Security researchers have discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers, the most critical of which would allow attackers to potentially gain full system access.
According to a blog post by Tenable Research, the flaws were discovered by security researcher Jacob Baines. He found several problems including CVE-2018-1156 -- an authenticated remote code execution (RCE) -- as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158).
Researchers said that the most critical of these vulnerabilities is the authenticated RCE, which would allow attackers to potentially gain full system access.
The most likely attack vector would see hackers using default credentials, frequently left unchanged on routers, to exploit these vulnerabilities.
"The authenticated RCE vulnerability could be exploited with default credentials, granting an attacker full system access and allowing them to divert and reroute traffic or gain access to any internal system that uses the router," said researchers.
According to analysis using the Shodan search engine, there are hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. "As of 3 October, 2018, approximately 35,000 - 40,000 devices display an updated, patched version," researchers said.
Researchers said that MikroTik routers were identified as being compromised by a Russian threat actor (APT28/Sofacy/FancyBear) in the recent VPNFilter malware campaign.
"The actual vulnerabilities being used by VPNFilter are not fully known. Reports have stated that no zero-days were used, but this vulnerability could be a valid attack vector," said researchers.
One proof of concept detailed by researchers was in the licupgr binary, which contains a sprintf call that an authenticated user can use to trigger a stack buffer overflow.
"Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system," said researchers.
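An added illustration of the bug class described above, not code from the licupgr binary or from Tenable's proof of concept: a fixed-size stack buffer filled by sprintf() from username and password strings, beside a bounded form that refuses oversized input instead of overrunning the stack. Function and buffer names are assumed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical reconstruction of the pattern: a request string built on the
 * stack from user-controlled username and password. Buffer size is assumed. */
#define REQ_BUF_SIZE 128

/* Vulnerable pattern: sprintf() never checks the destination size, so a
 * username or password longer than the space left in buf overruns the stack. */
void build_request_unsafe(char *out, const char *user, const char *pass)
{
    char buf[REQ_BUF_SIZE];
    sprintf(buf, "user=%s&pass=%s", user, pass);   /* no bound on buf */
    strcpy(out, buf);
}

/* Hardened form: snprintf() bounds the write and returns the length the full
 * output would have needed; any truncation is treated as a hard error. */
bool build_request_safe(char *out, size_t out_size,
                        const char *user, const char *pass)
{
    char buf[REQ_BUF_SIZE];
    int n = snprintf(buf, sizeof buf, "user=%s&pass=%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof buf)      /* would not have fit */
        return false;
    if ((size_t)n >= out_size)                 /* caller's buffer too small */
        return false;
    memcpy(out, buf, (size_t)n + 1);
    return true;
}

/* Benign constructed input: short credentials are formatted as expected. */
bool demo_benign(void)
{
    char out[REQ_BUF_SIZE];
    return build_request_safe(out, sizeof out, "alice", "s3cret")
        && strcmp(out, "user=alice&pass=s3cret") == 0;
}

/* Oversized constructed input: a 299-byte password is rejected, not written. */
bool demo_oversized(void)
{
    char out[REQ_BUF_SIZE];
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_request_safe(out, sizeof out, "alice", big);
}
```

Only the bounded version is exercised with the long password; calling the sprintf version with it would corrupt the stack, which is exactly the condition the fix removes.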
Since the disclosure of the bugs, MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 to address these vulnerabilities. Users were urged to change the default credentials wherever possible.
Jake Moore, cybersecurity expert from ESET UK, told SC Media UK that hackers will always look for a way to get access to the router.
"This research is typical of what they are attempting on a daily basis so router manufacturers need to put in multiple layers of security by design to better protect their products and users. Most people never change their routers' default admin password," he said.
Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that manufacturers should ensure that each out-of-the-box router has unique authentication credentials, as this guarantees that even if they're plugged into the infrastructure with minimum configuration, they're still immune to brute-force attacks or default credential use.
"Considering that routers are internet gateways for all devices connected to it, securing them with strong authentication credentials should be the first step towards increasing their resilience towards cyber-criminals," he said.