Tenable Researcher Reveals Extended MikroTik Router Vulnerability

At Derbycon, a Tenable security researcher disclosed a new attack vector for a previously disclosed vulnerability in a widely deployed router platform.

Vulnerabilities

Routers represent an attractive target for hackers to build botnets and spread malware, especially when the routers have known, unpatched remote code execution vulnerabilities.

In April, the CVE-2018-14847 vulnerability was first reported in MikroTik routers that have millions of users worldwide. That initial report indicated the scope of the vulnerability was limited and only had moderate impact, but that's not what Tenable researcher Jacob Baines found. On Oct. 7 at the Derbycon conference, Baines disclosed how attackers can remotely exploit that flaw without the need for any authentication.

"The fact that we could use a developer back door to root the system and expose the internal network of a company … was the most surprising thing for me," Baines told eWEEK.

MikroTik has a large user base, and its routers are deployed in both consumer and enterprise environments, Baines said. MikroTik actually patched the CVE-2018-14847 issue in April, though the initial exploit vector was only given a moderate impact rating. He explained that with the additional exploit vectors he uncovered, MikroTik routers were leaking information that enabled him to get a root shell on vulnerable systems.

"The CVE-2018-14847 vulnerability is a directory traversal on specific command that enables users to read commands," Baines explained.

In a directory traversal attack, hackers run automated tools to get a map of all hidden files and directories. The risk with directory traversal attacks is that files that normally are not exposed can be discovered and mined for sensitive information such as passwords and configuration settings. Baines said he discovered a directory traversal on a different command than what was first reported in April, one that enables a file writing capability that can then be abused to create a root shell. With a root shell, an attacker can have full remote access to a vulnerable device.

While the attack vector that Baines discovered is a modification and extension of what had previously been disclosed, he said the same patch that MikroTik released in April will protect against the issue he disclosed on Oct. 7. The challenge, he said, is that a lot of users have not patched their devices, perhaps because the initial advisory did not rate the vulnerability as being severe.

According to Baines, there are still many unpatched MikroTik routers at risk, with as many as 70 percent of vulnerable routers not yet patched.

Detection

Baines said Tenable already has plug-ins as part of its security scanning platform to detect the MikroTik router OS vulnerability. Tenable's security platform includes Security Center for on-premises deployments and tenable.io for the cloud, both of which enable organization to evaluate and manage vulnerabilities.

As part of his Derbycon talk, Baines released a series of tools on GitHub to help researchers and penetration testers exploit the vulnerability he detailed. He said the tools he released could potentially be ported into the open-source Metasploit framework, making it easier for researchers to test.

"You're not supposed to be able to get full root access on these [MikroTik] systems, so a normal user will never be able to tell if they've been exploited just by looking at the router," Baines said. "Users will need some kind of network IDS [intrusion detection system] to be watching traffic for that specific payload."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.