MikroTik
MikroTik had barely patched the vulnerability from the article about the CIA hackers when it was discovered that equipment running RouterOS can be hit remotely with a Denial of Service attack (all versions of the OS are affected).
The vulnerability lets an attacker load the RouterOS CPU to 100% by sending a flood of TCP RST packets to port 8291, which Winbox uses by default. By default, access to this port is closed by the MikroTik firewall, but if you have opened it in order to manage your MikroTiks over the Internet, you should at least change the default port as soon as possible, and better still add a rule permitting access to the Winbox port only from specific IP addresses (although that is not guaranteed to save you):
/ip firewall filter add chain=input action=accept protocol=tcp src-address=ADMIN_IP dst-port=8291 comment=Allow_Winbox
According to the discussion on the official site, both hardware devices (tested on RB751, hEX lite, RB951, RB2011, CCR1036 and even RB3011) and virtual CHR instances (tested on 8x Xeon) are susceptible.
An example of a working exploit is publicly available.
MikroTik's official representative advises disabling all services in the IP > Services menu (be careful with this), changing the standard ports, using the firewall, restricting access to these services to the internal network only or via a VPN on a third-party device, or buying a more powerful router. And in general, in his words, it is a “normal situation” that the CPU does not have enough performance to handle such a volume of packets...
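To make the advice above concrete, here is an added example (not from the original post and not MikroTik's own configuration) of the hardening steps in RouterOS CLI syntax: Winbox is restricted to an address list of admin hosts with an explicit drop for everyone else, and the service is moved off port 8291. The address 203.0.113.10, the list name winbox-admins and the port 58291 are placeholder assumptions; substitute your own values.

```routeros
# Added example, not from the original post. Placeholder values: 203.0.113.10,
# the list name winbox-admins and port 58291 are assumptions to be replaced.

# 1. Collect the hosts that are allowed to reach Winbox in an address list,
#    so adding a second admin workstation later is a one-line change.
/ip firewall address-list add list=winbox-admins address=203.0.113.10 comment="admin workstation"

# 2. Move Winbox off the default port 8291 (the port the RST flood targets).
#    Reconnect Winbox on the new port after this change.
/ip service set winbox port=58291

# 3. Accept Winbox only from the address list. place-before=0 puts the rule at
#    the top of the input chain so no earlier rule can shadow it.
/ip firewall filter add chain=input protocol=tcp dst-port=58291 \
    src-address-list=winbox-admins action=accept \
    comment="Allow_Winbox (admins only)" place-before=0

# 4. Drop Winbox from everyone else. Without this explicit drop the accept rule
#    above changes nothing if the rest of the chain still lets the port through.
/ip firewall filter add chain=input protocol=tcp dst-port=58291 action=drop \
    comment="Drop_Winbox (everyone else)" place-before=1

# 5. Verify the order: the accept must be listed before the drop.
/ip firewall filter print where dst-port=58291
```

Rule order is what matters here: the accept rule must sit above the drop rule, and both must sit above any general "accept established/related" or catch-all rule that would otherwise pass the traffic. Note the caveat the post itself makes: packets arriving on the Winbox port are still inspected by the firewall before they are dropped, so this reduces exposure but does not guarantee the CPU will survive a flood; the only reliable fix, per the MikroTik representative's advice, is not exposing the port to the Internet at all and managing the device from the internal network or over a VPN.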