The Tenable Research team has uncovered vulnerabilities in MikroTik RouterOS. In the meantime, the manufacturer MikroTik has provided firmware updates to close the vulnerabilities.
A short supplement from last week, in which Tenable told me about the vulnerabilities. Tenable expects half a million potential targets.
Four vulnerabilities in MikroTik RouterOS
MikroTik RouterOS contains four vulnerabilities, which the manufacturer has closed only in version 6.45.7 of the firmware. These are the following vulnerabilities:
- Unauthenticated DNS Requests (The RouterOS terminal supports the resolve command for DNS lookups)
- DNS Cache Poisoning (By default, RouterOS has the DNS server feature disabled)
- Downgrade Attack (RouterOS's upgrade mechanism is conducted entirely over HTTP, the packages themselves are signed, but, due to a bug, routers can be tricked into downgrading to an older version of RouterOS)
- Password Reset (Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.)
By combining these four vulnerabilities, attackers gain root access to the system. An attacker can downgrade the router's OS or reset system passwords. Tenable has published the details of the vulnerabilities in this blog post.
Simply deactivating Winbox mitigates all these attacks, which then probably cannot be executed anymore. Tenable security researchers suggest disabling Winbox and using SSH.
MikroTik RouterOS Updates available
MikroTik has published a blog post about the DNS poisoning vulnerability that exists up to RouterOS 6.45.6. They write that the router is affected even if DNS is not enabled. A possible attack vector is via Winbox on port 8291 if this port is open to untrusted networks. The resolver can be reached via Winbox by sending messages to the system resolver. If Winbox access from untrusted networks is enabled, an attacker from the Internet can trigger a DNS request from the router that allows the attacker to make arbitrary requests, find the router's internal address (router.lan), or find out what is already in the cache.
The manufacturer MikroTik has provided security updates for its RouterOS. The vulnerabilities (CVE-2019-3978, CVE-2019-3979) are fixed in the following RouterOS versions:
- 6.45.7 [stable]
- 6.44.6 [long-term]
- 6.46beta59 [testing]
Users with MikroTik routers should update the devices as soon as possible and deactivate Winbox if necessary.
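For administrators with several routers, the fixed versions above can be checked against an inventory, and an unexpected downgrade (the third and fourth vulnerabilities in the list) can be flagged between two snapshots. The following is an added example, not code from Tenable or MikroTik. The inventory format, hostnames and sample versions are constructed, and the code assumes that release lines after 6.46 contain the fix and that lines older than 6.44 do not.

```python
import re

# Fixed releases listed on the page, one per release line (major, minor).
FIXED = {(6, 44): "6.44.6", (6, 45): "6.45.7", (6, 46): "6.46beta59"}
PW_LIMIT = (6, 43, 0, 0)  # per the page: downgrading below v6.43 clears passwords
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+)|beta(\d+))?$")

def parse(version):
    """Return a sortable tuple; a beta sorts below the final release."""
    m = _VER.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    major, minor, patch, beta = m.groups()
    if beta is not None:
        return (int(major), int(minor), 0, int(beta))
    return (int(major), int(minor), 1, int(patch or 0))

def status(version):
    """Classify one version string as patched, vulnerable or unknown."""
    try:
        v = parse(version)
    except ValueError:
        return "unknown"
    line = v[:2]
    if line in FIXED:
        return "patched" if v >= parse(FIXED[line]) else "vulnerable"
    # Assumption: lines after 6.46 carry the fix; lines before 6.44 never got it.
    return "patched" if line > max(FIXED) else "vulnerable"

def audit(previous, current):
    """Compare two inventory snapshots {host: version} and report findings."""
    findings = {}
    for host, version in current.items():
        notes = [status(version)]
        old = previous.get(host)
        try:
            if old is not None and parse(version) < parse(old):
                notes.append("downgraded")
                if parse(old) >= PW_LIMIT > parse(version):
                    notes.append("password-reset-risk")
        except ValueError:
            pass  # an unparseable version cannot be compared
        findings[host] = notes
    return findings

# Constructed inventory snapshots (hostnames and versions are sample data).
BEFORE = {"edge-1": "6.45.6", "edge-2": "6.45.7", "lab-1": "6.46beta58", "core-1": "6.44.6"}
AFTER = {"edge-1": "6.45.7", "edge-2": "6.42.12", "lab-1": "6.46beta59", "core-1": "6.44.6"}
```

Calling `audit(BEFORE, AFTER)` marks `edge-2` as vulnerable, downgraded and at risk of a password reset, while the other three hosts come back as patched.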