New vulnerabilities in MikroTik could allow attackers to gain complete system access

• An attacker could exploit a similar vulnerability patched in April, to conduct unauthenticated remote code execution attacks.
• All the vulnerabilities listed can be exploited using default credentials.

Multiple vulnerabilities were found in MikroTik routers, which if exploited, could allow attackers to gain total system access. The bugs also leave devices vulnerable to remote code execution attacks, using a newly discovered exploit technique. The vulnerability exists in the MikroTik routers’ operating system.

While previous vulnerabilities and hacks have left the company’s router open to device failures, cryptojacking, and network eavesdropping, the new flaws sever yet another blow to MikroTik’s security.

“The vulnerabilities include CVE-2018-1156 -- unauthenticated remote code execution (RCE) -- as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158),” security experts at Tenable Research said in a report.

The researchers said that the most critical one of these is the remote code execution (RCE) vulnerability. One of the vulnerabilities - (CVE-2018-14847) - was found and patched in April. However, according to the researchers, the bug could still have been exploited using a new attack technique that allowed attackers to perform unauthenticated remote code execution.

Attack method

All the vulnerabilities listed can be exploited using default credentials. These credentials are often left unchanged by users, which, in turn, make brute forcing them fairly simple.

“If the RCE vulnerability (CVE-2018-1156) is used against the MikroTik router along with the default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router,” said researchers.

Tenable researcher Jacob Baines, who found the vulnerability, also released a proof-of-concept of a new attack technique that not only allows attackers to read files but goes one step further by allowing them the ability to write files to the router.

“Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,” Baines wrote.

Attackers exploiting old bug

Although MikroTik patched the (CVE-2018-14847) bug in early August, Tenable researchers suggest that only 30 percent of the vulnerable modems have been patched, leaving approximately 200,000 routers still vulnerable to potential attacks.

“This is as bad as it gets,” Baines told Threatpost. “This bug was reported in April, but we are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door.”

Recent reports also show that the read version of the vulnerability was exploited in various campaigns. In August, over 170,000 MikroTik routers were being abused in a cryptojacking campaign. Last month, it was reported that 7,500 MikroTik routers were forwarding their owner’s traffic to eavesdropping cybercriminals.

Meanwhile, MikroTik has also released patches for the affected RouterOS versions 6.40.9, 6.42.7 and 6.43 to stops all attack techniques associated with CVE-2018-14847 and newer ones.