This post summerizes the facts around the www service vulnerability in RouterOS which was published by Wikileaks as part of the Vault 7 document release. The vulnerability affected the RouterOS webfig configuration interface, if no firewall was put in place to protect it. MikroTik fixed the vulnerability in the following RouterOS releases:
- 6.37.5 in the Bugfix channel
- 6.38.5 in the Current channel
Both were released on 2017-Mar-09.
The vulnerability in question was later exploited by several malicious tools and affected users of RouterOS who had not upgraded RouterOS above the mentioned versions, and had opened the www service port (TCP port 80) to untrusted networks.
MikroTik was informed by Cisco Talos research group on May 22nd of 2018, that a malicious tool was found on several manufacturer devices, including devices made by MikroTik. We are highly certain that this malware was installed on these devices through the above mentioned vulnerability in the www service.
Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability. Upgrading RouterOS is done by a few clicks and takes only a minute. To be safe against any kinds of attacks in future, make sure you secure access to your devices.
If you were running a RouterOS version released before March 2017 (6.37.5 in the Bugfix channel, or 6.38.5 in the Current channel) and had allowed access to the device web interface from the internet, we suggest the following steps:
- Upgrade RouterOS
- Change your password
- Protect your device according to our official guide
The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels.
It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit the above described vulnerability. Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so within the last year.
Your devices are safe if the port 80 is firewalled, or if you have upgraded to v6.38.5 or newer. If you are using our home access point devices with default configuration, they are firewalled from the factory, and you should also be safe, but please upgrade never the less.
What is affected?
- Webfig with standard port 80 and no firewall rules
- Winbox has nothing to do with the vulnerability, Winbox port is only used by the scanners to identify MikroTik brand devices. Then it proceeds to exploit Webfig through port 80.
Am I safe?
- If you upgraded your router in the last ~12 months, you are safe
- If you had "ip service" "www" disabled: you are safe
- If you had firewall configured for port "80": you are safe
- If you only had Hotspot in your LAN, but Webfig was not available: you are safe.
- If you only had User Manager in your LAN, but Webfig was not available: you are safe.
- If you had other Winbox port before this: you are safe from the scan, but not from the infection.
- If you had "winbox" disabled, you are safe from the scan, not from the infection.
- If you had "ip service" "allowed-from" set to specific network: you are safe if that network was not infected.
- If you had "Webfig" visible to LAN network, you could be infected by an infected device in your LAN.
How to detect and cure?
- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
- If you upgrade device and you still see attempts to access Telnet from your network - run Tool/Torch and find out a source of the traffic. It will not be router itself, but another device in local network which also is affected and requires an upgrade.