During early March 2022, Microsoft released a security tool to scan for vulnerabilities associated with Mikrotik devices which run RouterOS.
The tool is a credentialed scanner written in Python which logs in via SSH to run a variety of commands to gather information. The tool & code is available on Microsoft’s git repo for RouterOS-Scanner.
Once you have downloaded the code, you can run the program by executing:
./main.py -i [addr_of_router] -p [ssh_port] -u [admin_user] -ps [admin_password]
Overview of Commands
According to the source code, the following commands are performed:
- Version() – Compares the RouterOS version against list of CVEs, and displays relevant vulnerabilities.
- Scheduler() – Checks if suspicious tasks are scheduled.
- Files() – Checks if suspicious files are stored in NVRAM.
- FWNat() – Checks if NAT is misconfigured, where public IPs might be used for malicious activity.
- Proxy() – Checks if proxy service is enabled.
- Socks() – Checks if SOCKS is enabled.
- DNS() – Checks if router is susceptible to DNS cache poisoning.
- Users() – Checks if the username is default and whether an ACL exists to permit login only from allowed IP range.
- Ports() – Checks to see if default ports have been suspiciously changed. Also suggests to change the default SSH port.
- FW() – Shows firewall configuration.
When I ran this against the device used at home, it alerted me to some potential changes I could make to harden my router.
I do not use the DNS feature in RouterOS, so I disabled it.
While I obviously changed the default password, the scanner suggested creating a new user, adding it to the full group, and deleting the default user.
Finally, the last suggestion to review was the list of CVEs affecting the device. All of them were associated with Denial of Service attacks from authenticated users (internal to the network), mostly in the form of memory corruption exploits and a couple of crafted packet exploits. These were easily fixed by upgrading to the latest firmware.