Developers: MikroTikls SIA
Technology: Routers
RouterBoard is a hardware platform from MikroTik used in routers. RouterBoard-based devices run the RouterOS operating system.
The various RouterBoard models cover a wide range of network tasks: from a simple wireless access point or managed switch to a powerful router with firewall and QoS.
Practically all RouterBoard models can be powered over PoE and also have a connector for an external power supply.
History
2019: Four vulnerabilities allowing creation of a backdoor are disclosed
On October 30, 2019 it became known that researchers from Tenable had found four vulnerabilities (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978 and CVE-2019-3979) in MikroTik routers. According to the researchers, an unauthenticated attacker with access to port 8291 on the router can remotely downgrade RouterOS to an earlier version, reset system passwords and potentially obtain root privileges.
The first stage of the exploitation chain is DNS cache poisoning. In RouterOS the DNS server is disabled by default, but the router still maintains its own DNS cache. DNS queries are handled by the "resolver" binary, which is reachable over the Winbox protocol. Using three commands, an unauthenticated user can make the router send DNS queries to a DNS server of their choice.
The next step in the chain is a rollback of RouterOS to version 6.42.12 or earlier (starting with version 6.43, MikroTik changed the password handling mechanism). According to the project changelog, "downgrading to any version below 6.43 (6.42.12 or older) deletes all user passwords and allows logging in without a password".
Using a malicious DNS server, the attacker can inject a number of malicious IP addresses into the router's cache, including the address of the update server. When the router checks for updates, it reaches the attacker's site instead of MikroTik's official site. The malicious site can be used to install an earlier version that RouterOS will consider the latest.
"When the user installs the 'new update', the normal logic that prohibits downgrading through an update is bypassed, and the router switches to RouterOS 6.41.4. Since we were able to roll RouterOS back from version 6.45.6 to 6.41.4, we obtained an empty admin password. So the attacker can log in as administrator," the researchers explain.
The .NPK file handling parses an added "part info" field, which can be used to create a directory at an arbitrary location on the disk.
"The file supporting the backdoor on 6.41.4 is simply /pckg/option. As long as the file exists, even as a directory, the backdoor works," the researchers explain.
MikroTik fixed the above vulnerabilities in RouterOS version 6.45.7[1].
2018
Vulnerability in MikroTik routers allows privilege escalation to root
In October 2018 it became known that a flaw found earlier in MikroTik router firmware was much more serious than previously thought. The attack exploits CVE-2018-14847, which is present in the Winbox administration utility. Using it, hackers bypass authentication and gain access to arbitrary files. Potentially this can lead to remote execution of arbitrary code.
According to ThreatPost, attackers use this vulnerability to obtain administrator rights and bypass firewall protection, thereby gaining access to the network and the ability to execute malicious code.
The earlier form of the vulnerability was fixed in April 2018. However, Jacob Baines of Tenable Research found that the Winbox vulnerability can also be used to write files to the router, which is a more serious problem.
The vulnerability description says that the licupgr executable contains a call to sprintf that can be used to trigger a buffer overflow remotely. With this information public, attacks using the flaw become more dangerous: CVE-2018-14847 allows hackers to obtain root credentials and execute arbitrary code.
As of October 2018, RouterOS versions before 6.42.7 and 6.40.9 are exposed to such attacks. By rough estimates, of the hundreds of thousands of routers connected to the Internet only 35-40 thousand have received the update. RouterOS updates 6.40.9, 6.42.7 and 6.43 were released in August 2018 and fix this vulnerability, as well as a memory overflow error in file upload and other bugs.
Earlier, the previous form of the attack was used to turn routers into cryptomining devices. In early August 2018 it was revealed that about 200,000 vulnerable routers had been compromised for this purpose.[2]
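The two advisories above give the reader several version boundaries to keep in mind: CVE-2018-14847 was fixed in 6.40.9, 6.42.7 and 6.43; the 2019 downgrade chain was fixed in 6.45.7; and anything 6.42.12 or older still uses the old password handling that the downgrade attack relies on. The following is an added example, not Tenable's or MikroTik's code, that turns those boundaries into a small inventory check: given a RouterOS version string (as shown in Winbox or `/system resource print`), it reports which of the issues on this page still apply. The sample version strings are constructed for the example.

```python
"""Classify a RouterOS version string against the fixed releases named on this page.
Added example; the thresholds come from the article text, not from a vendor feed.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First fixed releases, per the article.
FIX_2018_LONGTERM: Version = (6, 40, 9)   # CVE-2018-14847, 6.40.x branch
FIX_2018_STABLE: Version = (6, 42, 7)     # CVE-2018-14847, 6.42.x branch (6.43 also fixed)
FIX_2019: Version = (6, 45, 7)            # CVE-2019-3976..3979 downgrade/backdoor chain
OLD_PASSWORD_SCHEME_MAX: Version = (6, 42, 12)  # downgrade to <= this wipes passwords


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from strings like '6.43' or 'RouterOS 6.45.6 (stable)'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no RouterOS version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(text: str) -> Dict[str, bool]:
    """Return which issues from this page still apply to the given version."""
    v = parse_version(text)
    # 2018 Winbox bug: anything before the long-term fix, or the 6.41/6.42 releases
    # that predate 6.42.7; 6.43 and later shipped fixed.
    winbox_vuln = v < FIX_2018_LONGTERM or ((6, 41, 0) <= v < FIX_2018_STABLE)
    return {
        "cve_2018_14847": winbox_vuln,
        "cve_2019_downgrade_chain": v < FIX_2019,
        "old_password_scheme": v <= OLD_PASSWORD_SCHEME_MAX,
    }


def needs_update(text: str) -> bool:
    """True if any issue on this page applies, i.e. the device is below 6.45.7."""
    return any(assess(text).values())


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for sample in ("RouterOS 6.40.8 (long-term)", "6.41.4", "6.42.7", "6.45.6", "6.45.7"):
        print(f"{sample:28} {assess(sample)}")
```

Versions are compared as integer tuples rather than strings so that 6.42.12 sorts after 6.42.7; the branch logic only encodes what the article states, so a release older than 6.40 is treated as vulnerable and 6.43 onward as fixed for the 2018 bug.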
Thousands of MikroTik routers joined into a botnet using a CIA/NSA exploit
More than 7,500 MikroTik routers were compromised by malware that collects traffic data and forwards it to a remote server, The Register reported on September 4, 2018.
According to researchers at 360 Netlab, the attackers used an exploit for CVE-2018-14847. This exploit was published as part of the WikiLeaks Vault7 release[3] and is presumably one of the CIA's hacking tools.
In addition to collecting traffic data, cryptominers were installed on the local computers connected to the routers hacked in this way.[4]
Users worldwide suffered from this campaign, but the largest numbers of victims were in Russia (40,742 vulnerable devices recorded), Brazil (42,376 vulnerable devices) and Indonesia (22,441 vulnerable devices). The top 10 countries by number of victims also included India, Iran, Italy, Poland, the USA, Thailand and Ukraine.
Experts note that the malware installed on the routers survives a reset without difficulty, so the only reliable way to get rid of it is a firmware update.
"To keep the attackers' control over the device even after a reset (change of IP), a task is created on the device to periodically report its current IP address to a specific URL belonging to the attackers," the Netlab report says.
Experts also point out that the attackers continue to actively search for vulnerable routers running MikroTik RouterOS.
What the attackers' ultimate goal is, experts do not yet know. It is notable that the hackers are for some reason especially interested in traffic from SNMP ports 161 and 162.
"There are questions as to why the attackers are interested in a network management protocol that ordinary users very rarely deal with. Are they trying to monitor and intercept SNMP data from some specific communities?" the Netlab researchers ask.[5]
SNMP is a standard Internet protocol for managing devices in IP networks over TCP/UDP. The protocol is typically used in network management systems to monitor networked devices for conditions that require the administrator's attention.
"It looks like centralized collection of information. It is quite probable that this is a search for entry points into network infrastructure, perhaps even into some specific ones, by parameters known to the attackers," believes Oleg Galushkin, Chief Information Security Officer at SEC Consult Services. "Everything else may be a 'smoke screen' and attempts to profit. But that is most likely a secondary task."
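The Netlab observation above, that compromised routers forward traffic, with a particular interest in SNMP ports 161 and 162, to a remote server, suggests a simple network-side check: SNMP is a local management protocol, so SNMP flows between a host inside the organisation and an address on the Internet are worth an alert, and an external address that receives SNMP from many internal hosts at once is the "centralized collection" pattern Galushkin describes. The following is an added example, not Netlab's tooling or anything from MikroTik; it runs over constructed flow records in a NetFlow-like CSV shape, treats RFC 1918 space as "internal", and uses documentation address ranges for the external side.

```python
"""Flag SNMP (UDP 161/162) flows that cross the local network boundary.
Added example; the flow records are constructed and the internal/external split
is an assumption (RFC 1918 = internal). Real input would be NetFlow/IPFIX or
firewall logs with the same fields.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
SNMP_PORTS = {161, 162}

# Constructed sample flows: one SNMP poll inside the LAN (benign), three SNMP flows
# from two internal hosts to the same Internet address (suspicious), one HTTPS flow.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port,bytes
192.168.1.20,192.168.1.1,udp,161,120
192.168.1.1,203.0.113.45,udp,161,640
192.168.1.1,203.0.113.45,udp,162,512
10.0.0.7,203.0.113.45,udp,161,480
192.168.1.30,198.51.100.9,tcp,443,9000
10.0.0.7,10.0.0.1,udp,162,220
""".splitlines()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines: Iterable[str]) -> Iterator[Dict]:
    """Parse CSV flow records with a header row into dicts with typed port/bytes."""
    lines = list(lines)
    header = lines[0].split(",")
    for line in lines[1:]:
        if not line.strip():
            continue
        rec = dict(zip(header, line.split(",")))
        rec["dst_port"] = int(rec["dst_port"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def find_snmp_boundary_flows(lines: Iterable[str]) -> List[Dict]:
    """Return SNMP flows where exactly one endpoint is outside the internal ranges."""
    hits = []
    for rec in parse_flows(lines):
        if rec["proto"] != "udp" or rec["dst_port"] not in SNMP_PORTS:
            continue
        if is_internal(rec["src_ip"]) != is_internal(rec["dst_ip"]):
            hits.append(rec)
    return hits


def collectors(hits: List[Dict]) -> Dict[str, int]:
    """Group boundary SNMP flows by the external endpoint and count distinct internal peers.
    An external address with many internal peers looks like a central collection point."""
    peers = defaultdict(set)
    for rec in hits:
        if is_internal(rec["src_ip"]):
            peers[rec["dst_ip"]].add(rec["src_ip"])
        else:
            peers[rec["src_ip"]].add(rec["dst_ip"])
    return {ext: len(hosts) for ext, hosts in peers.items()}


if __name__ == "__main__":
    hits = find_snmp_boundary_flows(SAMPLE_FLOWS)
    for rec in hits:
        print("SNMP across boundary:", rec["src_ip"], "->", rec["dst_ip"], "port", rec["dst_port"])
    for ext, n in collectors(hits).items():
        print(f"external {ext} receives SNMP from {n} internal host(s)")
```

The boundary test deliberately ignores direction: an outbound SNMP flow to the Internet catches the forwarding described in the article, and an inbound one catches Internet hosts polling the router's own SNMP agent, which should equally not be reachable from outside. Sites that legitimately poll SNMP across the Internet would add those collector addresses to an allow list before alerting on the counts.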
Notes
- ↑ Vulnerabilities in MikroTik routers allow creation of a backdoor
- ↑ Vulnerability in MikroTik routers was serious and allows privilege escalation to root
- ↑ [1]
- ↑ MikroTik routers pwned en masse, send network data to mysterious box
- ↑ 7,500+ MikroTik Routers Are Forwarding Owners' Traffic to the Attackers, How is Yours?