Statement on Vault 7 document release

On March 7th, 2017, Wikileaks made public a set of documents that is being referred to as “Vault 7”. This is a large collection of documents purported to belong to the United States Central Intelligence Agency (CIA) Center for Cyber Intelligence. According to Wikileaks, this disclosure is the first one; additional disclosures will be coming in the near future.

According to the released documents, the CIA supposedly has tools that can inject malicious tools into RouterOS devices, if the public interface of the RouterOS device has no firewall on port 80. The exploit is called “ChimayRed”.

Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20250630.html:

“ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed”

Also, it seems that this exploit may not be functional in RouterOS versions above v6.30.1 (released 2015-07-15).

Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20251203.html:

“Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2”

Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.5 ‘current’ and 6.37.5 ‘bugfix’ or newer). We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.5 which removes any malicious files in devices that have been compromised. MikroTik will follow Wikileaks for any new information on this exploit.

Most RouterBOARD products come with default firewall rules that already protect against malicious access from the public interface. If you have disabled these rules, or have cleared the default config, please apply firewall rules on the public interfaces of your devices to block access to port 80, upgrade RouterOS to the latest version and follow general router protection guides in our documentation, like limiting access only to your own IP address and disabling unused services.

UPDATE 1: Hotspot is not affected by the vulnerabilities outlined above.

UPDATE 2: v6.38.5 and 6.39rc49 have been released; these versions fix the vulnerabilities outlined in the above documents and clean any files installed by the tools described.

UPDATE 3: As of November 2017, Wikileaks have NOT followed up their claims and have not provided any tools for our inspection.

Thanks for the update.

Thanks for the update. Have Mikrotik reached out to Wikileaks in order to obtain an early release of the ChimayRed tool?

“Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2”

The reason it doesn’t work with 6.30.2 is most likely due to memory or executable offsets changing between versions. Exploits tend to be very sensitive to the layout of memory and executables, so every time a new RouterOS release is made, the exploit authors will have to code in offsets specifically for that version (this is why the exploit appears to query the version from the httpd). So while it sounds like > 6.30.2 are unaffected, I do not believe this to be the case unless some vulnerable code was patched in 6.30.2.

Thanks for the information, Normis. We will be attentive to the updates.
Regards

Hi,

Thank you very much, normis!
This is a real professional handling of the situation.

Regards,
Ape

“the CIA supposedly has tools that can inject malicious tools into RouterOS devices,”
It’s not possible to do that without the admin password. Second, the ROS kernel is closed, not like Ubq source code.
That’s why the CIA “supposedly” has tools.

Anyway, how can I find if, how or “supposedly” my router is infected with the so-called “ChimayRed”?

Normis, Mikrotik should release a tool to check if there is any suspicious file.
If the router was infected running an exploitable version, maybe the trojan continues in the system.

From what I read:
There is no solid information about that yet. Without the hacking tools themselves, they need to have a ‘supposedly’ hacked router in their hands to determine and create a precise method of detection. At this point a firewall log rule for the TCP/80 (maybe TCP/8291) port from and to the router (input/output) will work just as well; just look if there is some out-of-the-ordinary traffic, persistent connections that aren’t supposed to be there.

It looks like MT just released 6.38.4, which, just in case, clears the whole file system of any stuff unrelated to RouterOS.

*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;

And in fact with given set of information that is all they can do atm.

FYI, the current download page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.

I think that is on purpose, bugfix probably takes more time to be released.

The obvious question is: does it report the presence of such files if any are detected?

Thanks for the update Normis.

So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?

Thank you.

Please could you confirm this, Normis?

The documents provided by Wikileaks detail this. You can ask MikroTik, but they are (like the rest of us) just working off the information that has been made available thus far.

Source: https://wikileaks.org/ciav7p1/cms/page_20250869.html

Operator Notes
ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed.

Whilst we block most of our client routers from the Internet to all but our own IP address for management, there are some clients who want to have the graphs publicly available.

I would like to see a separate port for graphing if possible so that this functionality can be available to anyone without leaving port 80 open for management. Alternatively, have an option to remove management capability from the internal web server so it has no access to ROS and config, leaving all management to Winbox and CLI.

You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network.

Yeah, I know I can limit IP on the graphing, but what I would like to see is open-to-world graphing. From my understanding the ChimayRed hack is not dependent on authenticating to the box. Although the issue is fixed with current ROS releases, it would be nice to have the web server for graphing isolated from the router core so any future compromise leads nowhere.

Normis, thank you for the posting and info on Vault 7 and how it might affect a Mikrotik device as well as having the upgrade.

Have Mikrotik reached out to Wikileaks

Yes, but as you can imagine, all the big tech companies are probably doing the same.

most likely due to memory or executable offsets changing between versions

Likely, maybe, but nothing is definite. We are researching.

Mikrotik should release a tool to check if there is any suspicious file.

We have so far not seen a single affected device. We are only working based on the released text documents, so it is not yet possible to create a tool with high accuracy. All we can do is clean the system upon upgrade to 6.38.4.

page still indicates the bugfix version as 6.37.4. Not sure if 6.37.5 was a typo, or if the page needs to be updated.

We plan to release it later today.

does it report the presence of such files if any are detected

No. We clean the system as such, we do not speculate if a certain file came from this malware or from elsewhere.

So as far as you can tell or are aware, the only way to exploit a router is if port 80 is open to the internet and the HTTP service is enabled?

Please could you confirm this, Normis?

Yes

here are some clients who want to have the graphs publicly available.

You can open port 80 for the specific customer IP address, or use graphing on external services through SNMP until we provide alternate solutions.
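The advice scattered through this thread (the statement's "block access to port 80 on the public interface and limit access to your own IP address", the suggestion to add a firewall log rule for TCP/80 and TCP/8291, and the last reply's "open port 80 for the specific customer IP address") can be put into one RouterOS configuration. The following is an added example written for this page, not MikroTik's own configuration or default rule set; it assumes ether1 is the public (WAN) interface, and every IP address in it is a constructed placeholder.

```routeros
# Added example, not MikroTik's default firewall. Assumes ether1 is the public
# (WAN) interface; all addresses below are constructed placeholders.

# Address lists keep the policy readable and make it easy to add a customer later.
/ip firewall address-list
add list=management address=203.0.113.10 comment="constructed: our own management address"
add list=graph-viewers address=198.51.100.25 comment="constructed: customer allowed to view graphs"

/ip firewall filter
# Rules are evaluated top to bottom; keep replies to router-originated traffic working first.
add chain=input connection-state=established,related action=accept comment="accept established/related"
# Port 80 from the WAN side is reachable only for the listed sources.
add chain=input in-interface=ether1 protocol=tcp dst-port=80 src-address-list=management action=accept comment="www: management only"
add chain=input in-interface=ether1 protocol=tcp dst-port=80 src-address-list=graph-viewers action=accept comment="www: public graphs for listed customer"
# Log, then drop, every other WAN-side attempt at www (80) and Winbox (8291).
add chain=input in-interface=ether1 protocol=tcp dst-port=80,8291 action=log log-prefix="wan-mgmt-attempt" comment="log WAN management attempts"
add chain=input in-interface=ether1 protocol=tcp dst-port=80,8291 action=drop comment="drop WAN management attempts"

# Second layer: the www service itself only answers the same sources, and
# services that are not used are switched off entirely.
/ip service
set www address=203.0.113.10/32,198.51.100.25/32
set telnet disabled=yes
set ftp disabled=yes

# Review what the log rule caught, e.g. once a day.
/log print where message~"wan-mgmt-attempt"
```

Because the accept rules for the two address lists sit above the log rule, only connection attempts from everyone else are logged, so the log stays small enough to read. Restricting the www service's `address=` as well means that even a mistake in rule ordering does not expose the web interface to the whole Internet, and the log lines give the "out-of-the-ordinary traffic" check suggested above without any knowledge of the tool itself.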