Tenable Research Advisory: Multiple Vulnerabilities Discovered in MikroTik's RouterOS

Tenable Research

Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers, the most critical of which would allow attackers to potentially gain full system access.

Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers. Jacob Baines, the Tenable researcher who made the discovery, presented the talk "Bug Hunting in RouterOS" at Derbycon on October 7. The vulnerabilities include CVE-2018-1156 -- an authenticated remote code execution (RCE) -- as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The most critical of these vulnerabilities is the authenticated RCE, which would allow attackers to potentially gain full system access. They were tested against RouterOS 6.42.3 (release date: 05-25-2018) using the x86 ISO.

  • What do you need to know? Tenable Research has discovered multiple vulnerabilities in a proprietary operating system, RouterOS, used by MikroTik routers. The vulnerabilities include an authenticated RCE, a file upload memory exhaustion and a recursive parsing stack exhaustion.
  • What’s the attack vector? Attackers could use default credentials, frequently left unchanged on routers, to exploit these vulnerabilities.
  • What’s the business impact? The authenticated RCE vulnerability could be exploited with default credentials, granting an attacker full system access and allowing them to divert and reroute traffic or gain access to any internal system that uses the router.
  • What’s the solution? MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 to address these vulnerabilities.

Background

RouterOS is an operating system based on the Linux kernel, which implements functionalities normally used by Internet Service Providers (ISPs), such as Border Gateway Protocol (BGP), IPv6, Open Shortest Path First (OSPF) or Multiprotocol Label Switching (MPLS). RouterOS, supported by MikroTik and its user community, provides a wide variety of configuration examples. RouterOS is embedded in MikroTik’s RouterBOARD product line, focused on small- and medium-sized internet access providers that typically provide broadband access in remote areas. MikroTik is headquartered in Riga, Latvia.

Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 - 40,000 devices display an updated, patched version.

Analysis

All of these vulnerabilities require authentication (essentially legitimate credentials). If the authenticated RCE vulnerability (CVE-2018-1156) is used against routers with default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router.

MikroTik routers were identified as being compromised by a Russian threat actor (APT28/Sofacy/FancyBear) in the recent VPNFilter malware, which received extensive media coverage. VPNFilter reportedly targets default credentials, the standard usernames and passwords enabled on the device out of the box, which users often leave unchanged. The actual vulnerabilities being used by VPNFilter are not fully known. Reports have stated that no zero-days were used, but this vulnerability could be a valid attack vector.

Proof of Concept

The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_typ'e=%d&board=%d HTTP/1.0

Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system.

Solution

MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 to address these vulnerabilities. Users should also be sure to change the default credentials wherever possible.

Additional information:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Oct 7, 2018

People also viewed

Customer Success Manager - ANZ

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

Field and Channel Marketing Manager, Nordics and Benelux

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

Finance & Investor Relations Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

Senior Data Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

Technical Support Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.