Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

MikroTik Router Vulnerabilities Can Lead to Backdoor Creation

A chain of vulnerabilities in MikroTik routers could allow an attacker to gain a backdoor. The chain starts with DNS poisoning, goes on to downgrading the installed version of MikroTik’s RouterOS software, and ends with enabling a backdoor.

A chain of vulnerabilities in MikroTik routers could allow an attacker to gain a backdoor. The chain starts with DNS poisoning, goes on to downgrading the installed version of MikroTik’s RouterOS software, and ends with enabling a backdoor.

Tenable found the vulnerabilities and disclosed two to MikroTik on September 11, 2019 (CVE-2019-3976 and CVE-2019-3977) and two more on September 13, 2019 (CVE-2019-3978 and CVE-2019-3979). It said, “By chaining these vulnerabilities, an unauthenticated remote attacker with access to port 8291 on the router, can perform a RouterOS downgrade, reset the system passwords, and potentially gain a root shell.” MikroTik released patches on October 28, 2019.

The first stage is DNS cache poisoning. The default setting for the DNS server is disabled, but the router still maintains its own DNS cache. DNS lookups are handled by a ‘resolver’ binary, which is hooked into the RouterOS’s Winbox protocol. Messages sent to the Winbox port can be sent to different binaries, including resolver. Three available commands can allow an unauthenticated remote user to make DNS requests through the router to a DNS server of their own choice.

“Since we can specify the DNS server the request should go through, it’s trivial to inject bad addresses,” writes a Tenable researcher in a blog post describing the vulnerabilities. 

The next step in the chain is to downgrade the software to version 6.42.12 or earlier. From version 6.43, MikroTik password handling changed. The relevant changelog states, “downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication.”

However, using a customized malicious DNS server, an attacker can inject a range of malicious IP addresses into the router’s cache, including the download address. When the router looks for an upgrade, it goes to the attacker’s site rather than the genuine MikroTik download site. This malicious site can be used to provide the earlier version that RouterOS is tricked into believing is the latest version.

“When the user installs the ‘new update’,” says the researcher, “they’ll bypass the normal logic that forbids downgrade via update and switch over to RouterOS 6.41.4… Since we tricked RouterOS to downgrade from 6.45.6 all the way down to 6.41.4, the admin user’s default empty password is back. That means the attacker can log in as the admin user.”

V6.41.4 was chosen by the researcher because it has known vulnerabilities “that enable a backdoor on the system. Using those vulnerabilities I can get a full busybox shell,” said the researcher. However, it isn’t necessary to use an old exploit. Tenable found another vulnerability in the package installation that allowed an attacker to create arbitrary directories on the system.

The way MikroTik handles its .NPK files during updates (it stops computing the package’s SHA-1 once it hits the signature section) means it will parse an appended ‘part info’ field. This can be used to create a directory anywhere on disk. “The backdoor enablement file for 6.41.4,” says the researcher, “is simply /pckg/option. As long as that file exists, even as a directory, the backdoor is enabled.”

These vulnerabilities were fixed by MikroTik in new version 6.45.7, released on September 10, 2019 (well within the 90-days responsible disclosure period set by Tenable). With the attack methodology now made public, it is important for all MikroTik users to upgrade to the latest version (while making sure, of course, that they are not being covertly downgraded to an earlier password-less version).

But it is also worth noting the Tenable researcher’s final comment: “I happen to very much like RouterOS and the features it offers, but, at this point, Winbox seems somewhat of a liability. I suggest disabling it and using SSH instead. Unfortunately, last I looked, there are more than half a million Winbox instances facing the internet.”

Related: Remotely Exploitable Vulnerability Discovered in MikroTik’s RouterOS 

Related: MikroTik Routers Exploited in Massive Crypto-Mining Campaign 

Related: Tenable Updates Free Vulnerability Assessment Solution 

Related: Tenable Adds ‘Predictive Prioritization’ to Vulnerability Management Offering

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).