CVE-2018-7445
Published: 2018-03-19
Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-09-29)
Exploited in the wild
EPSS: 61.02% (99.0th percentile)
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.
Affected
13 ranges (only the first range on this page carries version data; the remaining 12 list no version range or fix version)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikrotik | routeros | < 6.41.3 | 6.41.3 |
Detection & IOCs (extracted from sources)
IOC (bytes): NETBIOS_SESSION_MESSAGE + "\x00\xeb\x02" repeated 4000 times followed by "\x90" * 16 + shellcode
- Detect CVE-2018-7445 exploitation by monitoring for large TCP streams to port 139 on MikroTik RouterOS devices containing repeated NETBIOS_SESSION_MESSAGE frames (pattern \x00\xeb\x02) sent thousands of times; this is the heap spray stage preceding the overflow.
- Detect the buffer overflow trigger: a NetBIOS Session Request message to port 139 with a payload starting with 83 bytes of 0xFF followed by register values and a ROP chain.
- The exploit requires two sequential TCP connections to port 139: the first stores shellcode on the heap, the second sends the overflow. Detect two rapid connections from the same source IP to port 139 on RouterOS.
- The exploit is pre-authentication; any unauthenticated TCP connection to port 139 on RouterOS that sends oversized NetBIOS Session Request messages should be treated as suspicious.
- The ROP chain uses a vDSO gadget (int 0x80) at a fixed address 0xffffe42e not affected by ASLR to invoke mprotect with PROT_READ|PROT_WRITE|PROT_EXEC on the heap before jumping to shellcode.
- The exploit targets the SMB daemon (SMB service) on MikroTik RouterOS. All architectures are affected on versions before 6.41.3/6.42rc27; use version detection on port 139 banners to identify unpatched devices.
- The vDSO gadget used in the ROP chain (int 0x80 at 0xffffe42e) is explicitly noted as not affected by ASLR on the targeted RouterOS builds, making the exploit reliable without an ASLR leak.
- The exploit sprays shellcode via socket-based heap spray before triggering the overflow; the heap address used for the ROP chain jump (0x08075802) is described as '(always?) contain[ing] user controlled data', suggesting heap layout may vary slightly across devices.
- The overflow offset to saved registers is fixed at 83 bytes, implying this PoC targets a specific SMB daemon build; different RouterOS versions or architectures may require adjusted offsets.
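The detection notes above describe three observable traffic shapes on TCP/139: a stream stuffed with the `\x00\xeb\x02` filler pattern, a NetBIOS Session Request whose declared length far exceeds the 68 bytes a well-formed request needs (two 34-byte encoded NetBIOS names, RFC 1002), and two connections from one source in quick succession. The following is an added example written for this page, not code from the original record, the vendor or any PoC: a small NetBIOS session-service frame parser plus a heuristic scorer a sensor could run over reassembled client-to-server streams. The thresholds (`SPRAY_REPEAT_THRESHOLD`, `RAPID_CONNECTION_WINDOW_S`) and the sample streams are constructed assumptions; tune them against your own baseline.

```python
"""Heuristic detector for the CVE-2018-7445 traffic shapes (added example).

All thresholds and sample data below are constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# NetBIOS Session Service message types (RFC 1002, section 4.3.1)
NB_SESSION_MESSAGE = 0x00
NB_SESSION_REQUEST = 0x81

# Filler pattern reported in the IOC above
SPRAY_PATTERN = b"\x00\xeb\x02"
# A legitimate Session Request carries CALLED NAME + CALLING NAME,
# each a 34-byte first-level-encoded NetBIOS name (RFC 1001/1002).
LEGIT_SESSION_REQUEST_LEN = 68
# Assumed thresholds (tune to your environment)
SPRAY_REPEAT_THRESHOLD = 1000
RAPID_CONNECTION_WINDOW_S = 5.0


def parse_frames(stream: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a raw TCP stream into (type, declared_length, payload) frames.

    Header is 4 bytes: type, flags, 16-bit big-endian length; bit 0 of flags
    extends the length by 0x10000. A truncated final frame is returned with
    whatever payload bytes are present so the caller can still inspect it.
    """
    frames = []
    off = 0
    while off + 4 <= len(stream):
        msg_type = stream[off]
        flags = stream[off + 1]
        length = int.from_bytes(stream[off + 2:off + 4], "big")
        if flags & 0x01:
            length += 0x10000
        payload = stream[off + 4:off + 4 + length]
        frames.append((msg_type, length, payload))
        off += 4 + length
    return frames


def score_stream(stream: bytes) -> List[str]:
    """Return the detection reasons triggered by one client->server stream
    on TCP/139. An empty list means nothing matched."""
    reasons = []
    # Heap-spray stage: the same 3-byte filler repeated thousands of times.
    if stream.count(SPRAY_PATTERN) >= SPRAY_REPEAT_THRESHOLD:
        reasons.append("heap-spray filler pattern repeated")
    for msg_type, length, payload in parse_frames(stream):
        # Overflow stage: a Session Request far larger than two encoded names.
        if msg_type == NB_SESSION_REQUEST and length > LEGIT_SESSION_REQUEST_LEN:
            reasons.append(f"oversized session request ({length} bytes)")
            if payload.startswith(b"\xff" * 83):
                reasons.append("overflow filler (83 x 0xFF) at start of request")
    return reasons


class ConnectionTracker:
    """Flag a source that opens two TCP/139 connections inside a short window,
    matching the two-connection sequence described in the notes."""

    def __init__(self, window_s: float = RAPID_CONNECTION_WINDOW_S) -> None:
        self.window_s = window_s
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, src_ip: str, ts: float) -> bool:
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= 2


# --- constructed sample traffic (no shellcode, only the shapes the notes describe) ---

def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: 15-char padded name + type suffix,
    each byte split into two nibbles offset from 'A'; 34 bytes total."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a NetBIOS session-service header."""
    length = len(payload)
    flags = 0x01 if length >= 0x10000 else 0x00
    return bytes([msg_type, flags]) + (length & 0xFFFF).to_bytes(2, "big") + payload


BENIGN_STREAM = build_frame(NB_SESSION_REQUEST,
                            encode_nb_name("ROUTER") + encode_nb_name("WORKSTATION"))
SPRAY_STREAM = build_frame(NB_SESSION_MESSAGE, SPRAY_PATTERN * 4000)
OVERSIZED_REQUEST = build_frame(NB_SESSION_REQUEST, b"\xff" * 83 + b"B" * 100)

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("spray", SPRAY_STREAM),
                     ("oversized", OVERSIZED_REQUEST)):
        print(label, score_stream(s))
```

The parser deliberately returns a truncated trailing frame rather than discarding it, because the overflow stage can be cut off by a reset before the declared length arrives; scoring on the declared length still catches it.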
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-v596-x9hf-63gj: A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages
ghsa_unreviewed · 2022-05-14 · CVE-2018-7445 · CRITICAL · CWE-119
Description: same text as the CVE summary above.
VulnCheck
MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability
vulncheck · 2018 · CVSS 9.8 · CVE-2018-7445 · CRITICAL · CWE-119
In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.
Affected: MikroTik RouterOS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware ; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/a4ebb4cef4b7
Remediation Due: 2022-09-29
CISA
MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability
cisa · 2022-09-08 · CVSS 9.8 · CVE-2018-7445 · CRITICAL · CWE-119
Affected: MikroTik RouterOS
In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.
Required Action: Apply updates per vendor instructions.
Notes: https://www.coresecurity.com/core-labs/advisories/mikrotik-routeros-smb-buffer-overflow#vendor_update , https://mikrotik.com/download ; https://nvd.nist.gov/vuln/detail/CVE-2018-7445
Remediation Due Date: 2022-09-29
No detection rules found.
Trailofbits
A deep dive into Linux's new mseal syscall
blogs_trailofbits · 2024-10-25
If you love exploit mitigations, you may have heard of a new system call named `mseal` landing into the Linux kernel's 6.10 release, providing a protection called "memory sealing." Beyond notes from the authors, very little information about this mitigation exists. In this blog post, we'll explain what this syscall is, including how it's different from prior memory protection schemes and how it works in the kernel to protect virtual memory. We'll also describe the particular exploit scenarios that `mseal` helps stop in Linux userspace, such as stopping malicious permissions tampering and preventing memory unmapping attacks.
## What mseal is (and isn't)
Memory sealing allows developers to make memory regions immutable from illicit modifications during program runtime. When a virtual memory address (VMA) range is sealed, an attacker with a code execution primitive cannot perform subsequent virtual memory operations to change the VMA's permissions or modify how it is laid out for their benefit.
If you're like me and followed the spicy discourse surrounding this syscall in the kernel mailing lists, you may have observed that Chrome's Security team introduced it to support their V8 CFI strategy, initially for Linux-based ChromeOS. After some lengthy deliberation and several rewrites, it finally landed in the kernel, with plans to expand its use case beyond browsers with its integration into glibc,
Securelist
New trends in the world of IoT threats
blogs_securelist · 2018-09-18
Authors
- Mikhail Kuzin
- Yaroslav Shmelev
- Vladimir Kuskov
Cybercriminals' interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn't bode well for the years ahead.
We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.
[Figure: Number of malware samples for IoT devices in Kaspersky Lab's collection, 2016-2018.]
One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypot
Securelist
APT Trends report Q1 2018
blogs_securelist · 2018-04-12
Authors
- GReAT
In the second quarter of 2017, Kaspersky's Global Research and Analysis Team (GReAT) began publishing summaries of the quarter's private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.
These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to highlight the significant events and findings that we feel people should be aware of. For brevity's sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information on a
arXiv
Characterising attacks targeting low-cost routers: a MikroTik case study (Extended)
arxiv_fulltext · 2020-11-03
## Introduction
Network infrastructure devices have been actively exploited by cyber actors. A variety of attacks can be carried out by abusing such devices. In 2018, more than half a million low-cost routers were infected by the VPNFilter malware. With a view to disrupting that malware campaign, the Federal Bureau of Investigation (FBI) issued an urgent request for users to reboot their routers. In the same year, there were several other campaigns aimed at low-cost routers (e.g. GhostDNS malware, Navidade and SonarDNS). Infrastructure devices can be used for last-mile access as well as to manage interdomain routing (BGP). Half of the core routers used in one of the biggest internet exchanges in the world (connecting 1467 autonomous systems) are manufactured by MikroTik. This m
References
- http://seclists.org/fulldisclosure/2018/Mar/38
- http://www.securityfocus.com/bid/103427
- https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
- https://www.exploit-db.com/exploits/44290/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7445
Timeline
- 2018-03-19: Published
- 2022-09-08: Added to CISA KEV
- Exploited in the wild