MikroTik RouterOS vulnerability

2:50pm, 29 March 2018

TLP Rating: Clear

CERT NZ has been informed of an active attack targeting MikroTik RouterOS devices.

Attackers are identifying these devices by scanning public IP addresses for specific RouterOS ports and for older versions of the operating system. Once the vulnerability is exploited, malware is downloaded to the compromised device. The device is then used to scan for other IP addresses and spread.

CERT NZ is aware that this attack is active. We strongly recommend investigating and patching any RouterOS devices on your network as soon as possible to prevent them from being compromised.

What's happening

Systems affected

MikroTik RouterOS devices that are internet-accessible or have public IP addresses are affected by this vulnerability. These devices can be identified in a number of ways, including checking for devices running Winbox on port 8291, which is a MikroTik-specific port.

Exploiting this vulnerability requires the devices to be unpatched. It is prudent to work on the basis that all MikroTik RouterOS devices are vulnerable if they are running versions older than 6.41.3.

MikroTik RouterOS devices that are running versions older than 6.41.3 should be patched immediately and the passwords for all user accounts should be changed. Logs should be reviewed to identify any suspicious activity, such as connections to unknown IPs.

Read details about this vulnerability on the MikroTik website.

What this means

All affected devices need to be patched to version 6.41.3 to prevent them from being compromised.
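The following is an added example, not part of the original advisory and not MikroTik code: a small triage script that sorts a device inventory against the 6.41.3 threshold and can check whether Winbox (8291) answers on your own devices. The inventory, the addresses and the rule that pre-release builds go to manual review are assumptions made for illustration.

```python
import re
import socket

FIXED = (6, 41, 3)    # patched release named in the advisory
WINBOX_PORT = 8291    # MikroTik-specific port named in the advisory

# Constructed sample inventory (documentation addresses, made-up version strings)
SAMPLE_INVENTORY = [
    ("192.0.2.10", "6.41.3"),
    ("192.0.2.11", "6.40.5 (bugfix)"),
    ("192.0.2.12", "6.41"),
    ("192.0.2.13", "6.42rc27"),
    ("192.0.2.14", "6.42.1 (stable)"),
    ("192.0.2.15", "unknown"),
]

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(rc|beta)?", text)
    if not m:
        return None
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, m.group(4) is not None

def classify(text):
    """PATCH = older than 6.41.3, REVIEW = undecidable from the string, else OK."""
    parsed = parse_version(text)
    if parsed is None:
        return "REVIEW"
    nums, prerelease = parsed
    if nums < FIXED:
        return "PATCH"
    # Assumption: rc/beta builds are checked by hand rather than trusted
    return "REVIEW" if prerelease else "OK"

def winbox_reachable(host, timeout=2.0):
    """True if TCP 8291 on one of your own devices accepts a connection."""
    try:
        with socket.create_connection((host, WINBOX_PORT), timeout=timeout):
            return True
    except OSError:
        return False

def triage(inventory):
    return {addr: classify(ver) for addr, ver in inventory}

if __name__ == "__main__":
    for addr, status in triage(SAMPLE_INVENTORY).items():
        print(f"{addr:15} {status}")
```

Run `winbox_reachable` from outside your network against your own public addresses to see which devices expose the port to the internet.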

What to look for

How to tell if you're at risk

If you are using a MikroTik RouterOS device you are at risk of being compromised.

This device may be provided by your internet service provider (ISP).

What to do

Mitigation

Ensure that any MikroTik RouterOS devices are patched to version 6.41.3.

If these devices cannot be patched, the use of the devices should be reconsidered, as there are no other controls to prevent this vulnerability from being exploited.

Configure the device using the vendor’s recommended practices.

Read MikroTik's patch documentation and access the patch files.

Read MikroTik's configuration recommendations.

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
