Four vulnerabilities in MikroTik routers could lead to a backdoor

Tenable specialists discovered four vulnerabilities in MikroTik routers which, used together, allow an attacker to downgrade RouterOS and plant a backdoor.

On September 11, 2019, MikroTik specialists discovered and closed two vulnerabilities (CVE-2019-3976 and CVE-2019-3977). They closed two more on September 13, 2019 (CVE-2019-3978 and CVE-2019-3979).

On their blog, researchers describe a potential attack as follows.

The first step is DNS cache poisoning. Since the DNS server through which the router's requests are resolved can be specified, injecting a forged address into the router's cache becomes a trivial task.

The next step in the attack is to downgrade RouterOS to 6.42.12 or earlier. The reason is that password handling changed in version 6.43. As a result, downgrading to any version earlier than 6.43 (6.42.12 and older) deletes all user passwords and allows authentication without a password.


Using a malicious DNS server, an attacker could inject a number of IP addresses into the router's cache, including the address from which updates are downloaded. When the device checks for an update, it goes to the attacker's site instead of the real MikroTik resource. This malicious site can then serve the router an earlier version of the software which RouterOS, deceived by the forged response, treats as the latest.

“When the user installs a ‘new update’, the usual logic is circumvented, which prohibits the transition to earlier versions through the update, and switches to RouterOS 6.41.4. Since we managed to roll back RouterOS from version 6.45.6 until 6.41.4, we were able to get an empty administrator password. That is, an attacker can log in as an administrator,” experts explain.

The researchers chose version 6.41.4 because it contains known vulnerabilities that could be used to create a full-fledged backdoor in the system.

The point is how MikroTik processes .NPK package files during updates: the way it parses the “part info” field allows a directory to be created anywhere on the disk.

“The backdoor support file for 6.41.4 is just /pckg/option. As long as the file exists, even in the form of a directory, the backdoor will work,” the researchers explain.

Solution:

The vulnerabilities described above were fixed by MikroTik in the new version, RouterOS 6.45.7.
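As an added illustration, not code from Tenable or MikroTik, the following Python sketch of a defender-side update guard encodes the version boundaries the article gives: an update must never move to an older version, anything older than 6.43 clears user passwords, and anything older than 6.45.7 lacks the fix for these four CVEs. The version strings, the `check_update` function and its verdict type are hypothetical.

```python
from dataclasses import dataclass, field

# Version boundaries taken from the article (RouterOS version tuples).
PASSWORD_RESET_BELOW = (6, 43, 0)   # downgrading below 6.43 deletes all user passwords
FIXED_IN = (6, 45, 7)               # MikroTik shipped the fix for the four CVEs in 6.45.7


def parse_version(text: str) -> tuple:
    """Turn a RouterOS version string such as '6.42.12' or '6.45' into a comparable tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # pad '6.45' to (6, 45, 0) so tuples compare cleanly
        nums.append(0)
    return tuple(nums)


@dataclass
class UpdateVerdict:
    """Result of the guard: accept the package or list why it must be refused (hypothetical type)."""
    allowed: bool
    reasons: list = field(default_factory=list)


def check_update(running: str, offered: str) -> UpdateVerdict:
    """Decide whether a package offered as an 'update' should be installed on a router
    currently running `running`. This is the check the attack in the article bypasses."""
    cur = parse_version(running)
    new = parse_version(offered)
    reasons = []
    if new < cur:
        reasons.append(f"downgrade {running} -> {offered}: updates must not move backwards")
    if new < PASSWORD_RESET_BELOW:
        reasons.append(f"{offered} is older than 6.43: installing it clears all user passwords")
    if new < FIXED_IN:
        reasons.append(f"{offered} predates 6.45.7 and lacks the fix for CVE-2019-3976..3979")
    return UpdateVerdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: the rollback described in the article, 6.45.6 -> 6.41.4
    verdict = check_update("6.45.6", "6.41.4")
    for reason in verdict.reasons:
        print("refused:", reason)
```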
