ASA-2019-00122 – MikroTik: Dude agent vulnerability allows firewall and NAT bypass


Allele Security Alert

ASA-2019-00122

Identifier(s)

ASA-2019-00122, CVE-2019-3924

Title

Dude agent vulnerability allows firewall and NAT bypass

Vendor(s)

MikroTik

Product(s)

RouterOS

Affected version(s)

RouterOS 6.42.11 and below
RouterOS 6.43.11 and below

Fixed version(s)

RouterOS 6.43.12 (2019-02-11 14:39)
RouterOS 6.44beta75 (2019-02-11 15:26)
RouterOS 6.42.12 (2019-02-12 11:46)

Proof of concept

Yes

Description

MikroTik RouterOS versions before 6.43.12 (stable), 6.44beta75 and 6.42.12 (long-term) contain an intermediary vulnerability: the software will execute user-defined network requests to both WAN and LAN clients. A remote, unauthenticated attacker can use this vulnerability to bypass the router’s firewall or to perform general network scanning.

Technical details

MikroTik’s The Dude has a network discovery feature that sends user-defined probes to discover network services. There are various pre-defined probes for HTTP, FTP, Telnet, etc.

This network scanning feature also supports “recursive scanning” in which probes can be proxied through MikroTik’s Winbox port (8291). Tenable discovered that authentication was not enforced on these proxied probe requests. Therefore, an unauthenticated remote attacker could use a MikroTik router to proxy arbitrary traffic. Furthermore, attackers on the WAN can use this feature to send requests to hosts on the LAN.

There are a couple of limitations to MikroTik’s probe functionality. A probe only supports up to three requests and responses. Also, the response is not relayed back to the requesting client. The response is instead matched against a regular expression defined in the probe format.
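
To check a router inventory against the affected and fixed versions listed in this alert, the following is an added example; it is not part of the original alert and is not MikroTik or Tenable code. The function names, the sample inventory and the treatment of release lines after 6.44 as fixed are assumptions.

```python
import re

# Orders pre-release builds below the final release of the same version.
STAGE = {"beta": 0, "rc": 1, None: 2}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '6.43.11 (stable)' or '6.44beta75' into a sortable tuple."""
    fields = text.split()
    m = VERSION_RE.match(fields[0]) if fields else None
    if m is None:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, build = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(build or 0))


# First fixed build per release line, taken from "Fixed version(s)" in this alert.
FIRST_FIXED = {
    (6, 42): parse_version("6.42.12"),
    (6, 43): parse_version("6.43.12"),
    (6, 44): parse_version("6.44beta75"),
}


def is_affected(text):
    """True if the version predates the fix for CVE-2019-3924."""
    version = parse_version(text)
    line = version[:2]
    if line < min(FIRST_FIXED):
        return True  # "6.42.11 and below" covers every older release line
    if line in FIRST_FIXED:
        return version < FIRST_FIXED[line]
    return False  # assumption: release lines after 6.44 include the fix


def audit(inventory):
    """Return the sorted names of routers that still need the update."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed inventory for illustration: router name -> reported version.
SAMPLE_INVENTORY = {
    "edge-01": "6.42.11 (long-term)",
    "edge-02": "6.43.12 (stable)",
    "lab-01": "6.44beta61 (testing)",
    "lab-02": "6.44beta75 (testing)",
    "branch-07": "6.40.9",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```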

Credits

Jacob Baines (Tenable)

Reference(s)

CVE-2019-3924 DUDE AGENT VULNERABILITY
https://blog.mikrotik.com/security/cve-20193924-dude-agent-vulnerability.html

MikroTik RouterOS Unauthenticated Intermediary
https://www.tenable.com/security/research/tra-2019-07

CVE-2019-3924
https://www.tenable.com/cve/CVE-2019-3924

The Dude
https://mikrotik.com/thedude

MikroTik Firewall & NAT Bypass
https://medium.com/tenable-techblog/mikrotik-firewall-nat-bypass-b8d46398bf24

CVE-2019-3924
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3924

CVE-2019-3924
https://nvd.nist.gov/vuln/detail/CVE-2019-3924

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.