MikroTik RouterOS v6.37.5 y v6.38.5 publicados
Desde hace un par de horas han sido publicados los release v6.37.5 y v6.38.5 del RouterOS con un cierre de la vulnerabilidad que sufre el servicio HTTPD, de acuerdo con lo divulgado por Wikileaks:
MikroTik ha tomado los recaudos necesarios de acuerdo a la información disponible y ha publicado los releases de las ramas actuales con el siguiente fix:
- www – fixed http server vulnerability;
Es recomendable actualizar los dispositivos en caso que se requiera del acceso publico del puerto 80 (www service). También es importante utilizar un firewall para denegar los accesos a los servicios que no deben ser públicos.
Las listas de cambios son:
What's new in 6.37.5 (2017-Mar-09 11:54): !) www - fixed http server vulnerability; *) chr - fixed problem when transmit speed was reduced by interface queues; *) dhcp - do not listen on IPv4/IPv6 client to IPv6 MLD packets; *) dude - (changes discussed here: https://wiki.mikrotik.com/wiki/Manual:T ... _changelog); *) export - do not show "read-only" IRQ entries; *) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading; *) firewall - do not allow to set "time" parameter to 0s for "limit" option; *) firewall - fixed import of exported configuration that had updated "limit" setting; *) graphing - fixed graphing crash when high amount of traffic is processed; *) hotspot - fixed rare kernel crash on multicore systems; *) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files); *) hotspot - show Host table commentaries also in Active tab and vice versa; *) interface - do not treat multiple zeros as single zero on name comparison; *) irq - properly detect all IRQ entries; *) l2tp-client - fixed IPSec policy generation after reboot; *) lcd - show fan2 speed only if it is available; *) leds - fixed defaults for RBSXT5HacD2nr2; *) mmips - improved general stability; *) rb3011 - fixed noise from buzzer after silent boot; *) switch - fixed crash when trying to configure second master port on the same chipset (RB3011, RB2011, CCR1009-8G-1S+); *) userman - allow access to User Manager users page only through "/user" URL; *) userman - show warning when no users are selected for CSV file generation; *) winbox - added "add-relay-info" and "relay-info-remote-id" to DHCP relay; *) winbox - added H flag to "/ip arp" ; *) winbox - added missing "use-fan2" and "active-fan2" to "/system health"; *) winbox - allow shorten bytes to k,M,G in bridge firewall just like in "/ip firewall" *) winbox - do not hide "power-cycle-after" option; *) winbox - do not hide 00:00:00:00:00:00 MAC address in unpublished ARPs; *) winbox - fixed matching "connection-state=untracked" connections; *) winbox - fixed typo in "/system resources pci" list; *) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled; *) winbox - make "power-cycle-after" show correct value; *) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings; *) winbox - properly show BGP communities in routing filters table filter; *) wireless - fixed scan tool stuck in background; *) wireless - improved compatibility with Intel 2200BG wireless card; *) wireless - update Thailand country frequency settings;
What's new in 6.38.5 (2017-Mar-09 11:32): !) www - fixed http server vulnerability; What's new in 6.38.4 (2017-Mar-08 09:26): *) chr - fixed problem when transmit speed was reduced by interface queues; *) dhcpv6-server - require "address-pool" to be specified; *) export - do not show "read-only" IRQ entries; *) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading; *) firewall - do not allow to set "time" parameter to 0s for "limit" option; *) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files); *) hotspot - show Host table commentaries also in Active tab and vice versa; *) ike1 - fixed "xauth" Radius login; *) ike2 - also kill IKEv2 connections on proposal change; *) ike2 - always limit empty remote selector; *) ike2 - fixed proposal change crash; *) ike2 - fixed responder subsequent new child creation when PFS is used; *) ike2 - fixed responder TS updating on wild match; *) ipsec - deducted policy SA src/dst address from src/dst address; *) ipsec - do not require "sa-dst-address" if "action=none" or "action=discard"; *) ipsec - fixed SA address check in policy lookup; *) ipsec - hide SA address for transport policies; *) ipsec - keep policy in kernel even with bad proposal; *) ipsec - kill ph2 on policy removal; *) ipsec - updated/fixed Radius attributes; *) irq - properly detect all IRQ entries; *) l2tp-client - fixed IPSec policy generation after reboot; *) l2tp-client - require working IPSec encryption if "use-ipsec=yes"; *) lcd - show fan2 speed only if it is available; *) profile - classify ethernet driver activity properly in ARM architecture; *) snmp - added SSID to CAPsMAN registration table; *) snmp - fixed "/tool snmp-get" crash on session timeout; *) snmp - fixed CAPsMAN registration table OID print; *) snmp - fixed situation when SNMP could not read "/system health" values after reboot; *) userman - allow access to User Manager users page only through "/user" URL; *) userman - show warning when no users are selected for CSV file generation; *) winbox - do not hide "power-cycle-after" option; *) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled; *) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings; *) winbox - properly show BGP communities in routing filters table filter; *) wireless - fixed scan tool stuck in background; *) wireless - improved compatibility with Intel 2200BG wireless card;
Puede ser descargado desde el sitio de MikroTik en la sección descargas o desde el Winbox en System > Packges.
