Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

MikroTik RouterOS Vulnerabilities: There’s More to CVE-2018-14847

In the course of preparing his Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known. Here’s how it could allow an unauthenticated remote attacker to gain access to the underlying operating system of MikroTik routers.

While preparing for his Oct. 7 Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known, and the new findings elevate the severity of the vulnerability to critical. Baines also found multiple other vulnerabilities unrelated to CVE-2018-14847 in RouterOS, MikroTik’s proprietary operating system.

CVE-2018-14847 can be used not only for reading files, but for writing them as well. An unauthenticated remote attacker could gain access to the routers’ underlying operating system, giving it a CVSSv2 score of 10.0.

MikroTik released a patch and an advisory for this vulnerability back in April. However, consumers have been slow to patch their systems. Based on Shodan results, Tenable estimates nearly 70 percent of the routers that could be fingerprinted remain unpatched. MikroTik released a new advisory on Oct. 9.

CVE-2018-14847 is being used to steal the routers’ administrator credentials, which allow attackers to gain access to the routers’ various configuration interfaces. Based on the information available initially, the National Vulnerability Database (NVD) had scored this vulnerability as a 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) on the CVSSv2 scale. Here’s how NVD describes CVE-2018-14847:

Winbox for MikroTik RouterOS through 6.42 allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

Active exploits underway

Talos has found VPNFilter malware using this exploit. Other active campaigns exploiting this vulnerability, include:

Confused customers are even taking to Reddit when they discover that their ISP’s MikroTik gateway has been compromised.

Highlights from Derbycon

At Derbycon 8.0 in Louisville, Kentucky, in a talk titled “Bug Hunting in RouterOS” (slides available here), Baines revealed how CVE-2018-14847 can be used for more than reading files. It can also be used for writing files. An unauthenticated remote attacker can leverage this capability to obtain a root shell on the router’s underlying operating system. This changes the CVSSv2 score for CVE-2018-14847 from a 5.0 to a 10.0.

Little information existed about CVE-2018-14847 besides a couple of exploits on Exploit DB. These exploits appear to rely on hex blobs whose purpose wasn’t entirely clear.

Little information existed about CVE-2018-14847 besides a couple of exploits on Exploit DB.

As part of Tenable’s research, we mapped these hex blobs to MikroTik’s message protocol.

As part of Tenable’s research, we mapped these hex blobs to MikroTik’s message protocol.

Previous analysis appears to have focused on the network traffic generated by the WinBox client and not necessarily on how RouterOS actually works. When analyzing CVE-2018-14847, Tenable realized that command 7, which is the command used in the Exploit DB exploit mentioned above, shares the path traversal vulnerability with commands 1 and 3.

It turns out using command 1 allows the remote user to open a file for writing at any location due to the path traversal. Furthermore, RouterOS contains some logic that allows for a root busybox shell over SSH or Telnet if a certain file can be found on disk. Tenable leveraged that logic to use command 1 to create the file and then log into the root shell. Our proof of concept is available on Github.

Tenable proof of concept is available on Github.

Tenable RouterOS proof of concept is available on Github

Conclusion

While this vulnerability was patched in April 2018, adoption rates have been very slow. It’s critical for administrators to patch these systems as soon as possible. If you are a Nessus, SecurityCenter or Tenable.io user, the following plugins will help identify MikroTik routers and recent vulnerabilities.

Plugin ID Title
112114 MikroTik RouterOS < 6.40.9 / 6.42.7 / 6.43 multiple vulnerabilities.

Additional information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training