MikroTik CVE-2019-3924 Firewall & NAT Bypass: Exploitation from WAN to LAN

Can't believe the time it takes to do simple stuff on these devices. For something like a simple dual-WAN load balance/failover you would have to write scripts to get it to fail over the way UBNT/pfSense does. Yes, they are cheap, and I also think that's why people love them, but you pay for them with your time or with config errors, as complication leads to mistakes. All I can say is that in my experience I replaced some MikroTik routers that were causing huge problems in networks that were installed by other IT companies. I do not know if they were misconfigured or just bugs; all I know is that the companies where I replaced their MikroTik with Untangle or EdgeRouters are all much, much happier and never had a single complaint again.

MikroTik became very popular because they offer the same powerful OS in a large variety of appliances.

RouterOS is very flexible and you can use it for anything from a home to an ISP. That's why it sometimes seems a little complicated. If you have network knowledge and you spend a few hours, then everything makes sense.

I can't believe how easily people form opinions about a product that they just took a quick 10 min look at.

Even Tom in his videos keeps saying things that are not true. MikroTik devices are not shipped with insecure settings.
Every MikroTik device is shipped with a default configuration.

Try to guess who got hacked on the previous CVE?
People who removed the default configuration and were too lazy to apply proper firewall rules for protecting their network, or who did not have the proper knowledge to do that.

If you do not know how to secure your network, just use the default configuration.

As a MikroTik Certified Trainer, I always tell my students to be concerned about security and to build a security policy for their firewall installation.

MikroTik is not a 1-click setup product. If you do not have high requirements for your firewall and you want to finish your setup in 10 min without knowing what is going on under the hood, MikroTik is not for you.


As I noted in the video, their current shipped configuration is secure and people opening up the ports is where the problem starts. But it is also true they used to ship the system with a default config that had that port open on the WAN side. The part I completely agree with you on is that these are not the system for an amateur that wants an easy setup.