Firmware security firm Eclypsium and the Synopsys Cybersecurity Research Center (CyRC) last week issued reports about global hardware flaws and multiple API holes discovered in a call center software suite.
The separate reports come on the heels of news from F-Secure that 150 different HP multifunction printer (MFP) products are loaded with security holes. With HP’s estimated 40 percent of the hardware peripheral market, many companies throughout the globe are likely using vulnerable devices, according to F-Secure.
Latvia-based MikroTik, a supplier of routers and wireless ISP devices since 1996, has more than two million devices deployed worldwide. These devices are powerful. Eclypsium’s research released Dec. 9 shows they are also often highly vulnerable.
CyRC on Dec. 7 disclosed the weak application programming interface (API) router can be exploited remotely to read system settings without authentication. It can also allow arbitrary code execution for any authenticated user via an unrestricted file upload. The affected software leaves employees and customers vulnerable to stolen passwords, phishing emails, and other stolen data from the server.
Eclypsium Blog Fosters Report
MikroTik devices are a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka “C2”), traffic tunneling, and more, according to the Eclypsium’s MikroTik research titled “When Honey Bees Become Murder Hornets,” which forms the basis of the report.
Part of the research shines a light on this problem. The report maps the supplier’s attack surface and then provides researchers and security teams with tools they can use to find both vulnerable and already-compromised devices.
Since such a vast percentage of these devices have been in a vulnerable state for many years, the researchers also decided to leverage the same tactics, techniques, and procedures (TTPs) the attackers use. This lead to the discovery as to whether a given device might already be compromised and determine if it is patched or not.
The report looks at 1) why these devices are being targeted, 2) known threats and capabilities, 3) plotting the attack surfaces in the wild, and 4) what enterprise security teams can do about it.
MikroTik Prime Target
The increase in users working from home gives attackers a wealth of easily discoverable, vulnerable devices that can provide attackers with easy access to the employee’s home devices and resources of the enterprise.
“In effect, the perimeter has as many holes as a bee’s nest has hexagons,” according to the report. “Threat actors have the tools to find vulnerable MikroTik devices, many enterprises do not.”
Researchers found MikroTik devices are prone to vulnerabilities. They often come with default credentials of admin/empty passwords. Even devices that are intended for corporate environments come without default settings for the WAN port.
MikroTik’s auto-upgrade feature is rarely enabled. Many devices are simply never updated. They have a complex configuration interface, so users can easily make risky mistakes.
Researchers detected thousands of vulnerable and end-of-life devices easily discoverable on the internet, some of those over a decade old. Collectively, attackers have many opportunities to gain full control over very powerful devices. They can target devices behind the LAN port as well as on the internet.
How To Mitigate Vulnerable Devices
Eclypsium customers can use its network devices scanner to fingerprint MikroTik devices. This process uses the devices’ HTTP and UPnP responses down to the specific version.
The platform also provides automated analysis of MikroTik devices to identify vulnerabilities and threats. That will locate devices needing upgrades or patches.
MikroTik customers without Eclypsium can download a free MikroTik assessment tool. This tool will check MikroTik devices to see if a scheduler script exists or if the device contains the critical vulnerability CVE-2018-14847.
MikroTik published information on hardening its devices. It includes a response to the Meris botnet, as well as instructions to secure MikroTik devices and identify and resolve any compromises.
Serious Software Flaw
The CyRC Vulnerability Advisory reported the discovery of multiple vulnerabilities in GOautodial call center software suite.
GOautodial, which claims to have 50,000 call center users in locations around the world, is open source and freely available to download. It is also available as a paid cloud service from multiple providers.
The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution for any authenticated user via an unrestricted file upload.
“The good news is that unless the GOautodial system is exposed directly to the internet — which seems unlikely — an attacker would first need to gain access to the network to exploit either of these vulnerabilities,” Scott Tolley, sales engineer on the Synopsys research team, told bluehillco.
There are confirmed damage incidents from the MikroTik vulnerabilities, confirmed Scott Scheferman, principal cyber strategist at Eclypsium.
How much power a botnet like this has is evidenced in this example he provided.
“The Yandex layer 7 DDOS attack witnessed ~22m RPS (requests per second). Even at a conservative 100 requests per second, the 287,000 vulnerable devices (Winbox-vulnerable), should they be used in such a DDoS attack, would result in ~28m RPS, which is very close to the ~22m RPS observed during the Meris Yandex DDoS attack.”
Two Key Vulnerabilities
The first issue — CVE-2021-43 Synopsys Cybersecurity Research Center (CyRC)175: Broken authentication — falls under the A01 Broken Access Control category on the OWASP Top 10 list. With this vulnerability, any attacker with access to the internal network hosting GOautodial could steal sensitive configuration data.
Stolen data could include default passwords from the GOautodial server. Attackers would not need any credentials such as a username or password to connect to other related systems on the network such as VoIP phones or services.
The second issue — CVE-2021-43176: Local file inclusion with path traversal — allows any authenticated user at any level, including contact center employees, to gain remote code execution. This would allow them to gain complete control over the GOautodial application on the server.
Attackers could steal the data from all fellow employees and customers and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications. Spoofing is sending messages or emails that look like they come from someone else.
Versions of the GOautodial API at or prior to commit b951651 on Sept. 27 appear to be vulnerable. This includes the latest publicly available ISO installer GOautodial-4-x86_64-Final-20191010-0150.iso.
Both vulnerabilities were patched Oct. 20 as of commit 15a40bc.
GOautodial users can patch the vulnerabilities by upgrading to the latest version available on GitHub. This is advised by the GOaudodial team, according to Tolley.
Users should be motivated to upgrade because the implications for the integrity of the GOautodial server are severe, Tolley warned.
“Any authenticated user such as a regular call center worker can gain control of the entire server-side application. In addition to the insider threat, any attacker that gains control of a single, regular user account could leverage this,” he said.
It is also possible to steal default passwords and other sensitive configuration data without any valid credentials whatsoever, he added.