CyberWisdom Safe Harbor Commentary
The vulnerability is tracked as CVE-2018-7445; a remote attacker with access to the service could exploit it to execute arbitrary code on the system.
“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. A remote attacker accessing the service could exploit this vulnerability and obtain code execution rights on the system.” Read the advisory issued by the company.
“The overflow occurred before the authentication occurred, so an unauthenticated remote attacker could exploit this vulnerability.”
The researchers released proof-of-concept code targeting MikroTik’s x86 Cloud Hosted Router.
Core first reported this vulnerability to MikroTik on February 19, 2018. MikroTik planned to ship the fix in its next release on March 1, 2018, and asked Core not to disclose details of the vulnerability. MikroTik was unable to issue the fix by that deadline, so Core waited for the new version, which was released on Monday, March 12, 2018.
MikroTik recommends disabling SMB if the update cannot be installed.
A few days ago, security experts at Kaspersky Lab announced that they had discovered a new, sophisticated APT group that had been operating under the radar since at least 2012. Kaspersky tracked the group and determined that it uses a malware family called Slingshot to compromise the systems of hundreds of thousands of victims in the Middle East and Africa.
Researchers have identified about 100 Slingshot victims and found its modules in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania.
Kenya and Yemen have the most infections so far. Most victims are individuals rather than organizations, and only a limited number of government organizations are affected.
The APT group planted spyware on victims’ computers by exploiting a zero-day vulnerability in routers from the Latvian network hardware vendor MikroTik (CVE-2007-5633, CVE-2010-1592, CVE-2009-0824).
The attacker first compromises the router and then replaces one of the DLLs in its file system with malicious code. When the user runs the Winbox Loader software (MikroTik’s router management suite), the library is loaded into the target computer’s memory.
The DLL runs on the victim’s machine and connects to a remote server to download the final payload, which in the attacks Kaspersky monitored was the Slingshot malware.
It is unclear whether the Slingshot gang also exploited the CVE-2018-7445 vulnerability to compromise the router.
Since working proof-of-concept code for CVE-2018-7445 is now available, customers should upgrade RouterOS to version 6.41.3 to avoid problems.
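As an added illustration (not code from Core Security, MikroTik or the original post), the following Python sanity-checks NetBIOS session requests against the RFC 1002 framing that the affected SMB service parses, so a filter in front of the router can log or drop malformed ones, and flags RouterOS version strings older than the 6.41.3 fix named above. The checks are generic RFC framing checks, not a signature for the specific bug, and the sample messages are constructed here.

```python
import re
import struct

# RFC 1002 session request: type 0x81, flags (bit 0 extends the length),
# 2-byte length, then CALLED and CALLING names, each first-level encoded
# as one label: length byte 0x20 (32), 32 chars in 'A'..'P', 0x00 terminator.
SESSION_REQUEST = 0x81
LABEL_LEN = 32

def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encode a 15-char NetBIOS name plus suffix (RFC 1001)."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 65, (b & 15) + 65]) for b in raw)
    return bytes([LABEL_LEN]) + enc + b"\x00"

def build_session_request(called: str, calling: str) -> bytes:
    """Well-formed request, used here only to produce constructed samples."""
    body = encode_name(called) + encode_name(calling)
    return struct.pack("!BBH", SESSION_REQUEST, 0, len(body)) + body

def check_session_request(msg: bytes) -> str:
    """Return 'ok' or the first way msg violates RFC 1002 framing."""
    if len(msg) < 4:
        return "truncated header"
    msg_type, flags, length = struct.unpack("!BBH", msg[:4])
    if msg_type != SESSION_REQUEST:
        return "not a session request"
    if (((flags & 1) << 16) | length) != len(msg) - 4:
        return "length field does not match payload size"
    pos = 4
    for field in ("called", "calling"):
        if pos + LABEL_LEN + 2 > len(msg):
            return f"{field} name truncated"
        if msg[pos] != LABEL_LEN:  # label length must be exactly 32
            return f"{field} name label length {msg[pos]} != {LABEL_LEN}"
        if msg[pos + 1 + LABEL_LEN] != 0:
            return f"{field} name not terminated"
        pos += LABEL_LEN + 2
    return "ok" if pos == len(msg) else "trailing bytes after names"

def is_affected(version: str) -> bool:
    """True when a RouterOS version string is older than the 6.41.3 fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups()) < (6, 41, 3)

# Constructed samples: a well-formed request and one with a bogus label length.
GOOD = build_session_request("ROUTER", "CLIENT")
BAD = GOOD[:4] + b"\xff" + GOOD[5:]
```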
Security experts at Core Security have disclosed the details of a buffer overflow vulnerability that affects MikroTik RouterOS in versions prior to the latest, 6.41.3. MikroTik is a Latvian vendor that produces routers used by many telco companies worldwide; they run the Linux-based RouterOS operating system. The vulnerability, tracked as CVE-2018-7445, could be exploited by a remote attacker with…
thumbnail courtesy of securityaffairs.co
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.