A chain of vulnerabilities in MikroTik routers could allow an attacker to gain a backdoor. The chain starts with DNS poisoning, goes on to downgrading the installed version of MikroTik’s RouterOS software, and ends with enabling a backdoor.
Tenable found the vulnerabilities and disclosed two to MikroTik on September 11, 2019 (CVE-2019-3976 and CVE-2019-3977) and two more on September 13, 2019 (CVE-2019-3978 and CVE-2019-3979). It said, “By chaining these vulnerabilities, an unauthenticated remote attacker with access to port 8291 on the router, can perform a RouterOS downgrade, reset the system passwords, and potentially gain a root shell.” MikroTik released patches on October 28, 2019.
The first stage is DNS cache poisoning. The default setting for the DNS server is disabled, but the router still maintains its own DNS cache. DNS lookups are handled by a ‘resolver’ binary, which is hooked into the RouterOS’s Winbox protocol. Messages sent to the Winbox port can be sent to different binaries, including resolver. Three available commands can allow an unauthenticated remote user to make DNS requests through the router to a DNS server of their own choice.
“Since we can specify the DNS server the request should go through, it’s trivial to inject bad addresses,” writes a Tenable researcher in a blog post describing the vulnerabilities.
The next step in the chain is to downgrade the software to version 6.42.12 or earlier. From version 6.43, MikroTik password handling changed. The relevant changelog states, “downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication.”
However, using a customized malicious DNS server, an attacker can inject a range of malicious IP addresses into the router’s cache, including the download address. When the router looks for an upgrade, it goes to the attacker’s site rather than the genuine MikroTik download site. This malicious site can be used to provide the earlier version that RouterOS is tricked into believing is the latest version.
“When the user installs the ‘new update’,” says the researcher, “they’ll bypass the normal logic that forbids downgrade via update and switch over to RouterOS 6.41.4… Since we tricked RouterOS to downgrade from 6.45.6 all the way down to 6.41.4, the admin user’s default empty password is back. That means the attacker can log in as the admin user.”
V6.41.4 was chosen by the researcher because it has known vulnerabilities “that enable a backdoor on the system. Using those vulnerabilities I can get a full busybox shell,” said the researcher. However, it isn’t necessary to use an old exploit. Tenable found another vulnerability in the package installation that allowed an attacker to create arbitrary directories on the system.
The way MikroTik handles its .NPK files during updates (it stops computing the package’s SHA-1 once it hits the signature section) means it will parse an appended ‘part info’ field. This can be used to create a directory anywhere on disk. “The backdoor enablement file for 6.41.4,” says the researcher, “is simply /pckg/option. As long as that file exists, even as a directory, the backdoor is enabled.”
These vulnerabilities were fixed by MikroTik in new version 6.45.7, released on September 10, 2019 (well within the 90-days responsible disclosure period set by Tenable). With the attack methodology now made public, it is important for all MikroTik users to upgrade to the latest version (while making sure, of course, that they are not being covertly downgraded to an earlier password-less version).
But it is also worth noting the Tenable researcher’s final comment: “I happen to very much like RouterOS and the features it offers, but, at this point, Winbox seems somewhat of a liability. I suggest disabling it and using SSH instead. Unfortunately, last I looked, there are more than half a million Winbox instances facing the internet.”
Related: Remotely Exploitable Vulnerability Discovered in MikroTik’s RouterOS
Related: MikroTik Routers Exploited in Massive Crypto-Mining Campaign
Related: Tenable Updates Free Vulnerability Assessment Solution
Related: Tenable Adds ‘Predictive Prioritization’ to Vulnerability Management Offering
