To exploit this issue, an attacker needs to control the path through which RouterOS accesses the file system. If a RouterOS installation is configured to access the file system using a DHCP server, an attacker can create a malicious DHCP server that points to an arbitrary location on the device. An attacker can also create an attacker-controlled mount point on the device that is accessible to RouterOS, such as a network share.

An attacker may choose to place a RouterOS image on a network share and instruct the users on the network share to connect to the RouterOS image to access the internet. This may be done by changing the DHCP server configuration or by creating a malicious DHCP server. Users connecting to the RouterOS image would be exposed to the attack.

To prevent this, administrators should configure RouterOS to use static IPs or use a different server. In addition, administrators should ensure that DHCP clients do not resolve DNS names to locations on the host, such as an attacker-controlled mount point.

IMPORTANT: To reduce the likelihood of this issue being exploited, administrators should ensure that the DHCP server is not configured to provide mount points.

Solutions:

- Configure RouterOS to use static IPs or use a different server
- Ensure that DHCP clients do not resolve DNS names to locations on the host, such as an attacker-controlled mount point

CVE-2021-34959

In the previous example, an attacker could also exploit this issue to gain access to the file system by creating a malicious DHCP server that points to an arbitrary location on the device.

CVE-2023-34969

This issue occurs because the driver's implementation of the I/O stack does not validate that a length value is within the bounds of a buffer. If an attacker can insert data into the buffer, then they may be able to use this issue to read data from an adjacent memory location or cause a denial of service condition.

CVE-2023-24702

The vulnerability can be exploited by an attacker who has access to the interface where RouterOS is accessing the file system. An attacker can create a malicious file on the device, such as one that triggers a buffer overflow when it is written. An attacker may also modify the configuration of RouterOS or create a malicious DHCP server on an interface where RouterOS is accessing the file system, which would allow an attacker to exploit this vulnerability. The remote code execution would occur only if there is authenticated user input.

To prevent this issue from being exploited, administrators should ensure that their RouterOS configuration does not allow for authenticated user input on the interface where RouterOS is accessing the file system and that no DHCP servers are running on interfaces where RouterOS may be accessing the file system.

How to Test for RouterOS File System Access

If you are in a position to test whether or not your router is vulnerable, you should test a RouterOS installation that is configured with a DHCP server. To do this, create a DHCP server on your local machine and point it to a path containing the following content:
/mnt/

Timeline

Published on: 08/25/2022 02:15:00 UTC
Last modified on: 08/31/2022 16:35:00 UTC

References