Tenable Research : New router vulns expose half a million+ public-facing targets

Tenable, Inc., the Cyber Exposure company, published details of multiple vulnerabilities it found in MikroTik RouterOS, with an estimated half a million vulnerable public-facing targets.

CVE-2019-3976 : Relative Path Traversal in NPK Parsing

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package’s name field. If an authenticated user installs a malicious package then a directory could be created and the developer shell could be enabled.

CVE-2019-3977 : Insufficient Validation of Upgrade Package’s Origin

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into “upgrading” to an older version of RouterOS and possibly resetting all the system’s usernames and passwords.

CVE-2019-3978: Insufficient Protections of a Critical Resource (DNS Requests/Cache)

RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker’s choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.

CVE-2019-3979: Improper DNS Response Handling

RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulnerable to a DNS unrelated data attack. The router adds all A records to its DNS cache even when the records are unrelated to the domain that was queried. Therefore, a remote attacker controlled DNS server can poison the router’s DNS cache via malicious responses with additional and untrue records.

By chaining these disclosed vulnerabilities (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, and CVE-2019-3979) together, an unauthenticated remote attacker could gain root access on the system, downgrade the router’s OS, reset the system passwords and potentially gain a root shell.

Mikrotik has issued a patch to fix these vulnerabilities and users are urged to upgrade to version 6.45.7 Stable or 6.44.6 Long-term or newer.