.12 (2019-02-12 11:46)
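To triage a device inventory against the three fixed builds listed above, here is an added Python example (not MikroTik's or Tenable's code). The hostnames and sample inventory are constructed. It assumes that branches newer than 6.44 carry the fix and reports branches older than 6.42 as unfixed, because the page lists no fixed build for them.

```python
import re

# Fixed builds from the advisory, keyed by (major, minor) branch.
# Stage rank orders pre-releases before final builds: beta < rc < release.
STAGE = {"beta": 0, "rc": 1, "": 2}
FIXED = {
    (6, 42): (STAGE[""], 12),      # 6.42.12
    (6, 43): (STAGE[""], 12),      # 6.43.12
    (6, 44): (STAGE["beta"], 75),  # 6.44beta75
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:(beta|rc)(\d+)|\.(\d+))?$")


def parse(version):
    """Split e.g. '6.43.12', '6.44beta75' or '6.44' into (branch, build)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    major, minor, pre, pre_n, patch = m.groups()
    build = (STAGE[pre], int(pre_n)) if pre else (STAGE[""], int(patch or 0))
    return (int(major), int(minor)), build


def has_fix(version):
    """True if the version is at or past the fixed build for its branch."""
    branch, build = parse(version)
    if branch in FIXED:
        return build >= FIXED[branch]
    # Assumption: branches newer than 6.44 carry the fix; branches older
    # than 6.42 have no fixed build listed, so they are reported as unfixed.
    return branch > max(FIXED)


def needs_upgrade(inventory):
    """Return sorted hostnames that lack the fix or have an unparsable version."""
    flagged = []
    for host, version in inventory.items():
        try:
            if not has_fix(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unknown version: review by hand
    return sorted(flagged)


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {"edge-1": "6.43.11", "edge-2": "6.43.12", "lab-1": "6.44beta61",
          "lab-2": "6.44beta75", "core-1": "6.42.12", "old-1": "6.40.9",
          "new-1": "6.44", "odd-1": "unknown"}

if __name__ == "__main__":
    print(needs_upgrade(SAMPLE))
```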
As always, MikroTik urges all users to keep their devices up to date to be protected against all known vulnerabilities and to make sure their routers’ administrative ports are firewalled from untrusted networks. The "IP Services" menu, where you can protect the "Winbox" service, also affects the "Dude Agent" service, so if you have restricted access with this menu, you are also protected from this issue.
Here you can find the original MikroTik blog post:
For queries or assistance with the implementation of these important updates, please do not hesitate to contact us.
We will gladly call you back if you need help or have questions about the MikroTik firmware update.