Security experts often sound like the worst stuck record ever. “Update your software,” “update your hardware,” “update your operating system,” are said verbatim and on repeat constantly. The reason for all the repetition is that users to do not follow this simple advice. Updates are seen as an inconvenience rather than a security essential. If you are the owner of a MikroTik router it is most certainly time to patch your router. Security researchers on Twitter, including Kira 2.0, sounded the warning sirens showing that nearly 12,000 MikroTik routers are currently infected with various malware strains. Researchers began investigating further and it was discovered that a known vulnerability in the firmware of MikroTik routers is potentially far more dangerous than previously believed. The vulnerability in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS. According to research done by Tenable, the vulnerability allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.
Sifting through all the jargon, the key take away is that the vulnerability allows for remote code execution attacks. Such attacks can best be explained as the attacker executing code while not actually needing to be in front of the target computer. Such code can run from a remote server, which means that the attack can originate from anywhere around the world giving the attacker access to the computer. Once a hacker gains access to a system, they’ll be able to make changes within the target computer.
To make matters worse researchers at ThreatPost discovered that the above-mentioned vulnerability can be used to gain root shell access and bypass router firewall protections, leading to unauthorized network access and the installation and execution of malware. This led researchers to state that the situation is “as bad as it gets.” Getting an exact number of how many routers are vulnerable is difficult. What is known is that Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9 are impacted. That could mean that as many as 200,000 routers are vulnerable.
Such vulnerabilities are serious business
It cannot be overstated how serious patching these vulnerabilities can be. Millions of users are potentially at risk of being susceptible to device hijacking and potential spying. These have massive financial costs associated if exploited by an attacker. This is not a new phenomenon and recently researchers from 360 Netlab uncovered evidence of CVE-2018-14847 actively being used to compromise unpatched devices. This discovery was made in September.
Currently, no hard evidence can be provided as to the full nature of active attackers exploiting vulnerabilities found in the routers in question. Such information can only be determined after an attack. It is, however, believed that the vulnerability is being used to turn routers into slave devices for the purpose of cryptocurrency mining. While this might be as bad as it gets for router vulnerabilities users are not powerless to prevent their routers from being infected. The vulnerability mentioned above and another, CVE-2018-1156 which is classified as a stack buffer overflow security vulnerability, have been patched by MikroTik. According to the company the stack overflow vulnerability worked as follows,
“The licupgr binary has a sprintf call that an authenticated user can use to trigger a remote stack buffer overflow…Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system.”
How to patch your router
Despite patches for these vulnerabilities been available for download since August, it is estimated that nearly two-thirds of MikroTik users have not patched their routers. It is one thing to state that router owners must patch their routers immediately but many users might not know how. According to the MikroTik manual users can set their system to automatically upgrade the latest patches or they can opt to manually download and install the patches if they so choose. For users, the easiest option would be to set automatic updates. In order to do this, the user needs to simply click the upgrade button found within the router’s settings. According to MikroTik,
“The automatic upgrade feature connects to the MikroTik download servers and checks if there is a new RouterOS version for your device. If yes, a changelog is displayed, and the Upgrade button is shown. Clicking the upgrade button, software packages are automatically downloaded, and the device will be rebooted. Even if you have a custom set of packages installed, only the correct packages will be downloaded.”
If you wish to manually patch your router it is advised that you read the manual linked above as there are a number of options available to the user in order to do this. Upgrading the RouterOS is not only important for security but can also improve hardware stability and performance.
While some users may feel that preventing crypto mining campaigns from using their router is one of the least of their worries, there is absolutely no guarantee that the attackers will remain content just to mine Monero. Researchers are continually seeing that attackers are blurring the lines between malware variants and creating kits that incorporate trojans, ransomware, spyware, and others. More than ever users need to be proactive in defending their computers and other devices. The simple task of keeping software and hardware up to date greatly increases your defensive posture. More importantly, it denies attackers an easy way of gaining access to your system.