Security vulnerability with MikroTik routers?

I came across this article - Lack of Patching Leaves 300,000 Routers at Risk for Attack. I don't have one and don't know much about MikroTik routers except that the name is familiar to me from reading forum threads here. Just an FYI for anyone who is interested in the brand's routers for OpenWrt.

This affects 'Tik's RouterOS, not OpenWrt. Still a good heads-up for anyone running RouterOS, but not a concern for OpenWrt.


That seems strange: Mikrotik is updating their OS all the time, so I would imagine that those kinds of vulnerabilities would be patched.

Their latest 7.1 version is based on a 5.6.3 Linux kernel. See here

Good thing that some Mikrotik devices can be flashed with OpenWrt. I’m using a Hex-S with the latest OpenWrt snapshot and it runs great.

Routers that have been sitting in an Amazon warehouse somewhere may not be updated.

Well, any new device people get, they should at least check if they are running the latest (stable) version. If they don’t, it doesn’t matter if the vendor issues updates.

Same goes for OpenWrt: lots of people are still using 19.x or even 18.x, and not because their specific device is no longer supported.

And I get it: if people use a stable version and install the packages later, vs. compiling from source with all their packages selected, it could be a hassle to upgrade.

In a perfect world...

Reality is a different story.

Changing “fluff-fluff” and “piff-piff” doesn’t count as security updates!

My whole life experience of these kinds of original firmware updates on home routers has nothing to do with security and actual function. They just update the GUI color all the time but the actual kernel is still 10 years old at best.

And the bigger they get the worse security and functionality gets.

Like I mentioned: their kernel version is 5.6.3. Not the newest but OpenWrt is also still on 5.4 for some targets (with 5.10 as test-kernel). Upgrading to 5.15 will break some stuff in the build system which needs to be addressed.

And I agree: most vendors don't even bother to update their firmware and a lot of devices are still running on some 3.x kernel. It's just that the article singles out Mikrotik, which is in my opinion actually one of the companies that listens to their users and tries to update their firmware (not just to add some bling bling).

I'm not a fan of RouterOS myself and I am actually running OpenWrt on a Mikrotik device. I did notice that their hardware on the same SoC without overclocking is running some stuff better compared to the "same build", same target/SoC from a "Chinese brand". It's probably slightly better board design combined with better (higher speed) RAM.


https://blog.mikrotik.com/security/meris-botnet.html

Unfortunately, closing the old vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.

I think this is pretty much what the OpenWrt user guide for system hardening says about security…

And how often do we have forum posts here of users trying to have remote access by port 22?