MikroTik RouterOS v6.37.5 and v6.38.5 released

RouterOS releases v6.37.5 and v6.38.5 were published a couple of hours ago. They close the vulnerability affecting the HTTPD service, as disclosed by Wikileaks.

MikroTik has taken the necessary measures based on the information available and has published releases for the current branches with the following fix:

  • www – fixed http server vulnerability;

Updating is recommended for devices that require public access to port 80 (www service). It is also important to use a firewall to deny access to services that should not be public.
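The recommendation above as RouterOS v6 terminal commands. This is an added example, not part of the original post or MikroTik's announcement; the interface name `ether1` (WAN side) and the management subnet `192.168.88.0/24` are assumptions to be replaced with your own values.

```routeros
# Added example. Assumed names: ether1 = WAN-facing interface,
# 192.168.88.0/24 = management LAN. Adjust both to your network.

# 1. Check the installed version and which services are enabled,
#    and from which source addresses each one accepts connections.
/system resource print
/ip service print

# 2. Upgrade to a release that carries the www fix.
#    "install" downloads the packages and reboots the router.
/system package update check-for-updates
/system package update install

# 3a. If the web interface is not needed, turn the service off.
/ip service disable www

# 3b. If it is needed, accept connections only from the management LAN.
/ip service set www address=192.168.88.0/24

# 4. Drop HTTP connections to the router itself that arrive on the WAN
#    interface. Rules are evaluated top to bottom, so this rule must sit
#    above any broader accept rule in the input chain.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=80 action=drop comment="block www service from WAN"

# 5. Verify the result.
/ip service print
/ip firewall filter print where chain=input
```

Steps 3a and 3b are alternatives; the firewall rule in step 4 still applies when the service is restricted by address, so the router does not answer on port 80 from the WAN at all.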

The changelogs are:

What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;
*) chr - fixed problem when transmit speed was reduced by interface queues;
*) dhcp - do not listen on IPv4/IPv6 client to IPv6 MLD packets;
*) dude - (changes discussed here: https://wiki.mikrotik.com/wiki/Manual:T ... _changelog);
*) export - do not show "read-only" IRQ entries;
*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
*) firewall - do not allow to set "time" parameter to 0s for "limit" option;
*) firewall - fixed import of exported configuration that had updated "limit" setting;
*) graphing - fixed graphing crash when high amount of traffic is processed;
*) hotspot - fixed rare kernel crash on multicore systems;
*) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files);
*) hotspot - show Host table commentaries also in Active tab and vice versa;
*) interface - do not treat multiple zeros as single zero on name comparison;
*) irq - properly detect all IRQ entries;
*) l2tp-client - fixed IPSec policy generation after reboot;
*) lcd - show fan2 speed only if it is available;
*) leds - fixed defaults for RBSXT5HacD2nr2;
*) mmips - improved general stability;
*) rb3011 - fixed noise from buzzer after silent boot;
*) switch - fixed crash when trying to configure second master port on the same chipset (RB3011, RB2011, CCR1009-8G-1S+);
*) userman - allow access to User Manager users page only through "/user" URL;
*) userman - show warning when no users are selected for CSV file generation;
*) winbox - added "add-relay-info" and "relay-info-remote-id" to DHCP relay;
*) winbox - added H flag to "/ip arp" ;
*) winbox - added missing "use-fan2" and "active-fan2" to "/system health";
*) winbox - allow shorten bytes to k,M,G in bridge firewall just like in "/ip firewall"
*) winbox - do not hide "power-cycle-after" option;
*) winbox - do not hide 00:00:00:00:00:00 MAC address in unpublished ARPs;
*) winbox - fixed matching "connection-state=untracked" connections;
*) winbox - fixed typo in "/system resources pci" list;
*) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled;
*) winbox - make "power-cycle-after" show correct value;
*) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings;
*) winbox - properly show BGP communities in routing filters table filter;
*) wireless - fixed scan tool stuck in background;
*) wireless - improved compatibility with Intel 2200BG wireless card;
*) wireless - update Thailand country frequency settings;

What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

What's new in 6.38.4 (2017-Mar-08 09:26):
*) chr - fixed problem when transmit speed was reduced by interface queues;
*) dhcpv6-server - require "address-pool" to be specified;
*) export - do not show "read-only" IRQ entries;
*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
*) firewall - do not allow to set "time" parameter to 0s for "limit" option;
*) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files);
*) hotspot - show Host table commentaries also in Active tab and vice versa;
*) ike1 - fixed "xauth" Radius login;
*) ike2 - also kill IKEv2 connections on proposal change;
*) ike2 - always limit empty remote selector;
*) ike2 - fixed proposal change crash;
*) ike2 - fixed responder subsequent new child creation when PFS is used;
*) ike2 - fixed responder TS updating on wild match;
*) ipsec - deducted policy SA src/dst address from src/dst address;
*) ipsec - do not require "sa-dst-address" if "action=none" or "action=discard";
*) ipsec - fixed SA address check in policy lookup;
*) ipsec - hide SA address for transport policies;
*) ipsec - keep policy in kernel even with bad proposal;
*) ipsec - kill ph2 on policy removal;
*) ipsec - updated/fixed Radius attributes;
*) irq - properly detect all IRQ entries;
*) l2tp-client - fixed IPSec policy generation after reboot;
*) l2tp-client - require working IPSec encryption if "use-ipsec=yes";
*) lcd - show fan2 speed only if it is available;
*) profile - classify ethernet driver activity properly in ARM architecture;
*) snmp - added SSID to CAPsMAN registration table;
*) snmp - fixed "/tool snmp-get" crash on session timeout;
*) snmp - fixed CAPsMAN registration table OID print;
*) snmp - fixed situation when SNMP could not read "/system health" values after reboot;
*) userman - allow access to User Manager users page only through "/user" URL;
*) userman - show warning when no users are selected for CSV file generation;
*) winbox - do not hide "power-cycle-after" option;
*) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled;
*) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings;
*) winbox - properly show BGP communities in routing filters table filter;
*) wireless - fixed scan tool stuck in background;
*) wireless - improved compatibility with Intel 2200BG wireless card;

It can be downloaded from the MikroTik website in the downloads section, or from Winbox under System > Packages.