Researchers have warned that a known vulnerability in the firmware of MikroTik routers is potentially far more dangerous than previously believed.
The bug in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS through 6.42 and allows "remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID."
Although the bug is classified as a medium-severity directory traversal flaw, researchers from Tenable Research say a new attack method lets it be used to remotely execute code.
As reported by ThreatPost, the vulnerability can actually be used to gain root shell access and bypass router firewall protections, leading to unauthorized network access and the deployment of malware payloads.
The arbitrary-file-read form of the vulnerability was patched in April. However, Tenable Research's Jacob Baines discovered that the Winbox flaw can be exploited further to write files to the router, which turns it into a far more dangerous security issue.
Baines told the publication that the attack chain is "as bad as it gets," as CVE-2018-14847 can be used to leak admin credentials and create an authenticated code path for further exploit.
MikroTik RouterOS firmware versions before 6.42.7 and 6.40.9 are impacted. It is believed that as many as 200,000 routers are still unpatched and therefore vulnerable.
"Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation, and India," Tenable Research says. "As of October 3, 2018, approximately 35,000–40,000 devices display an updated, patched version."
MikroTik's RouterOS 6.40.9, 6.42.7 and 6.43 security releases, published in August, address these vulnerabilities.
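The affected-version statements above (unpatched before 6.40.9 on the 6.40 branch and before 6.42.7 on the 6.42 branch, with 6.43 and later shipping the fix) are easy to get wrong when triaging a fleet by hand, because a plain string comparison would rank 6.42.6 above 6.40.9. The script below is an added example, not code from the article or from MikroTik or Tenable; it parses RouterOS version strings and classifies them against exactly the fixed releases named here. Two assumptions are labelled in the comments: a release branch the article names no fix for (for example 6.41.x) is treated as unpatched, and pre-release builds (rc/beta suffixes) are reported as unknown rather than guessed. The inventory is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the article, per branch:
# (major, minor) -> first patch level that carries the fix.
FIXED_PATCH = {(6, 40): 9, (6, 42): 7}
# 6.43 and every later release contain the fix.
FIRST_FIXED_LATER = (6, 43)

# RouterOS version strings look like "6.42.7", "6.43" or "6.43rc56".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(rc\d+|beta\d+)?$")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), prerelease_suffix) or None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), (pre or "")


def is_patched(version: str) -> Optional[bool]:
    """True if the version contains the fix, False if not, None if undecidable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    (major, minor), patch = (parsed[0][0], parsed[0][1]), parsed[0][2]
    pre = parsed[1]
    if pre:
        # Assumption: the article says nothing about rc/beta builds, so do not guess.
        return None
    if (major, minor) in FIXED_PATCH:
        # Branch with a named fix: compare the patch level numerically, not as text.
        return patch >= FIXED_PATCH[(major, minor)]
    # Assumption: a branch below 6.43 with no named fix (e.g. 6.41.x) is unpatched.
    return (major, minor) >= FIRST_FIXED_LATER


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) records into patched / vulnerable / unknown."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[key].append(host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-01", "6.42.6"),    # 6.42 branch, one below the fix
    ("gw-02", "6.42.7"),    # fixed release named in the article
    ("gw-03", "6.40.8"),    # 6.40 branch, one below the fix
    ("gw-04", "6.43"),      # first release of the fixed 6.43 line
    ("gw-05", "6.41.4"),    # branch with no named fix: treated as unpatched
    ("gw-06", "6.43rc56"),  # pre-release: reported as unknown
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```

The version string to feed in is the one the device itself reports (the `version` field of `/system resource print` on the RouterOS console); anything that reports as vulnerable or unknown should be scheduled for the 6.40.9, 6.42.7 or 6.43 releases named above.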
A stack buffer overflow security vulnerability, CVE-2018-1156, has also been resolved.
"The licupgr binary has a sprintf call that an authenticated user can use to trigger a remote stack buffer overflow," the company says. "Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system."
A file upload memory exhaustion bug, CVE-2018-1157, a www memory corruption issue, CVE-2018-1159, and a recursive parsing stack exhaustion flaw, CVE-2018-1158, have also been resolved; all of them were disclosed by Tenable Research over the weekend.
Vulnerabilities in RouterOS are serious business due to the millions of users that are potentially at risk of device hijack or eavesdropping. In September, researchers from 360 Netlab uncovered evidence of CVE-2018-14847 actively being used to compromise unpatched devices.
While the full nature of the active attacks was unclear, it is believed that the bug is being used to turn routers into slave devices for cryptocurrency mining. A month earlier, roughly 200,000 vulnerable MikroTik routers were found to have been compromised to mine Monero via the Coinhive script, a practice known as cryptojacking.
A recent study conducted by the American Consumer Institute (ACI) has found that five out of six home routers are inadequately protected against cyberthreats.
Update 16.50 BST: Article updated to clarify that the stack buffer overflow vulnerability is not connected to the new attack vector and unauthenticated RCE, which does not have a CVE assignment.
Previous and related coverage
- Thousands of MikroTik routers are snooping on user traffic
- Critical ADB router, modem firmware vulnerabilities finally fixed
- New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers