A new hacking technique has been found that affects MikroTik routers and makes use of the CVE-2018-14847 bug. The new findings show that the bug needs to be reassigned to a critical severity level. Our article gives an overview of the problem.
CVE-2018-14847 MikroTik Routers Vulnerability Escalated to Critical
MikroTik routers are now a main target of hackers, as a previously known security bug was escalated to the “critical” level. This is due to recently published research giving further details about a new hacking mechanism that allows malicious actors to hijack these devices using a new approach.
The bug in question is tracked in the CVE-2018-14847 advisory, which was announced earlier this year and patched in April. When the problem was first reported it impacted the Winbox application, which is an administrative application and user interface for the RouterOS system used by MikroTik devices.
The new security research shows that the new attack technique exploits the same bug; as a result, malicious operators can execute code remotely without being authenticated to the system. The proof-of-concept code demonstrates that malicious operators can remotely acquire a root shell on the devices, as well as bypass the firewall rules. This gives them the ability to intrude into the internal networks and even plant malware without being detected.
The cause of this problem is a flaw in the directory file handling of the Winbox software, which allows remote attackers to read files without being authenticated. Not only this, but the newly discovered tactic also allows the hackers to write to the file. This is possible by triggering a buffer overflow, which can give access to the stored credentials used to enter the restricted menu. The new attack technique follows a two-step process: first acquiring information about the target devices, and then using the credentials to access them.
The CVE-2018-14847 vulnerability was patched by MikroTik in August; however, a new scan reveals that only about 30% of all routers have been patched. This leaves thousands of routers vulnerable both to the older issue and the recently announced one. This is particularly dangerous because malicious actors can use the signatures of the MikroTik routers to easily discover target devices. A sample search shows that many of them are found in the following countries: India, Russian Federation, China, Brazil and Indonesia.
The new attack method is currently being exploited in several attack campaigns against unpatched devices. Following the discovery, MikroTik issued a patch that fixes all known vulnerabilities encompassed in the CVE-2018-14847 advisory. All device owners are urged to update their equipment to the latest version of the RouterOS system.
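Since the attack relies on reaching the Winbox service from the outside, restricting who can talk to that service is the practical complement to installing the update. The RouterOS CLI session below is an added example written for this article; it is not from MikroTik or from the research discussed above. It assumes the default Winbox port (8291), an interface list named WAN as created by the default configuration, and uses 192.0.2.0/24 as a placeholder for the management network; adjust both to the real environment.

```routeros
# Added example (not from the article or from MikroTik): limit Winbox exposure
# and bring the device up to date. 192.0.2.0/24 is a placeholder management network.

# 1. Weak setting: the Winbox service has an empty "address" field, meaning it
#    accepts connections from any source. Inspect the current state first.
/ip service print where name=winbox

# 2. Corrected setting: only hosts on the management network may reach Winbox.
/ip service set winbox address=192.0.2.0/24

# 3. Defence in depth: drop Winbox traffic arriving on any WAN-facing interface,
#    inserted at the top of the input chain so no earlier accept rule matches it.
#    Assumes the "WAN" interface list exists (default configuration creates it).
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=8291 action=drop comment="block Winbox from WAN" place-before=0

# 4. Record the running RouterOS version, then check for and install the
#    current release. The router reboots as part of the install step.
/system resource print
/system package update check-for-updates
/system package update install
```

After the reboot, repeat step 4's first command and compare the version with MikroTik's release notes to confirm the fixed build is running; rule 3 stays in place regardless of the version so that a later change to the service list does not silently re-expose the port.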