News Stay informed about the latest enterprise technology news and product updates.

Patched MikroTik router vulnerability worse than initially thought

Tenable Research finds new exploits of an already patched MikroTik router vulnerability that could enable hackers to launch remote code execution attacks.

A known MikroTik router vulnerability could be significantly more dangerous than previously believed.

In September, researchers at Qihoo 360 Netlab reported that a MikroTik router vulnerability, tracked as CVE-2018-14847, enabled hackers to infect more than 7,500 routers with malware. The malware logged and transmitted network traffic information to servers under the hackers' control. The vulnerability, initially rated medium severity, was disclosed in the Vault 7 leaks of alleged CIA hacking tools and was patched in April 2018.

Now, researchers at Tenable Research say the MikroTik router vulnerability should be rated critical severity because of a new technique that could further exploit targeted routers. Tenable Research presented the new hacking technique at the DerbyCon 8.0 security conference in Louisville, Ky., earlier this week and said it could enable hackers to perform remote code execution (RCE) attacks on the vulnerable MikroTik routers.

"The authenticated RCE vulnerability could be exploited with default credentials, granting an attacker full system access and allowing them to divert and reroute traffic or gain access to any internal system that uses the router," Tenable Research explained in a blog post.

Because default credentials are often left unchanged on hardware such as routers, attackers could take advantage of this MikroTik router vulnerability and exploit it on a wide scale.

"Based on Shodan analysis, there are hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India," Tenable Research explained. "As of October 3, 2018, approximately 35,000 - 40,000 devices display an updated, patched version."

Tenable Research discovered several other vulnerabilities in RouterOS, the operating system used on MikroTik routers. They include CVE-2018-1156, which could enable another authenticated RCE attack; CVE-2018-1157, which enables file upload memory exhaustion; CVE-2018-1159, which enables a memory corruption attack against the MikroTik router web server; and CVE-2018-1158, which enables recursive parsing stack exhaustion.

In response to Tenable Research's findings, MikroTik posted a statement on its blog saying that the issues had been fixed.

"The issues only affect authenticated users, meaning, to exploit them, there must be a known username and password on the device," MikroTik said. "Your data, access to the system and configuration are not under risk."

MikroTik fixed all of the vulnerabilities disclosed by Tenable Research by updating RouterOS to versions 6.42.7, 6.40.9 and 6.43.

There have not been any reported exploits of the MikroTik router vulnerability in the wild.

Dig Deeper on Network device security: Appliances, firewalls and switches

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Are you concerned about the security issues with MikroTik routers? Why or why not?
So, just an update, after my Mikrotik RB750 had been hacked and was mining Monero Crypto, with the login details not ever being default as well as most ports being closed, i did what MIKROTIK suggested before and after applying the new FW. I even did the same for the development branch of the FW to hopefully resolve issues.

So i reset to default, turned off all remote management other than what was needed and changed PW's for logins. Did it fix the issues, NO, did it stop the mining, NO, is the router still therefore HACKED and open to any other bad future exploits... YES.

Mikrotik lies to its clients, why? 
Possibly, Mikrotik needs to recall the devices, as a safety concern issue. This problem and the amount of HACKED devices, could destroy many peoples lives and futures, as well as many businesses, and MIKROTIK therefore should also be liable since there are numerous replies on even the MIKROTIK forums, stating the "fixes" have not helped.