Experts discovered remotely exploitable buffer overflow vulnerability in MikroTik RouterOS
19.3.2018 securityaffairs APT
Security experts at Core Security have disclosed the details of a buffer overflow vulnerability that affects MikroTik RouterOS in versions prior to the latest 6.41.3.
MikroTik is a Latvian vendor that produce routers used by many telco companies worldwide that run RouterOS Linux-based operating system.

The vulnerability, tracked as CVE-2018-7445, could be exploited by a remote attacker with access to the service to execute arbitrary code on the system.

“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.” reads the advisory published by the company.

“The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.”

The researchers published a proof of concept exploit code that works with MikroTik’s x86 Cloud Hosted Router.

Core first reported the flaw to MikroTik on February 19, 2018. MikroTik planned to release a fix in the next release on March 1, 2018 and asked Core to do not reveal the details of the flaw. Even if MikroTik was not able to issue a fix for the estimated deadline 2018, Core waited for the release of the new version the occurred on Monday, March 12, 2018.

In case it is not possible to install an update, MikroTik suggested disabling SMB.

A few days ago, security experts at Kaspersky Lab announced to have spotted a new sophisticated APT group that has been operating under the radar at lease since at least 2012. Kaspersky tracked the group and identified a strain of malware it used, dubbed Slingshot, to compromise systems of hundreds of thousands of victims in the Middle East and Africa.

The researchers have seen around 100 victims of Slingshot and detected its modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

Kenya and Yemen account for the largest number of infections to date. Most of the victims are individuals rather than organizations, the number of government organizations is limited.

The APT group exploited zero-day vulnerabilities (CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.) in routers used by the Latvian network hardware provider Mikrotik to drop a spyware into victims’ computers.
The attackers first compromise the router, then replace one of its DDLs with a malicious one from the file-system, the library is loads in the target’s computer memory when the user runs the Winbox Loader software, a management suite for Mikrotik routers.

The DLL file runs on the victim’s machine and connects to a remote server to download the final payload, the Slingshot malware in the attacks monitored by Kaspersky.

It is not clear if the Slingshot gang also exploited the CVE-2018-7445 vulnerability to compromise the routers.

Now that a proof of concept exploit for vulnerability CVE-2018-7445 is available online customers need to upgrade RouterOS to version 6.41.3 to avoid problems.