The bug in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS through 6.42 and allows "remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID."

Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9 are impacted.

While classified as a directory traversal bug of medium severity, researchers from Tenable Research say the vulnerability can be used to remotely execute code due to a new attack method.

As reported by ThreatPost, the vulnerability can actually be used to gain root shell access and bypass router firewall protections, leading to unauthorized network access and the deployment of malware payloads.

The read version of the vulnerability was patched in April. However, Tenable Research's Jacob Baines discovered that the Winbox flaw can be exploited further to write files to the router, leading to a far more dangerous security issue.

Baines told the publication that the attack chain is "as bad as it gets," as CVE-2018-14847 can be used to leak admin credentials and create an authenticated code path for further exploit.

In September, researchers from 360 Netlab uncovered evidence of CVE-2018-14847 actively being used to compromise unpatched devices. While the full nature of the active attackers was unclear, it is believed that the bug is being used to turn routers into slave devices for the purpose of cryptocurrency mining.

"Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation, and India," Tenable Research says. "As of October 3, 2018, approximately 35,000 - 40,000 devices display an updated, patched version." It is believed that as many as 200,000 routers are still unpatched and therefore vulnerable.

A stack buffer overflow security vulnerability, CVE-2018-1156, has also been resolved. "The licupgr binary has a sprintf call that an authenticated user can use to trigger a remote stack buffer overflow," the company says. "Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system."

A file upload memory exhaustion bug, CVE-2018-1157, a www memory corruption issue, CVE-2018-1159, and a recursive parsing stack exhaustion security flaw, CVE-2018-1158, have also been resolved, all of which were disclosed by Tenable Research over the weekend. MikroTik's RouterOS versions 6.40.9, 6.42.7 and 6.43 security releases - published in August - address these vulnerabilities.

Vulnerabilities in RouterOS are serious business due to the millions of users that are potentially at risk of device hijack or eavesdropping.
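An added triage helper for inventory checks (example code written for this page, not from the article, Tenable or MikroTik) that classifies RouterOS version strings against the fixed releases named above, 6.40.9, 6.42.7 and 6.43; it assumes that any 6.41.x build and anything older than the 6.40 branch is unpatched, since no fix for those branches is named here.

```python
"""Classify MikroTik RouterOS version strings as affected or patched
relative to the fixed releases named in the article (6.40.9, 6.42.7, 6.43).
Added example code, not from the article or MikroTik."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed releases per the article. Assumption: 6.41.x and branches older
# than 6.40 have no named fix, so they are treated as affected.
FIXED = {(6, 40): (6, 40, 9), (6, 42): (6, 42, 7)}
FIRST_CLEAN_BRANCH = (6, 43)  # 6.43 and later ship with the fix


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'X.Y' or 'X.Y.Z', optionally followed by a tag such as 'rc1'.
    Returns (major, minor, patch) or None if the string is not a version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[ -]?[A-Za-z].*)?\s*", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if fixed, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    if v[:2] >= FIRST_CLEAN_BRANCH:
        return False
    fix = FIXED.get(v[:2])
    if fix is None:
        return True  # branch without a named fix (6.41.x, or older than 6.40)
    return v < fix


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs into affected / patched / unknown."""
    out: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, ver in inventory:
        r = is_affected(ver)
        out["unknown" if r is None else "affected" if r else "patched"].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("edge-1", "6.42.6"), ("edge-2", "6.40.9"), ("edge-3", "6.41.4"),
              ("core-1", "6.43rc1"), ("lab-1", "n/a")]
    for group, hosts in triage(sample).items():
        print(f"{group}: {hosts}")
```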