posted by chromas on Friday October 12 2018, @12:32AM
from the route-666 dept.

Arthur T Knackerbracket has found the following story:

Researchers say a medium severity bug should now be rated critical because of a new hack technique that allows for remote code execution on MikroTik edge and consumer routers.

A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cryptojacking and network eavesdropping.

The hacking technique, found by Tenable Research and outlined on Sunday at DerbyCon 8.0 in Louisville, Kentucky, is tied to the existing directory traversal bug (CVE-2018-14847) found and patched in April. That vulnerability was rated medium in severity and impacted Winbox, which is a management component and a Windows GUI application for MikroTik's RouterOS software.

Tenable Research says it has found a new attack technique that exploits the same bug (CVE-2018-14847) that allows for unauthenticated remote code execution. "By exploiting the flaw, the remote attacker can get a root shell on the device as well as bypass the router's firewall, gain access to the internal network, and even load malware onto victims' systems undetected," Tenable Research said in a blog post accompanying the presentation.

The underlying flaw is tied to a Winbox Any Directory File that allows threat actors to read files that flow through the router without authentication. The new technique, found by Jacob Baines, researcher at Tenable Research, goes one step further, allowing an adversary to write files to the router. Baines also created a proof of concept of the attack outlined Sunday.

"The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_type=%d&board=%d HTTP/1.0

"Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system," he wrote.

This is as bad as it gets, Baines told Threatpost. "This bug was reported in April, but we are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door."
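The request template quoted above is the textbook shape of a stack overflow: a fixed buffer filled by sprintf() from fields the caller controls. The following C program is an added example, not MikroTik's or Tenable's code, showing the defensive form of that same step: a bounded snprintf() whose return value is checked for truncation, and a length and character whitelist applied to the text fields before they reach the formatter. The buffer size (256), the per-field limit (64) and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not MikroTik's code). The licupgr request template is the
 * one quoted in the article; the buffer and field limits are assumed. An
 * unbounded sprintf() into a fixed stack buffer overflows as soon as the
 * combined field lengths exceed the buffer; the hardened version below can
 * only ever fail closed. */

#define REQ_BUF_SIZE 256   /* assumed size of the fixed request buffer */
#define MAX_FIELD_LEN 64   /* assumed policy limit per text field       */

/* Request template as quoted in the article. */
static const char *REQ_FMT =
    "GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_type=%d&board=%d HTTP/1.0";

/* Bounded length: never reads more than limit+1 bytes, so an unterminated
 * input cannot make us scan off the end of it. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0') n++;
    return n;
}

/* Accept a text field only if it is non-empty, within the policy limit and
 * free of characters that would change the structure of the request line.
 * Returns 1 if acceptable, 0 otherwise. */
int field_is_valid(const char *s)
{
    if (s == NULL) return 0;
    size_t n = bounded_len(s, MAX_FIELD_LEN);
    if (n == 0 || n > MAX_FIELD_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c <= ' ' || c >= 0x7f || c == '&' || c == '?' || c == '=' || c == '#')
            return 0;
    }
    return 1;
}

/* Hardened formatter. snprintf() never writes past out_size bytes, and its
 * return value is the length the complete string would have had, so a
 * value >= out_size means the request was truncated. Returns the request
 * length on success, -1 on invalid input or when the request would not fit;
 * on failure the buffer is left empty so nothing half-built is sent on. */
int build_request(char *out, size_t out_size,
                  const char *user, const char *pass, const char *softid,
                  int level, int pay_type, int board)
{
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';
    if (!field_is_valid(user) || !field_is_valid(pass) || !field_is_valid(softid))
        return -1;
    int n = snprintf(out, out_size, REQ_FMT, user, pass, softid, level, pay_type, board);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[REQ_BUF_SIZE];
    char big[200];                       /* constructed over-long username */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    int ok = build_request(buf, sizeof buf, "admin", "secret", "123", 1, 0, 2);
    printf("normal request (%d bytes): %s\n", ok, buf);
    int bad = build_request(buf, sizeof buf, big, "secret", "123", 1, 0, 2);
    printf("over-long username: %d (rejected, buffer left empty)\n", bad);
    return 0;
}
```

The two checks are deliberately independent: field_is_valid() enforces the input policy at the boundary, and the truncation test in build_request() still catches the case where three fields that individually pass the limit add up to more than the buffer holds.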

Also at The Register:

Tenable's blog post noted that: "As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version," discovered through a Shodan.io search. Baines' presentation estimated that 67.8 per cent of MikroTik routers currently remain unpatched.

MikroTik patched the security cockups in RouterOS versions 6.42.7, 6.40.9, and 6.43 in late August. So, if you haven't already done so, grab and install those as soon as you can – before your router becomes someone else's router.
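A defender checking an inventory against the fixed releases named above needs a per-branch comparison, not a plain string compare (6.40.9 is fixed while 6.42.6 is not). The following C program is an added example, not MikroTik's or The Register's code. It treats 6.42.7 and later 6.42.x, 6.40.9 and later 6.40.x, and 6.43 or any later minor release as patched, and reports any other branch (for example 6.41.x, which the page does not mention) as unknown rather than guessing.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not MikroTik's code): classify a RouterOS version string
 * against the fixed releases named in the summary (6.42.7, 6.40.9, 6.43).
 * Anything the page does not cover is reported as UNKNOWN. */

enum patch_status { UNPATCHED = 0, PATCHED = 1, UNKNOWN = -1 };

/* Parse "major.minor[.patch]" into three non-negative ints.
 * A two-part version such as "6.43" parses with patch level 0.
 * Returns 1 on success, 0 if the string is not a version. */
int parse_version(const char *s, int *maj, int *min, int *pat)
{
    *maj = *min = *pat = 0;
    if (s == NULL) return 0;
    int n = sscanf(s, "%d.%d.%d", maj, min, pat);
    if (n < 2 || *maj < 0 || *min < 0 || *pat < 0) return 0;
    return 1;
}

int routeros_patch_status(const char *version)
{
    int maj, min, pat;
    if (!parse_version(version, &maj, &min, &pat)) return UNKNOWN;
    if (maj != 6) return UNKNOWN;                      /* page only covers 6.x */
    if (min >= 43) return PATCHED;                     /* 6.43 and later        */
    if (min == 42) return pat >= 7 ? PATCHED : UNPATCHED;
    if (min == 40) return pat >= 9 ? PATCHED : UNPATCHED;
    return UNKNOWN;                                    /* branch not on the page */
}

static const char *status_name(int s)
{
    return s == PATCHED ? "patched" : s == UNPATCHED ? "UNPATCHED" : "unknown";
}

int main(void)
{
    /* constructed sample inventory, not real devices */
    const char *inventory[] = { "6.42.7", "6.42.5", "6.40.9", "6.40.3", "6.43", "6.43.2", "6.41.4", "bogus" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-8s -> %s\n", inventory[i], status_name(routeros_patch_status(inventory[i])));
    return 0;
}
```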

-- submitted from IRC


  • (Score: 1, Funny) by Anonymous Coward on Friday October 12 2018, @12:35AM

    by Anonymous Coward on Friday October 12 2018, @12:35AM (#747727)

    Consumers may confuse your company name with MicroSoft, thereby damaging the latter's reputation by suggesting there may be security issues with its products.

  • (Score: 0) by Anonymous Coward on Friday October 12 2018, @12:58AM (1 child)

    by Anonymous Coward on Friday October 12 2018, @12:58AM (#747734)

    The summary sucks.

    • (Score: 3, Funny) by Gaaark on Friday October 12 2018, @02:15AM

      by Gaaark (41) on Friday October 12 2018, @02:15AM (#747755) Journal

      So does Microsoft security.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
  • (Score: 2) by KritonK on Friday October 12 2018, @08:13AM (5 children)

    by KritonK (465) on Friday October 12 2018, @08:13AM (#747818)

    The actual summary is: old, already patched Mikrotik bug is much more severe than initially thought; if you haven't already updated your router's firmware, update now!

    The real news is that it's possible for someone to check if you are running a patched or unpatched version of the firmware, and that there is a site that does this. This is much more worrying.

    • (Score: 2) by zocalo on Friday October 12 2018, @09:22AM

      by zocalo (302) on Friday October 12 2018, @09:22AM (#747831)
      Shodan.io (and several other similar sites) have been around and cluttering up firewall logs for years, although with tools like Zmap, a little scripting, and a few cheap VMs it's pretty easy for anyone with even a little skill to do their own, Internet-wide, recon for a specific vulnerability like this in a matter of hours anyway. Realistically, if you haven't already patched your router's firmware for this then it's already far too late; your router - and by implication any data traversing it and the network behind it - is already out of your control as the kiddies have been exploiting the original remote code execution and firewall bypass exploit since the scripts first hit the Darkweb in April.
      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 2) by isostatic on Friday October 12 2018, @09:59AM (3 children)

      by isostatic (365) Subscriber Badge on Friday October 12 2018, @09:59AM (#747841) Journal

      Nobody in their right mind would have their management ports open to the web anyway (or to general people on the lan)

      • (Score: 2) by zocalo on Friday October 12 2018, @02:16PM (2 children)

        by zocalo (302) on Friday October 12 2018, @02:16PM (#747898)
        True, but according to Shodan there are approx 200k users who are *not* in their right mind. Or (more likely in most cases, I suspect) are completely unaware that the clueless fscks at their ISP supplied them with a router with the admin port enabled to make it easier for the ISP - and anyone else - to gain access to the router.
        --
        UNIX? They're not even circumcised! Savages!
        • (Score: 1) by Chromium_One on Friday October 12 2018, @04:04PM (1 child)

          by Chromium_One (4574) on Friday October 12 2018, @04:04PM (#747950)

          It's always worse than you'd think. Would be interested in a followup on the Internet Census of 2012, and willing to bet there's been little improvement in general practices.

          --
          When you live in a sick society, everything you do is wrong.
          • (Score: 3, Interesting) by zocalo on Friday October 12 2018, @08:12PM

            by zocalo (302) on Friday October 12 2018, @08:12PM (#748019)
            By users/admins? I think it's highly unlikely there will have been any improvement, in fact judging by all the coverage in the media over just how much garbage there is under the IoT banner in the wake of botnets like Mirai, Satori, et al and the number of people/organizations that got burnt by WannaCry, I suspect the general level of cluelessness is a lot lower in 2018 than it was in 2012 - something my firewall logs certainly seem to confirm as the volume of portscanning is definitely much higher. Some of that is going to be attributable to higher bandwidths enabling each scanner to check a much greater number of potential victims, of course.

            However, since 2012 it does seem like there are more people willing to don a grey hat and step up to the plate where it's possible to do something about it. Mirai and its ilk had The Janit0r and "BrickerBot" [bleepingcomputer.com], and it appears that Mikrotik now has someone called Alexey [zdnet.com] trying to clean up the mess, so there's that at least.
            --
            UNIX? They're not even circumcised! Savages!
  • (Score: 0) by Anonymous Coward on Friday October 12 2018, @05:13PM

    by Anonymous Coward on Friday October 12 2018, @05:13PM (#747968)

    Dead mikrotik router here, new out of sealed anti-static bag. They won't/can't fix it. Wanted me to solder on some 402-sized parts. Waste of money. Fuck off, mikrotik!

  • (Score: 0) by Anonymous Coward on Sunday October 14 2018, @02:02PM

    by Anonymous Coward on Sunday October 14 2018, @02:02PM (#748606)

    Because this company is now dead.
