MikroTik routers with default credentials can be easily compromised

If you own a MikroTik router and you haven’t updated its RouterOS in the last month, you should do so now: Tenable Research has released details about four vulnerabilities they found in the OS, including an authenticated remote code execution flaw that can be leveraged against routers with default credentials.

About MikroTik

MikroTik is headquartered in Riga, Latvia, and routers they manufacture are used by ISPs providers across the world.

“Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India,” the researchers noted.

Mikrotik’s routers were among those targeted by the VPNFilter malware and in an extensive cryptojacking campaign flagged a few months ago.

About the vulnerabilities

The four vulnerabilities discovered by Tenable researcher Jacob Baines are:

• CVE-2018-1156: A stack buffer overflow flaw that could allow remote code execution.
• CVE-2018-1157: A file upload memory exhaustion that cause the www binary to consume all memory.
• CVE-2018-1158: A recursive JSON parsing stack exhaustion flaw that could cause a crash of the www service.
• CVE-2018-1159: A memory corruption in the www binary that can be caused by rapidly authenticating and disconnecting.

All of the flaws require the attacker to be authenticated, i.e., the attacker must known the username and password set up on the device, and that’s the reason why routers with default credentials are easy targets.

“If the authenticated RCE vulnerability (CVE-2018-1156) is used against routers with default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router,” Tenable explained.

The solution to the problem is easy: users should update their routers’ OS to version 6.42.7, 6.40.9, or 6.43 (or later). And for those that never changed the device’s default credentials, now is the perfect time to do it: change the default username (if you can) and choose a unique, long and complex password (instructions).

Default passwords are the reason why many IoT devices get conscripted into botnets and legislators are slowly trying to do something about that. Unlike many router makers, MikroTik seems invested in fixing flagged vulnerabilities quickly, so regularly updating your MikroTik router should help ward off most attackes.

UPDATE (October 8, 2018, 7:35 a.m. PT)

MikroTik has told Help Net Security that only a (hopefully small) subset of users are vulnerable to a remote device hijack attack via CVE-2018-1156: those that kept the default credentials and went out of their way to manually turn off the device’s firewall, which is on by default.

Still, there is another issue that users should be aware of and deal with if they haven’t already: CVE-2018-14847. This vulnerability, patched by MikroTik in April, allowed remote attackers to bypass authentication, get root access and read arbitrary files (and thus, get the device’s credentials).

But Baines recently revealed a new exploitation technique for it that can allow an adversary to write files to the router, trigger a stack buffer overflow (e.g., CVE-2018-1156), and ultimately enable a root shell on the target device.

The problem is that there are approximately 200,000 MikroTik routers out there that still haven’t been patched for CVE-2018-14847 or for more recently discovered vulnerabilities, which makes them wide open to exploitation if the users turned the device’s firewall off (e.g., to make it accessible from other networks).

So, one more time: users are advised to RouterOS versions 6.40.9, 6.42.7 or 6.43, as they stop all attack techniques associated with CVE-2018-14847 and plug the four recently revealed holes.