MikroTik routers made the headlines again, the company disclosed this week technical details about a year-old vulnerability that exposes the device to remote attacks.
Attackers could exploit the vulnerability to trigger a denial-of-service (DoS) condition on devices running RouterOS.
“The first issue caused the device to reboot if traffic to a lot of different destination addresses was routed. The reboot was caused by watchdog timer since the device was overloaded and stopped responding”
The Latvian vendor already released security updates for the RouterOS that addressed the flaw (CVE-2018-19299), but according to the experts, some of the affected devices continue to be vulnerable.
The CVE-2018-19299 vulnerability affects
“After that reboot was fixed, another issue caused the memory to be filled, because IPv6 route cache size could be bigger than the available RAM. This also was fixed, by introducing automatic cache size calculation based on available memory.” continues the post.
Experts discovered that the fix for the DoS flaw only works only devices with more than 64MB of RAM.
“I have done several tests with GNS3 using CHR 6.44.2 (stable) and as long as the router has enough memory, it doesn’t crash. In my tests, the attack ‘steals’ around 180 MiB.” explained Prieto.
“Using a CHR with 256 MB, system resources shows a total memory of 224 MiB and free-memory of 197 MiB before
The flaw was reported by several experts, including Isalski, back on April 16, 2018. The expert explained that the vendor acknowledged the flaw, but that it did not classify it as a security vulnerability.
In March Isalski reported the flaw to several emergency response team and disclosed evidence of the exploitation of the vulnerability in attacks in the wild.
Isalski confirmed that the CVE-2018-19299 flaw “affects almost any of MikroTik’s devices, even those used as ‘core’ or ‘backhaul’ routers.”
“More than 20 RouterOS versions have been released since MikroTik learned about the vulnerability.” reported Bleeping computer. “One reason for this, besides dismissing its security risk, is that flaw is at
Experts believe that the vendor will introduce some optimizations in the next beta version of RouterOS for hardware with low RAM resource.
(SecurityAffairs – CVE-2018-19299, MikroTik)