Jacob Baines, a security researcher at Tenable Research, has released “By the Way,” a new proof-of-concept (PoC) remote code execution (RCE) exploit, after finding a new way to chain an already known vulnerability in MikroTik routers into full device compromise.
The vulnerability, tracked as CVE-2018-14847, is a directory traversal flaw that MikroTik patched in April 2018, the same day it was reported. Tenable’s finding is that it is far more dangerous than its original rating suggested.
The flaw was initially rated medium severity and was understood to affect Winbox, the RouterOS management component and its Windows GUI application, on MikroTik devices. RouterOS powers the company’s business-grade RouterBOARD products and its ISP/carrier-grade gear.
It has since been reclassified as critical because the new technique lets an attacker chain it into remote code execution on affected devices and obtain a root shell.
The new attack, developed by Jacob Baines, works against MikroTik’s edge and consumer routers. It adds to an already long list of threats to the MikroTik router family, which has been abused for cryptojacking and network snooping.
Tenable Research presented the findings at DerbyCon 8.0, held in Louisville, Kentucky, on Sunday. In a blog post published soon after the talk, Tenable Research explained the consequences of the newly identified attack method:
“By exploiting the flaw, the remote attacker can get a root shell on the device as well as bypass the router’s firewall, gain access to the internal network, and even load malware onto victims’ systems undetected.”
The chain starts with the Winbox “any directory file” bugs. The read side (CVE-2018-14847) lets an unauthenticated attacker read arbitrary files from the router’s file system; a companion write primitive lets an attacker write files to the router. The read flaw was fixed in April, the write flaw not until August.
“The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,” wrote Baines.
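The pattern Baines describes, an unbounded sprintf of the username and password into a fixed-size stack buffer, shown beside its bounded replacement. This is an added illustration of the bug class, not MikroTik’s licupgr code: the request format string, the 128-byte buffer and the sample credentials are assumptions. The vulnerable case is reasoned about from sprintf’s return value rather than executed, so the program does not corrupt its own stack.

```c
/* Illustration of the bug class in the quoted description: sprintf() of
 * attacker-controlled username/password strings into a fixed-size stack
 * buffer. Added example, not MikroTik's licupgr code; the request format
 * string and the 128-byte buffer size are assumptions. */
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 128  /* assumed size of the fixed stack buffer */

/* Assumed request format: two attacker-controlled %s with no length bound. */
static const char *REQ_FMT = "GET /upgrade?user=%s&pass=%s HTTP/1.0\r\n\r\n";

/* Vulnerable pattern, analysed rather than executed: sprintf(buf, REQ_FMT,
 * user, pass) writes exactly the byte count snprintf(NULL, 0, ...) reports,
 * plus a NUL, regardless of sizeof(buf). Returns how many bytes would land
 * past the end of a REQ_BUF_SIZE buffer (0 means the request fits). */
int sprintf_overflow_bytes(const char *user, const char *pass) {
    int needed = snprintf(NULL, 0, REQ_FMT, user, pass) + 1;  /* +1 for NUL */
    return needed > REQ_BUF_SIZE ? needed - REQ_BUF_SIZE : 0;
}

/* Hardened form: bounded write plus an explicit truncation check, so an
 * oversized username or password is rejected instead of overflowing the
 * buffer or being silently cut short. Returns 0 on success, -1 if rejected. */
int build_request_safe(const char *user, const char *pass,
                       char *out, size_t outlen) {
    int n = snprintf(out, outlen, REQ_FMT, user, pass);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed attacker input: a password of (len - 1) 'A' bytes. */
static void attacker_password(char *dst, size_t len) {
    memset(dst, 'A', len - 1);
    dst[len - 1] = '\0';
}

/* Bytes the vulnerable pattern would spill for "admin" + 200-byte password. */
int demo_attack_spill(void) {
    char pass[201];
    attacker_password(pass, sizeof pass);
    return sprintf_overflow_bytes("admin", pass);
}

/* Result of the hardened builder for the same input (-1 = rejected). */
int demo_attack_safe(void) {
    char buf[REQ_BUF_SIZE], pass[201];
    attacker_password(pass, sizeof pass);
    return build_request_safe("admin", pass, buf, sizeof buf);
}

int main(void) {
    char buf[REQ_BUF_SIZE];
    printf("benign : spill=%d safe=%d\n",
           sprintf_overflow_bytes("admin", "hunter2"),
           build_request_safe("admin", "hunter2", buf, sizeof buf));
    printf("attack : spill=%d safe=%d\n",
           demo_attack_spill(), demo_attack_safe());
    return 0;
}
```

The `n >= outlen` check is the part that matters: switching to snprintf alone stops the overflow but silently truncates the request, and a truncated credential string is still a bug, just a quieter one. With the assumed format the benign credentials fit with room to spare, while the 200-byte password would run 115 bytes past the buffer, which is exactly the kind of write that lands on the saved return address of a stack frame.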
In the chain, CVE-2018-14847 is exploited first to leak the admin credentials; those credentials then unlock the authenticated code path that is used to plant a backdoor. MikroTik patched the write vulnerability in August, but Tenable Research’s latest scan found that only about 30% of exploitable routers had been patched, leaving nearly 200,000 routers vulnerable to attack.
“Based on Shodan analysis, there are hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation, and India. As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version,” revealed Tenable Research.
If you own a MikroTik router, update RouterOS now. Change the default credentials if you have not already, and use a long, complex password. All RouterOS versions before 6.42.7 and 6.40.9 are affected.
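A quick way to turn the affected-version statement into a check against the version string RouterOS reports (for example from `/system resource print`). This is an added example, not Tenable’s or MikroTik’s code. It assumes the two fixed versions belong to two release branches, 6.40.x fixed at 6.40.9 and 6.42.x fixed at 6.42.7, which is why 6.41.x and 6.42.0 to 6.42.6 are treated as affected (they are below 6.42.7) and 6.43 and later, and 7.x, are not.

```c
/* Added example (editor's, not Tenable's or MikroTik's code): decide from a
 * RouterOS version string whether a device falls inside the range the
 * article gives as affected, "all versions before 6.42.7 and 6.40.9".
 * Assumption: 6.40.x is a branch fixed at 6.40.9 and 6.42.x a branch fixed
 * at 6.42.7; everything in 6.x below 6.42.7 that is not 6.40.9+ is affected. */
#include <stdio.h>

/* Parse "major.minor" or "major.minor.patch" (e.g. "6.43" or "6.40.8").
 * Returns 1 on success, 0 on a malformed string. */
static int parse_version(const char *s, int *maj, int *min, int *pat) {
    *pat = 0;  /* "6.43" means 6.43.0 */
    return sscanf(s, "%d.%d.%d", maj, min, pat) >= 2;
}

/* Returns 1 if affected, 0 if at or after a fixed version, -1 if the
 * string cannot be parsed (so an unknown version is never reported as safe). */
int routeros_affected(const char *version) {
    int maj, min, pat;
    if (!parse_version(version, &maj, &min, &pat)) return -1;
    if (maj != 6) return maj < 6;    /* 7.x is after both fixes; 5.x is not */
    if (min == 40) return pat < 9;   /* long-term branch fixed in 6.40.9 */
    if (min < 42) return 1;          /* 6.0 to 6.41.x: all below 6.42.7 */
    if (min == 42) return pat < 7;   /* stable branch fixed in 6.42.7 */
    return 0;                        /* 6.43 and later */
}

int main(void) {
    /* Constructed sample strings in the form RouterOS prints them. */
    const char *samples[] = {
        "6.40.8", "6.40.9", "6.41.4", "6.42.6", "6.42.7", "6.43", "7.1", "n/a"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s affected=%d\n", samples[i], routeros_affected(samples[i]));
    return 0;
}
```

The non-obvious case this check gets right is 6.41.x: it is newer than the long-term fix in 6.40.9 yet still below the stable fix in 6.42.7, so a naive "is it above 6.40.9" comparison would wrongly mark it safe.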