On Sunday, Tenable Research also announced it had discovered additional MikroTik RouterOS vulnerabilities.
Last month, 360 Netlab reported that 7,500 MikroTik routers were forwarding their owners’ traffic to eavesdropping cybercriminals. MikroTik routers have also been targeted by threat actors behind the malware VPNFilter, who also used CVE-2018-14847. Tenable researcher Baines said he is not aware of the technique being exploited in the wild. He said MikroTik’s patch for affected RouterOS versions 6.40.9, 6.42.7 and 6.43 stops all attack techniques associated with CVE-2018-14847.
While MikroTik patched CVE-2018-14847 in early August, a recent scan by Tenable Research revealed only approximately 30 percent of vulnerable modems have been patched, which leaves approximately 200,000 routers vulnerable to attack. MikroTik’s RouterOS powers the company’s business-grade RouterBOARD brand, as well as ISP/carrier-grade gear from the vendor. “Based on Shodan analysis, there are hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version,” Tenable Research wrote. The read version of the vulnerability is currently being exploited by a number of different campaigns. In August, it was reported 3,700 MikroTik routers were being abused in a cryptojacking campaign.
“This is as bad as it gets,” Baines told Threatpost. “This bug was reported in April, but we are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door.”
Tenable Research says it has found a new attack technique that exploits the same bug (CVE-2018-14847) that allows for unauthenticated remote code execution. “By exploiting the flaw, the remote attacker can get a root shell on the device as well as bypass the router’s firewall, gain access to the internal network, and even load malware onto victims’ systems undetected,” Tenable Research said in a blog post accompanying the presentation. The underlying flaw is tied to a Winbox Any Directory File that allows threat actors to read files that flow through the router without authentication. The new technique, found by Jacob Baines, researcher at Tenable Research, goes one step further, allowing an adversary to write files to the router. Baines also created a proof of concept of the attack outlined Sunday. “The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:” “Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,” he wrote.
That vulnerability was rated medium in severity and impacted Winbox, which is a management component and a Windows GUI application for MikroTik’s RouterOS software.
The hacking technique, found by Tenable Research and outlined on Sunday at DerbyCon 8.0 in Louisville, Kentucky, is tied to the existing directory traversal bug (CVE-2018-14847) found and patched in April.
A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cryptojacking and network eavesdropping.