Security researchers have disclosed a vulnerability in MikroTik RouterOS, a router operating system whose vendor lists NASA, Vodafone, and Ericsson among its customers.
The flaw is a buffer overflow in the RouterOS SMB service, triggered while it processes NetBIOS session request messages. Server Message Block (SMB) is a protocol for sharing files, printers, serial ports, and communication abstractions such as named pipes and mailslots between computers; a NetBIOS session request is the message (defined in RFC 1002) that opens such a session over the NetBIOS session service and carries the called and calling NetBIOS names.
MikroTik provides hardware and software for Internet connectivity in most countries around the world. RouterOS is MikroTik's stand-alone operating system, based on the Linux 3.3.5 kernel. According to the company's profile, its customers include Vodafone, Ericsson, and NASA, and it has over 500 distributors and resellers in 145 countries.
According to the researchers, a remote attacker who can reach the service can exploit the vulnerability to execute code on the device. Because the overflow happens before any authentication takes place, Core Security found that no credentials are needed: an unauthenticated remote attacker can trigger it.
Affected: all architectures and all devices running RouterOS before versions 6.41.3/6.42rc27. Release 6.41.2, published on 27 February 2018, is therefore among the vulnerable versions.
On the Core Security blog, the researchers wrote: "The overflow takes place in the function in charge of parsing NetBIOS names, which receives two stack-allocated buffers as parameters.
"The first byte of the source buffer is read and used as the size for the copy operation. The function then copies that number of bytes into the destination buffer. Once that is done, the next byte of the source buffer is read and used as the new size. This loop finishes when the size to copy is equal to zero.
“No validation is done to ensure that the data fits on the destination buffer, resulting in a stack overflow.”
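As an added illustration (this is neither MikroTik's code nor Core Security's decompilation), the following C reproduces the parsing loop exactly as the quote describes it, beside a bounds-checked rewrite, and runs both over a constructed benign name and the checked version over a constructed hostile one. The buffer size, function names and sample names are assumptions made for the demonstration; the hostile name is built from 255-byte labels, the largest a single length byte can request.

```c
/*
 * Added example, not code from MikroTik or Core Security. Shows the unchecked
 * length-prefixed copy loop the advisory describes next to a checked version.
 * NAME_BUF, the function names and the sample names are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64 /* assumed size of the stack buffer that receives the name */

/*
 * Vulnerable shape: read a length byte, copy that many bytes, read the next
 * length byte, stop at 0. Nothing compares what has been written against the
 * size of dst, so attacker-chosen lengths walk past the end of the stack
 * buffer. Only call this with input known to fit; it exists to show the pattern.
 */
size_t netbios_name_unsafe(const uint8_t *src, char *dst)
{
    size_t out = 0;
    uint8_t len = *src++;
    while (len != 0) {
        memcpy(dst + out, src, len); /* no bound on out + len */
        out += len;
        src += len;
        len = *src++;
    }
    dst[out] = '\0';
    return out;
}

/*
 * Hardened shape: every read is checked against the bytes actually received
 * (src_len) and every write against the destination capacity (dst_len).
 * Returns the decoded length, or -1 for a name that is truncated or too long.
 */
int netbios_name_safe(const uint8_t *src, size_t src_len, char *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    if (dst_len == 0) return -1;
    for (;;) {
        if (in >= src_len) return -1;        /* length byte missing */
        uint8_t len = src[in++];
        if (len == 0) break;                 /* terminator */
        if (len > src_len - in) return -1;   /* label runs past the message */
        if (len >= dst_len - out) return -1; /* would not fit together with the NUL */
        memcpy(dst + out, src + in, len);
        in += len;
        out += len;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Constructed benign name: labels "TEST" and "FOO", then the 0 terminator. */
static const uint8_t BENIGN_NAME[] = { 4, 'T', 'E', 'S', 'T', 3, 'F', 'O', 'O', 0 };

/*
 * Constructed hostile name: 255-byte labels repeated until the message is
 * nearly full, then the terminator. Returns the number of bytes written.
 */
size_t build_overlong_name(uint8_t *buf, size_t cap)
{
    size_t n = 0;
    while (cap - n > 256) {
        buf[n++] = 0xFF;
        memset(buf + n, 'A', 255);
        n += 255;
    }
    buf[n++] = 0;
    return n;
}

/* Both parsers on the benign name; returns the decoded length, or -1 if they disagree. */
int demo_benign(void)
{
    char a[NAME_BUF], b[NAME_BUF];
    size_t ua = netbios_name_unsafe(BENIGN_NAME, a);
    int sb = netbios_name_safe(BENIGN_NAME, sizeof BENIGN_NAME, b, sizeof b);
    if (sb < 0 || (size_t)sb != ua || strcmp(a, b) != 0) return -1;
    return sb;
}

/* The hostile name goes only to the checked parser; -1 means it was rejected. */
int demo_hostile(void)
{
    uint8_t msg[1024];
    char dst[NAME_BUF];
    size_t n = build_overlong_name(msg, sizeof msg);
    return netbios_name_safe(msg, n, dst, sizeof dst);
}

/* A label whose length byte promises more bytes than the message carries. */
int demo_truncated(void)
{
    static const uint8_t cut[] = { 10, 'A', 'B' }; /* claims 10 bytes, delivers 2 */
    char dst[NAME_BUF];
    return netbios_name_safe(cut, sizeof cut, dst, sizeof dst);
}

int main(void)
{
    printf("benign: %d hostile: %d truncated: %d\n",
           demo_benign(), demo_hostile(), demo_truncated());
    return 0;
}
```

The checked parser rejects the hostile name on its first label: 255 bytes cannot fit in a 64-byte buffer, and the same check catches a label that would merely overrun by one byte. The length-versus-remaining-input check matters too; without it a short message makes the loop read past the received bytes, which on the unsafe version is an over-read rather than an overflow but is still attacker-controlled.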
The timeline posted by Core Security shows that MikroTik confirmed the fix and released the patched RouterOS version on 12 March 2018. For devices that cannot be updated, MikroTik suggested disabling the SMB service; because the overflow is reachable before authentication, strong credentials do not protect an unpatched device whose SMB service remains exposed.
This vulnerability was discovered and researched by Juan Caillava and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.