Patched MikroTik router vulnerability worse than initially thought

A known MikroTik router vulnerability could be significantly more dangerous than previously believed.

In September, researchers at Qihoo 360 Netlab reported that a MikroTik router vulnerability, tracked as CVE-2018-14847, enabled hackers to infect more than 7,500 routers with malware. The malware logged and transmitted network traffic information to servers under the hackers' control. The vulnerability, initially rated medium severity, was disclosed in the Vault 7 leaks of alleged CIA hacking tools and was patched in April 2018.

Now, researchers at Tenable Research say the MikroTik router vulnerability should be rated critical severity because of a new technique that could further exploit targeted routers. Tenable Research presented the new hacking technique at the DerbyCon 8.0 security conference in Louisville, Ky., earlier this week and said it could enable hackers to perform remote code execution (RCE) attacks on the vulnerable MikroTik routers.

"The authenticated RCE vulnerability could be exploited with default credentials, granting an attacker full system access and allowing them to divert and reroute traffic or gain access to any internal system that uses the router," Tenable Research explained in a blog post.

Because default credentials are often left unchanged on hardware such as routers, attackers could take advantage of this MikroTik router vulnerability and exploit it on a wide scale.

"Based on Shodan analysis, there are hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India," Tenable Research explained. "As of October 3, 2018, approximately 35,000 - 40,000 devices display an updated, patched version."

Tenable Research discovered several other vulnerabilities in RouterOS, the operating system used on MikroTik routers. They include CVE-2018-1156, which could enable another authenticated RCE attack; CVE-2018-1157, which enables file upload memory exhaustion; CVE-2018-1159, which enables a memory corruption attack against the MikroTik router web server; and CVE-2018-1158, which enables recursive parsing stack exhaustion.

In response to Tenable Research's findings, MikroTik posted a statement on its blog saying that the issues had been fixed.

"The issues only affect authenticated users, meaning, to exploit them, there must be a known username and password on the device," MikroTik said. "Your data, access to the system and configuration are not under risk."

MikroTik fixed all of the vulnerabilities disclosed by Tenable Research by updating RouterOS to versions 6.42.7, 6.40.9 and 6.43.

There have not been any reported exploits of the MikroTik router vulnerability in the wild.