The company says there is little more it can do to push firmware upgrades beyond ‘knocking on doors’

The majority of consumer and enterprise routers produced by MikroTik are at risk of device hijacking and remote DNS cache poisoning, a security researcher has warned.

This is despite the release of a batch of security updates last month for the issues impacting MikroTik RouterOS 6.45.6 and below.

The security flaws include unauthenticated remote DNS cache poisoning via Winbox even when DNS is not enabled.

An insufficient package validation issue also affects the RouterOS packaging and upgrade systems, potentially exposing them to man-in-the-middle (MitM) attacks.

According to the hardware manufacturer, “an attacker can abuse these vulnerabilities to downgrade a router’s installed RouterOS version, possibly lock the user out of the system, [and] possibly disable the system.”

The vulnerabilities have been tracked as CVE-2019-3978, CVE-2019-3979, CVE-2019-3976, and CVE-2019-3977.

What’s the point of a patch?

After being reported by Tenable researchers on September 11, MikroTik developed fixes and released RouterOS version 6.45.7 Stable and 6.44.6 Long-term on October 28 to resolve the security flaws.

However, Jacob Baines, a reverse engineer at Tenable, says that roughly 85% of consumer and enterprise-grade routers remain unpatched.

In a blog post published late last week (December 12), Baines said he performed a search on Shodan to examine the progress made by administrators to patch vulnerable routers.

While a preliminary search on Shodan only revealed 10 vulnerable devices, the researcher wrote his own scanner to find 578,456 MikroTik routers with port 8291 open – MikroTik recommends that this port is kept closed.

By querying this port alone, Baines was able to extract OS version data from the routers he found, showing that only 15% had been upgraded more than a month after the patch release.
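As an added defender-side example (not code from the article, Tenable or MikroTik), the following classifies RouterOS version strings from a fleet inventory against the two fixed releases named above and reports the patched share. The rule that the 6.44 Long-term branch counts as fixed from 6.44.6 onward, and the sample inventory itself, are assumptions.

```python
import re
from typing import Iterable, Tuple

# Fixed releases named in the article (released 28 October 2019).
FIXED_STABLE = (6, 45, 7)     # RouterOS 6.45.7 Stable
FIXED_LONGTERM = (6, 44, 6)   # RouterOS 6.44.6 Long-term

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a RouterOS version such as '6.45.6' or '6.44' into a tuple.
    Trailing channel labels like ' (stable)' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version: str) -> bool:
    """True if the version carries the October 2019 fixes.
    Assumption (not stated by the article): releases on the 6.44 branch are
    compared against 6.44.6 Long-term; every other release against 6.45.7."""
    v = parse_version(version)
    if v[:2] == FIXED_LONGTERM[:2]:
        return v >= FIXED_LONGTERM
    return v >= FIXED_STABLE


def patched_fraction(versions: Iterable[str]) -> float:
    """Share of an inventory that is on a fixed release (0.0 for an empty list)."""
    vs = list(versions)
    if not vs:
        return 0.0
    return sum(is_patched(v) for v in vs) / len(vs)


# Constructed sample inventory, not real scan data.
SAMPLE_INVENTORY = ["6.45.6", "6.45.7", "6.44.6", "6.44.5", "6.43.16",
                    "6.46", "6.45.7 (stable)", "6.40.9", "6.42.12", "6.44.3"]

if __name__ == "__main__":
    for v in SAMPLE_INVENTORY:
        print(f"{v:18} {'patched' if is_patched(v) else 'needs upgrade'}")
    print(f"patched share: {patched_fraction(SAMPLE_INVENTORY):.0%}")
```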

Tenable has already spotted attack attempts targeting these vulnerabilities hitting honeypot systems. A Shodan search on a limited sample suggests that 9 out of 10 unpatched open routers are enterprise-grade.

Speaking to The Daily Swig, Baines said that ten months after the discovery of a previous vulnerability by Tenable, CVE-2019-3924, less than 50% of routers have been upgraded. He estimates it will take a year before reaching “50 - 60% [of] patch application against our latest set of vulnerabilities.”

“On the other hand, it’s hard to say exactly what the overall patch application for all MikroTik routers is,” the researcher added.

“Our scan could only pick up routers whose port 8291 was open to the Internet [...] there are many more MikroTik routers out there that we simply don’t have access to and therefore can’t count.”

MikroTik told The Daily Swig that customers were informed online and via email, in user conferences, and through both social media and app push notifications.

“Apart from knocking on doors and helping people do the upgrade, there is not much else we could have done,” the company said.

Baines, who gave MikroTik credit for its patch release, may have some ideas.

“I do have two suggestions: Automatic RouterOS upgrade should be a feature and it should be enabled by default. This feature wouldn’t be desirable for a significant chunk of their user base, but they could simply disable it; and that the system ships with a default user and blank password. That should be eliminated.”
