A vulnerability exists in MikroTik's RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered February and disclosed by Core Security on Thursday.
MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.
The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it.
Remotely Exploitable Vulnerability Discovered in MikroTik's RouterOS
The vulnerability exists because the first byte of the source buffer is read and used as the size for the copy operation to the destination buffer -- but ultimately, no validation is performed to ensure that the data fits into the destination buffer, potentially allowing a stack overflow.
Core's vulnerability advisory includes a proof of concept exploit against MikroTik's x86 Cloud Hosted Router. The function is reached by sending a NetBIOS session request message. Data execution prevention (DEP) is bypassed with a return-oriented programming (ROP) chain that calls 'mprotect' to mark a memory region as both writable and executable. Address space layout randomization (ASLR) can be neutralized because the base address of the heap is not randomized. This allows a payload on the heap to jump to a fixed location.
"Our testing," says Core's advisory, "showed this approach to be extremely reliable." The reserved CVE number is CVE-2018-7445.
Core sent its initial vulnerability notice to MikroTik on February 19, 2018. On the same day, Core noticed the flaw was already scheduled for a fix by MikroTik in a new software release candidate. Core asked for a coordinated publication of the new version and its own advisory. It proposed March 1, 2018, which was confirmed by MikroTik. MikroTik then asked for an extension to Thursday, March 8, 2018, and then told Core it still wouldn't be ready.
On Monday, March 12, 2018, it released the new version. It did not inform Core, and there is no apparent mention of the flaw or the fix in its new version announcement to customers -- but it subsequently confirmed that the flaw has been fixed. MikroTik's advice for customers that cannot upgrade is that they should turn off SMB.
Last week, Kaspersky Lab released a report on a hacking group it calls Slingshot. It has identified around 100 victims. The attackers gain access by first getting control of MikroTik routers, and using that position to download DLL files to the target computer via MikroTik's Winbox management tool.
It is not clear at this point whether the Slingshot group gained access to the MikroTik routers using the CVE-2018-7445 vulnerability, but it is tempting to think so. Kaspersky Lab informed the company about its research prior to its own publication.
While the router vulnerability would be the first stage of the attack, the second stage would be the use of Winbox to get the malicious downloads. MikroTik claims on its support forum that Winbox is secure. In a thread started by a customer disturbed at learning about Slingshot from reports in the media rather than from MikroTik, MikroTik responded, "There is NO insecure Winbox v3. Winbox v3 was released in 2014. Even if somebody was using a really old Winbox v2, they still had to have an unsecured RouterOS device so that somebody could compromise it (firewall had to be removed). This is why they found only 120 affected machines since 2012."
The bottom line is that MikroTik is quick fix to issues it knows about, but prefers to maintain a low profile over those problems. The danger here is that existing customers might not be aware of the issues, and be in no hurry to upgrade. MikroTik customers should be aware that a proven proof of concept exploit for vulnerability CVE-2018-7445 is in the public domain, and the 'patch' for this exploit is to upgrade RouterOS to version 6.41.3