If you haven't installed a batch of patches for bugs in your MikroTik routers – and two thirds of owners apparently haven't – then stiffen the sinews and summon up the blood: you really need to update your firmware.
The vulnerabilities, which were addressed by the manufacturer way back in August in software updates, can lead all the way up to remote code execution (RCE) if exploited. We're told that roughly 68 per cent of vulnerable MikroTik gear facing the internet remain unpatched, though.
The sad list of flaws Tenable Security's Jacob Baines presented to the Derbycon hacking conference on Sunday includes an authenticated RCE, CVE-2018-1156; a file upload memory exhaustion bug, CVE-2018-1157; a memory corruption bug, CVE-2018-1159; and a recursive parsing stack exhaustion bug, CVE-2018-1158.
At first glance, readers might dismiss an RCE only accessible to an authenticated user. After all, nobody uses weak default passwords, do they? However, an older directory traversal bug, CVE-2018-14847, let attackers read arbitrary files from the victim's system, and that includes accessing credentials from
user.dat, according to the presentation slides posted [PDF] at GitHub. In other words, you can exploit one bug to get the login info required to exploit the other really bad bug, which allows you to run malicious code on someone's internet gateway.
In Tenable's blog post this week, the organization noted that an authenticated attacker can “potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router.”
MikroTik routers grab their pickaxes, descend into the crypto minesREAD MORE
While spifflicating MikroTik's RouterOS, Baines also turned up an extra dimension to the CVE-2018-14847 hole: he found a command that allows arbitrary writes, which “gives a remote attacker root terminal access to the underlying operating system (Linux) without requiring prior knowledge of credentials.”
Tenable's blog post noted that: “As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version,” discovered through a Shodan.io search. Baines' presentation estimated that 67.8 per cent of MikroTik routers currently remain unpatched.
MikroTik patched the security cockups in Router OS versions 6.42.7, 6.40.9, and 6.43 in late August. So, if you haven't already done so, grab and install those as soon as you can – before your router becomes someone else's router. ®