CVE-2024-54772
Issue Summary
A vulnerability has been identified in the WinBox service, where a discrepancy in response size between connection attempts with valid and invalid usernames allows attackers to confirm whether user accounts exist by brute forcing the login process. In other words, when an attacker tries to log into the device, the attacker can deduce from the response whether such a user exists on the device. Even if a username is found, the password still needs to be guessed as well.
Affected Versions
RouterOS versions prior to 6.49.18 and 7.18.
Recommended Actions
Update RouterOS – Upgrade to 6.49.18, 7.18, or a newer version to patch the vulnerability.
Monitor for unusual login attempts – Review router logs for suspicious authentication activity and take action accordingly.
Mitigation strategies for devices that cannot be updated immediately
Restrict WinBox Access. Firewall the WinBox port on public interfaces and untrusted networks. Limit connections to trusted IP addresses using the “IP → Services” menu to specify allowed sources (e.g., your LAN and trusted public IPs).
Use additional protection methods if access from untrusted networks is necessary
Port Knocking: https://help.mikrotik.com/docs/spaces/ROS/pages/154042369/Port+knocking
Brute-Force Prevention: https://help.mikrotik.com/docs/spaces/ROS/pages/268337176/Bruteforce+prevention
Secure MAC-WinBox Connections: Restrict MAC-WinBox connections to trusted interfaces using:
/tool mac-server mac-winbox set allowed-interface-list=<trusted-interface-list>
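As an added example that is not part of the MikroTik advisory, the following RouterOS commands apply the restrictions listed above from the CLI. The interface lists LAN and WAN, the 192.168.88.0/24 LAN subnet and the trusted management address 203.0.113.10 are assumptions (the lists match the default configuration, the address is a documentation placeholder).

```routeros
# Added example (not from the advisory): confine WinBox to trusted sources.
# Assumed: interface lists "LAN" and "WAN" exist (as in the default
# configuration), LAN is 192.168.88.0/24, and 203.0.113.10 is a trusted
# management host (documentation address, placeholder).

# 1. Limit the WinBox service itself to trusted source addresses
#    (CLI equivalent of IP -> Services -> winbox -> Available From).
/ip service set winbox address=192.168.88.0/24,203.0.113.10

# 2. Drop WinBox connection attempts arriving on untrusted interfaces
#    before they reach the service (placed ahead of the generic input rules).
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    in-interface-list=WAN action=drop \
    comment="CVE-2024-54772: block WinBox from WAN" place-before=0

# 3. Restrict MAC-WinBox to the trusted interface list.
/tool mac-server mac-winbox set allowed-interface-list=LAN

# 4. Verify the service restriction and review authentication activity.
/ip service print where name=winbox
/log print where message~"login failure"
```

The last command lists failed logins recorded in the router log, which is where repeated attempts against many different usernames (the probing this issue enables) would show up.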
If your device is running the default configuration with the firewall enabled, the WinBox service is already limited to LAN access. In this case, the only potential attack vector would be internal network threats.
For more details, please see:
https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurations