MikroTik fixed a problem in 6.41.3/6.42rc27 with SMB which was a vulnerability, and the question is how serious it is and if it is also fixed in the bugfix version?
Current advice is to switch off SMB if you have it active.
MikroTik closed serious security vulnerability in router software
Friday, March 16, 2018, 2:58 PM by Editors, 1 comment
Router manufacturer MikroTik has released a security update that addresses a serious vulnerability in the RouterOS router software. The vulnerability could allow a remote attacker to take over vulnerable routers remotely if the SMB service is accessible.
RouterOS is the operating system that runs on the MikroTik routers. An attacker could, by sending a specially crafted NetBIOS packet, abuse a vulnerability in the SMB service and execute arbitrary code on the system. It is not necessary for the attacker to authenticate first. However, the SMB service must be enabled and accessible.
The vulnerability was reported to MikroTik by security company Core Security on 19 February and resolved in RouterOS version 6.41.3 on 12 March. Core Security then released the details of the vulnerability. Users are advised to update to the latest version or disable the SMB service. Last week MikroTik was also in the news due to a spying attack in which attackers had used hacked MikroTik routers to infect targets with malware.
I am 100% sure I did not see any “vulnerability fixes” in the changelog for 6.41.3? In fact, MikroTik stated that you do NOT HAVE TO upgrade to this version if you do not want to?
The advice from MikroTik is to disable SMB if used, when not using the patched firmware.
I can’t remember if this advice was also stated by MikroTik in this forum.
Patch/bug fix:
smb - improved NetBIOS name handling and stability
I don’t understand how that changelog entry wasn’t clear enough for everyone! Just kidding, of course.
I understand that it’s not the #1 priority. SMB is disabled by default, and even if you enable it, the default firewall prevents access from the internet. It could be much worse. So it’s OK if the info is not on every page in big red letters. On the other hand, details about it (including that it’s an exploitable vulnerability) being available only elsewhere and not here is something that could be improved.
This appears to be yet another custom daemon from MikroTik with remotely exploitable bugs (now a total of three: ssh, http and smb with vulnerabilities). Wonder how many more are lurking in the depths waiting to be found, or are already sold to attackers. There’s a reason why many routers use existing well-tested code instead of writing their own; there’s some serious NIH syndrome going on over at MikroTik (to avoid the GPL?).
“The first byte of the source buffer is read and used as the size for the copy operation. The function then copies that amount of bytes into the destination buffer. No validation is done to ensure that the data fits on the destination buffer, resulting in a stack overflow.”
This is really low hanging fruit security-wise, unchecked buffer copies should not be happening in 2018. Bugs like this really shake my confidence in RouterOS. The announcement / disclosure was exceptionally bad as well, putting it in the changelog as “improved NetBIOS name handling and stability” when it’s a complete remote exploit is shameful. There really needs to be better disclosure for security vulnerabilities, people shouldn’t have to find out about them through the forum.
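The bug class in the quoted advisory text, as an added C illustration that is not RouterOS code and not Core Security's proof of concept: a reconstruction of a NetBIOS name decoder that trusts the packet's own length byte, beside a hardened version that validates it. The packet layout is assumed from RFC 1001/1002 first-level encoding (a length byte of 0x20 followed by 32 bytes in the range 'A'..'P', two per decoded byte); nothing here is taken from the RouterOS binary, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustration only, not RouterOS code. Layout assumed from RFC 1001/1002:
 * a 16-byte NetBIOS name (15 chars + 1 suffix byte) travels "first-level
 * encoded" as one length byte (always 0x20 = 32) followed by 32 bytes, each
 * nibble of the name sent as the character 'A' + nibble. */

#define NB_NAME_LEN     16
#define NB_ENCODED_LEN  32

/* VULNERABLE pattern, matching the advisory quote: the first byte of the
 * source buffer is read and used as the size of the copy into a fixed stack
 * buffer, with no validation. A length byte of 0xFF copies 255 bytes into a
 * 32-byte stack buffer. Never feed this untrusted input. */
int nb_decode_name_unsafe(const uint8_t *pkt, size_t pktlen, char *name_out)
{
    uint8_t encoded[NB_ENCODED_LEN];
    size_t len = pkt[0];               /* attacker-controlled */
    (void)pktlen;                      /* the real packet size is never consulted */
    memcpy(encoded, pkt + 1, len);     /* stack overflow when len > 32 */
    for (size_t i = 0; i < NB_NAME_LEN; i++)
        name_out[i] = (char)(((encoded[2 * i] - 'A') << 4) | (encoded[2 * i + 1] - 'A'));
    return 0;
}

/* HARDENED version: the length byte is checked against the protocol (exactly
 * 32 encoded bytes) and against the bytes actually present in the packet, and
 * each encoded byte must be in 'A'..'P' before it is turned into a nibble. */
int nb_decode_name_safe(const uint8_t *pkt, size_t pktlen, char *name_out)
{
    if (pktlen < 1)
        return -1;                     /* no length byte at all */
    size_t len = pkt[0];
    if (len != NB_ENCODED_LEN)
        return -1;                     /* RFC 1002 names are always 32 encoded bytes */
    if (pktlen < 1 + len)
        return -1;                     /* length claims more than the packet holds */
    for (size_t i = 0; i < NB_NAME_LEN; i++) {
        uint8_t hi = pkt[1 + 2 * i], lo = pkt[2 + 2 * i];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;                 /* not a valid nibble character */
        name_out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    return 0;
}

/* Helper to build a well-formed packet: pads the name with spaces to 15
 * bytes, appends the suffix, and first-level encodes it. out must hold
 * 1 + NB_ENCODED_LEN bytes; returns the number of bytes written. */
size_t nb_encode_name(const char *name, uint8_t suffix, uint8_t *out)
{
    char raw[NB_NAME_LEN];
    memset(raw, ' ', NB_NAME_LEN - 1);
    size_t n = strlen(name);
    if (n > NB_NAME_LEN - 1)
        n = NB_NAME_LEN - 1;
    memcpy(raw, name, n);
    raw[NB_NAME_LEN - 1] = (char)suffix;
    out[0] = NB_ENCODED_LEN;
    for (size_t i = 0; i < NB_NAME_LEN; i++) {
        out[1 + 2 * i] = (uint8_t)('A' + (((uint8_t)raw[i] >> 4) & 0x0F));
        out[2 + 2 * i] = (uint8_t)('A' + ((uint8_t)raw[i] & 0x0F));
    }
    return 1 + NB_ENCODED_LEN;
}

int main(void)
{
    uint8_t pkt[1 + NB_ENCODED_LEN];
    char name[NB_NAME_LEN + 1] = {0};
    size_t n = nb_encode_name("MIKROTIK", 0x20, pkt);   /* constructed sample */
    if (nb_decode_name_safe(pkt, n, name) == 0)
        printf("decoded: '%.15s' suffix 0x%02x\n", name, (unsigned char)name[15]);

    /* Constructed hostile packet: length byte 0xFF. Only the safe decoder is
     * run on it; the unsafe one would really corrupt the stack here. */
    uint8_t evil[256];
    memset(evil, 'A', sizeof evil);
    evil[0] = 0xFF;
    printf("safe decoder on hostile packet: %d\n", nb_decode_name_safe(evil, sizeof evil, name));
    return 0;
}
```

On a well-formed packet both decoders return the same name, which is exactly why a bug like this survives normal testing; only the oversize, truncated and non-alphabet cases separate them, and those are the cases the hardened function rejects before touching the stack buffer.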
When you warn before disclosure, you run the risk that hackers try to find the weakness, and then they know in which direction they have to search. Secondly, not all users of MikroTik routers are active in the forum, so they don’t see any warnings.
After disclosure, any unpatched devices are fair game out there, and that should not happen if there was sufficient time to roll out the patch.
Below is the timeline:
2018-02-19: Core Security sent an initial notification to MikroTik.
2018-02-19: Core Security noticed that a candidate release addresses the vulnerability.
2018-02-21: MikroTik answered saying that they were planning to release a final version with a fix for SMB the week of 26 February and asked for additional information.
2018-02-21: Core Security thanked MikroTik’s answer and sent a draft advisory with a technical description. In addition, Core Security proposed the release date to be March 1st.
2018-02-21: MikroTik confirmed the proposed release date.
2018-02-23: Core Security asked MikroTik for a confirmation about the availability of the fix before the publication date. Also, Core Security sent the CVE-ID request to Mitre.
2018-02-23: MikroTik confirmed the availability of the fix for the publication date.
2018-02-28: Core Security asked MikroTik for a confirmation about the release of the fixed version again.
2018-02-28: MikroTik answered saying that they had some issues and asked for an extension of one week.
2018-02-28: Core Security analyzed the possibility of postponing the publication date and asked MikroTik for a new release date.
2018-03-01: MikroTik answered that they didn’t have a certain release date for their fix.
2018-03-01: Core Security requested a solidified release date for coordinated disclosure. Agreed to postpone till March 8th.
2018-03-01: MikroTik answered saying they understand it’s their fault and if they don’t release the fixed version in time, we might have to release our document.
2018-03-02: Core Security thanked MikroTik for the update and asked again about the planned release date.
2018-03-05: MikroTik answered that they still don’t have a certain release date for their fix.
2018-03-05: Core Security answered saying the one-week postponement was proposed by MikroTik, yet they still cannot commit to a release date. Core Security clarified again that the intention is to do a coordinated release, but in order to do that a tentative release date is needed.
2018-03-12: Core Security noticed that a new version of MikroTik RouterOS was available and asked MikroTik if this version fixed the vulnerability.
2018-03-12: MikroTik confirmed that the published version addressed the reported vulnerability.
2018-03-15: Advisory CORE-2018-0003 published.
RouterOS Current and RC are patched; Bugfix is not patched.