CIA exploits against Mikrotik hardware

Wikileaks just released some CIA documents, and there appears to be a working exploit against Mikrotik HTTPD, allowing full device compromise.

https://wikileaks.org/ciav7p1/cms/page_16384604.html

https://wikileaks.org/ciav7p1/cms/page_16384512.html

https://wikileaks.org/ciav7p1/cms/page_28049422.html

Looks like a POST exploit:

Saw this today, ugh.

Mikrotik would be wise to reach out to WikiLeaks and try to get a copy of the exploit before they make the source public.

I suppose the smartest thing to do is to block HTTP/HTTPS in the meantime.

General information about the “operation”, https://wikileaks.org/ciav7p1/index.html
“CIA malware targets Windows, OSx, Linux, routers”

Well, nothing digital is secure when it has access to the internet.

For the record, this is exactly why I brought up weak keys and future crypto in 2014. APTs are targeting this platform and if you’re valuable enough, they’ll expend the necessary resources.

This is also why the minimum amount of services should be enabled in your network. As a precaution I always remove unnecessary packages and disable all services except SSH and winbox, firewalled to authorized IPs. Winbox does scare me a bit due to the proprietary protocol and I wouldn’t be surprised if an exploit were found there too.

HTTPD of all things being the exploit entry point is quite surprising. Did Mikrotik write their own webserver implementation, or is it a bug in one of the modules it accesses (of which there should be very few without authentication!)?

Not to me. It is actually quite common for http servers, both generic and custom-made, to be full of bugs.
This is also usually the exploit against other routers, cameras, etc.

I’m sure something well-tested like lighttpd could be used as the HTTPD. The problem most likely lies in external CGI scripts etc called by the HTTPD as is usually the case with HTTP based exploits.

This might be interesting reading:

yeah - scary

they use ports 8291 and 80 to implant the payload –

Often the bugs are also in authentication, parameter parsing, maximal length of parameters, small integers that are used as an index into an array, etc. Routers often use a simple http server that does not perform very rigid checking before using values.

We are looking into this and will post a more detailed response in a few hours. We will do everything we can to close any weaknesses if there are any. As always, please try to keep the default firewall on, change or close ports and employ secondary security measures such as port knocking to make sure your device is only accessible by yourself. Currently it seems that no tools have been released and the default firewall prevents any unauthorised access. Will update as soon as I know more.

https://www.wired.com/2017/03/wikileaks-cia-hacks-dump/
http://www.independent.co.uk/life-style/gadgets-and-tech/news/wikileaks-cia-what-are-they-explained-vault-7-year-zero-julian-assange-secrets-a7616826.html

Thanks Normis.
Look forward to the detailed response..
Cheers

After reviewing a number of the documents since being made aware of them this morning, this leads me to believe that, at this time, the exploits listed are only possible with access to services on the router, i.e. you should not be vulnerable if you keep your administration services firewalled.

Operator Notes
ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed.

From: https://wikileaks.org/ciav7p1/cms/page_20250869.html

Normis, we all look forward to Mikrotik’s response.

With well over 200 routers in our customers’ possession, this is concerning to us to say the least.

Question: Is there a www package upgrade we could lay on top, along with normal /ip service changes, to lock down our routers?

Thanks for your efforts in mitigating this problem.

As others have said, there’s probably no reason to panic if access to the admin interface is itself properly restricted.

But this is definitely a serious problem that needs to be dealt with, especially since it looks like info on this vulnerability has been in circulation outside the US government:

The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

https://wikileaks.org/ciav7p1/

The good news is twofold: the CIA considered Mikrotik to be enough of a challenge that they put a bunch of MT devices in their lab to hack on; and they apparently only came up with just this one exploit. Mikrotik’s employees should be proud, seriously.

Yup. Keep administrative functions OFF the Internet, and you’ll be fine…

You should make sure that the management services on these routers (ftp, telnet, ssh, www, winbox) are only accessible to the persons that require this access. Depending on your company policy, this may be the customer, your network management personnel, or both. But certainly not “the entire internet”.

You can do this by defining firewall rules and/or by specifying authorized networks in the settings of the services.

Of course these best-practice measures only help against bugs in the services, not against bugs in the kernel or firewall code.
It is always best to apply as many countermeasures as possible/available:

  • disable unneeded services (you might not need www or winbox)
  • restrict services to authorized networks in the config
  • firewall access from internet to management services (drop new traffic from internet)
  • keep firmware reasonably up to date, there may be security bug fixes (but this is no holy grail, new firmware may also introduce new vulnerabilities)
  • monitor

When you are fully managing your client’s routers, you could, for example, set logging to some syslog server inside your network so you have an event log, and you could run a syslog server with some monitoring for unexpected messages.
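One way to apply the measures listed in this post on a RouterOS device, written out as an added example rather than configuration taken from the thread or from Mikrotik. The management network 192.168.88.0/24, the syslog host 192.168.88.10 and the WAN interface name ether1 are assumed values; replace them with your own before using it.

```routeros
# Added example; assumed values: management LAN 192.168.88.0/24,
# syslog collector 192.168.88.10, WAN uplink on ether1.

# 1. Disable services that are not needed. www is the service named in the
#    leaked documents; only ssh and winbox are kept here.
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable www-ssl
/ip service disable api
/ip service disable api-ssl

# 2. Restrict the remaining services to the management network.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 3. Firewall the input chain: accept return traffic and the management
#    network, then drop every new connection arriving on the WAN interface.
#    Rule order matters; these rules are appended in this sequence.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="allow return traffic"
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept comment="allow management network"
/ip firewall filter add chain=input in-interface=ether1 connection-state=new action=drop comment="drop new traffic from WAN"

# 4. Send the event log to a syslog server on the management network so
#    login failures and other events are kept off the box.
/system logging action add name=remote-syslog target=remote remote=192.168.88.10 remote-port=514
/system logging add topics=info action=remote-syslog
/system logging add topics=warning action=remote-syslog
/system logging add topics=error action=remote-syslog
/system logging add topics=critical action=remote-syslog

# 5. Check whether a newer RouterOS package is available; review the
#    changelog before upgrading.
/system package update check-for-updates
```

Paste this into the terminal or import it as a script. When applying it to a remote router, connect from the management network (or enter Safe Mode first) so that a mistake in the firewall rules does not lock you out of the device.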

Even though a regular firewall (the default config, in fact) will protect you against the CIA malware, this is an excellent guide to follow for any public RouterOS device: https://www.manitonetworks.com/mikrotik/2016/5/24/mikrotik-router-hardening

Official statement: http://forum.mikrotik.com/t/statement-on-vault-7-document-release/106907/1