Allele Security Alert
Dude agent vulnerability allows firewall and NAT bypass
RouterOS 6.42.11 and below
RouterOS 6.43.11 and below
RouterOS 6.43.12 (2019-02-11 14:39)
RouterOS 6.44beta75 (2019-02-11 15:26)
RouterOS 6.42.12 (2019-02-12 11:46)
Proof of concept
MikroTik RouterOS before 6.43.12 (stable), 6.44beta75 and 6.42.12 (long-term) is affected by an intermediary vulnerability. The software will execute user-defined network requests to both WAN and LAN clients. A remote unauthenticated attacker can use this vulnerability to bypass the router’s firewall or for general network scanning activities.
MikroTik’s The Dude has a network discovery feature that sends user-defined probes to discover network services. There are various pre-defined probes for HTTP, FTP, Telnet, etc.
This network scanning feature also supports “recursive scanning” in which probes can be proxied through MikroTik’s Winbox port (8291). Tenable discovered that authentication was not enforced on these proxied probe requests. Therefore, an unauthenticated remote attacker could use a MikroTik router to proxy arbitrary traffic. Furthermore, attackers on the WAN can use this feature to send requests to hosts on the LAN.
There are a couple of limitations to MikroTik’s probe functionality. A probe only supports up to three requests and responses. Also, the response is not relayed back to the requesting client. The response is instead matched against a regular expression defined in the probe format.
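To check a device inventory against the fixed releases listed in this alert, the following added example (not part of the original alert or of Tenable's proof of concept) classifies RouterOS version strings per release branch. It assumes that 6.44 release candidates, the final 6.44 release and all later branches carry the fix; the hostnames and sample versions are constructed.

```python
import re

# Fixed releases from this alert: 6.42.12 (long-term), 6.43.12 (stable), 6.44beta75.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")

def parse_version(text):
    """Split a RouterOS version string into (major, minor, patch, stage, stage_no)."""
    # Inventory exports often append the channel, e.g. "6.43.11 (stable)".
    token = text.strip().split()[0] if text.strip() else ""
    match = _VERSION_RE.match(token)
    if not match:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, stage_no = match.groups()
    return (int(major), int(minor), int(patch or 0), stage or "release", int(stage_no or 0))

def is_vulnerable(text):
    """Return True if the version predates the CVE-2019-3924 fix for its branch."""
    major, minor, patch, stage, stage_no = parse_version(text)
    branch = (major, minor)
    if branch < (6, 42):
        return True                      # covered by "6.42.11 and below"
    if branch > (6, 44):
        return False                     # assumption: later branches include the fix
    if branch == (6, 44):
        # Fixed from 6.44beta75; rc and final builds are assumed to follow the betas.
        return stage == "beta" and stage_no < 75
    # 6.42.x and 6.43.x: pre-release builds predate the fix, releases need patch >= 12.
    return stage != "release" or patch < 12

def audit(inventory):
    """Map each (host, version) pair to 'vulnerable', 'fixed' or 'unknown'."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            report[host] = "unknown"     # flag for manual review rather than guess
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [("edge-01", "6.42.11 (long-term)"), ("edge-02", "6.43.12 (stable)"),
          ("lab-01", "6.44beta61"), ("lab-02", "6.44beta75"), ("old-01", "v6.40")]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Version strings the parser does not recognise are reported as `unknown` so they can be reviewed by hand instead of being silently treated as fixed.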
Jacob Baines (Tenable)
CVE-2019-3924 DUDE AGENT VULNERABILITY
MikroTik RouterOS Unauthenticated Intermediary
MikroTik Firewall & NAT Bypass
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 8, 2019