Scanning Results

The port 8291 scan ran from November 30, 2019 through December 2, 2019. The scan found 578,456 MikroTik routers with port 8291 open to the internet. The raw results are on GitHub.

The scan total, 578,456, should be considered a floor, because I didn’t scan the entire internet. Due to time constraints and lack of infrastructure, I only scanned addresses found in @PACKET_TEL’s March 2019 port 8291 TCP scan and addresses gathered from various MikroTik-centric Shodan queries (FTP, SNMP, HTTP, HTTP Proxy, Telnet, and PPTP).

The scanner extracted RouterOS versions from all 578,456 routers so I have the unique opportunity to opine on the patching habits of RouterOS administrators.

On Patching

During the scan period, the most recent MikroTik RouterOS versions were 6.45.7 (Stable) and 6.44.6 (Long-term). Both were released on October 28, 2019. Administrators had more than a month to upgrade to these versions before I started my scan. The following chart shows how many routers were upgraded to the latest versions of RouterOS.

You aren’t misreading that. Approximately 15% of the scanned routers were using the latest versions of RouterOS. 15%. One month after release.

This is particularly bothersome to me because 6.44.6 and 6.45.7 addressed serious unauthenticated vulnerabilities previously disclosed. The attack vector for those vulnerabilities is the Winbox interface on port 8291, and we’ve observed one of the vulnerabilities (CVE-2019-3978) hitting our Winbox honeypot. Below is 37.49.231.122 poisoning the DNS cache for mikrotik.com, upgrade.mikrotik.com, and about 180 other cryptocurrency-related addresses.

Why is it always cryptocurrency shit?
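The defender's side of the poisoning shown above is checking a router's own DNS cache for answers that disagree with a resolver you trust. The script below is an added example, not code from the post or from MikroTik: it assumes the text of `/ip dns cache print` as captured from the RouterOS CLI (a "Flags:" line, a header line, then rows of `<#> [S] <NAME> <ADDRESS> <TTL>`), and both the sample dump and the trusted answers in it are constructed.

```python
"""Check a RouterOS DNS cache dump for entries that disagree with a trusted resolver.

Added example, not part of the original post. The dump layout is assumed
from the RouterOS CLI; the dump and the trusted answers below are constructed.
"""
import re

# Names worth watching on any router: the vendor's own update domains plus
# whatever your users resolve for wallets or banking. In practice the trusted
# answers come from a resolver you control; here they are constructed.
TRUSTED = {
    "mikrotik.com": {"203.0.113.5"},
    "upgrade.mikrotik.com": {"203.0.113.6", "203.0.113.7"},
}

# One cache row: index, optional static flag "S", name, address, ttl.
_ROW_RE = re.compile(r"^\s*(\d+)\s+(S\s+)?(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cache(dump):
    """Return [(name, address, ttl, is_static)] for each row; the Flags and
    header lines do not start with a digit and are skipped by the regex."""
    rows = []
    for line in dump.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append((m.group(3).lower(), m.group(4), m.group(5), bool(m.group(2))))
    return rows


def find_poisoned(rows, trusted=TRUSTED):
    """Return [(name, cached_address, expected_addresses)] for every watched
    name whose cached answer is not one the trusted resolver gives."""
    return [(name, addr, sorted(trusted[name]))
            for name, addr, _ttl, _static in rows
            if name in trusted and addr not in trusted[name]]


# Constructed dump: the mikrotik.com row carries an address the trusted
# resolver never returns, which is what a poisoned cache looks like.
SAMPLE_DUMP = """\
Flags: S - static
 #   NAME                       ADDRESS           TTL
 0   mikrotik.com               198.51.100.77     23h59m50s
 1   upgrade.mikrotik.com       203.0.113.6       1h2m3s
 2   example.net                192.0.2.44        10m
 3 S router.lan                 10.0.0.1          1d
"""

if __name__ == "__main__":
    for name, cached, expected in find_poisoned(parse_cache(SAMPLE_DUMP)):
        print(f"POISONED? {name} -> {cached} (trusted resolver says {expected})")
```

Run it against a dump copied from the router, or feed it the output of a scripted `/ip dns cache print` collected over SSH; a hit on a vendor update domain is a strong signal to flush the cache and upgrade before the next update check resolves through an attacker's server.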

Of course, the October vulnerabilities aren’t the only unauthenticated port 8291 vulnerabilities I’ve published this year. In February, MikroTik fixed CVE-2019-3924, a firewall bypass I found. However, less than 50% of the scanned routers have patched against it.

Admittedly, the bypass does have some limitations, but it’s still useful. In practical terms, it’s probably best used for internet or LAN scanning. But, as I detailed in my writeup, it can be used to deliver exploits into the LAN too. So I’m a little bewildered to find a couple hundred thousand routers are still vulnerable ten months after disclosure.

At least most of the scanned routers are patched against CVE-2018-14847 nowadays. Although how much credit goes to administrators or vigilante grey hats is hard to say.
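The percentages above come from comparing each router's reported RouterOS version against the versions that carry a given fix. The subtle part is that a fix ships on more than one branch, so a plain numeric comparison gets it wrong: 6.45.6 is numerically above the long-term fix 6.44.6 yet is still vulnerable, because the fix for the 6.45 branch is 6.45.7. The script below is an added example, not the author's scanner; it assumes the scanner wrote one `ip,version` record per line (the records in it are constructed), and the only fix versions it knows are the two the post names for the October 2019 Winbox fixes (6.45.7 stable, 6.44.6 long-term). Other advisories would need their published fix versions added to `ADVISORIES`.

```python
"""Tabulate RouterOS patch status from a port 8291 scan's (ip, version) records.

Added example, not the author's scanner. Record format and the sample
records are assumptions; fix versions for the October 2019 Winbox fixes are
the ones the post names.
"""
import re
from collections import Counter

# Version strings RouterOS reports: "6.45.7", "6.44.6", "6.43rc66", "6.46beta30".
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(?:(rc|beta)\s*(\d+))?$", re.I)
_STAGE = {"beta": 0, "rc": 1}   # pre-release tags sort below the final release (2)

LATEST = ("6.45.7", "6.44.6")   # stable / long-term during the scan window (from the post)
ADVISORIES = {
    # Fix versions per branch; a later branch (e.g. 6.46) is assumed to carry the fix.
    "CVE-2019-3978 (Oct 2019 Winbox fixes)": LATEST,
}


def parse_version(text):
    """Return (major, minor, patch, stage, stage_no) or None if not a version string."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE.get((stage or "").lower(), 2), int(stage_no or 0))


def is_patched(version, fixed_versions):
    """True if `version` is at or above the fix for its own 6.x branch.

    6.45.6 is NOT patched even though 6.45.6 > 6.44.6: the 6.45 branch fix is
    6.45.7. A branch with no listed fix is compared against the highest fix
    version, so older branches count as unpatched and newer ones as patched.
    Unparseable strings count as unpatched, the conservative default.
    """
    v = parse_version(version)
    if v is None:
        return False
    fixes = [f for f in map(parse_version, fixed_versions) if f is not None]
    branch_fix = {f[:2]: f for f in fixes}.get(v[:2])
    return v >= (branch_fix if branch_fix is not None else max(fixes))


def parse_records(text):
    """Parse "ip,version" lines into [(ip, version)], skipping blank lines."""
    out = []
    for line in text.splitlines():
        if "," in line:
            ip, ver = line.split(",", 1)
            out.append((ip.strip(), ver.strip()))
    return out


def share_on_latest(records):
    """(routers running one of LATEST, total): the post's "about 15%" figure."""
    return sum(1 for _, ver in records if ver in LATEST), len(records)


def patch_rates(records, advisories=ADVISORIES):
    """{advisory: (patched_count, total)} for each advisory."""
    return {name: (sum(1 for _, ver in records if is_patched(ver, fixes)), len(records))
            for name, fixes in advisories.items()}


def version_histogram(records):
    return Counter(ver for _, ver in records)


# Constructed scan output; addresses are documentation-range placeholders.
SAMPLE = """\
192.0.2.10,6.45.7
192.0.2.11,6.44.6
192.0.2.12,6.45.6
192.0.2.13,6.43.12
192.0.2.14,6.40.8
192.0.2.15,6.46beta30
192.0.2.16,6.42.1
192.0.2.17,6.44.6
192.0.2.18,bogus
192.0.2.19,6.41.3
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    n, total = share_on_latest(recs)
    print(f"on latest: {n}/{total} ({100 * n / total:.0f}%)")
    for name, (p, t) in patch_rates(recs).items():
        print(f"{name}: {p}/{t} patched")
    print(version_histogram(recs).most_common(3))
```

The branch-aware comparison is what keeps the "patched" bucket honest; a scan that only checks `version >= 6.44.6` would count the 6.45.6 router above as fixed.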

That’s not to say that our honeypot hasn’t seen CVE-2018-14847 thrown around. Quite the opposite. Like other honeypotters, we still see it multiple times a day. Somewhat interestingly, it appears that the attackers are just slinging Exploit-DB 45170.

CVE-2018-14847 in the wild vs my published version.

Full control of the device is possible via the Winbox port, yet attackers are just grabbing our honeypot’s admin credentials and moving on. Perhaps that just speaks to the level of sophistication of spray and pray attackers? Or perhaps stage 2 of the attack is meant to happen later.

Regardless, I guess I can’t expect uniform patch cycles for all MikroTik routers since the models vary so much. The rack mounted CCR1072-1G-8S+ with its 72 cores and advertised 80 Gbps throughput has a very different use case than a tiny dual core RB750Gr3. I expect a professional, full time administrator to be maintaining the CCR while the RB750Gr3, like most home routers, probably sees little to no maintenance. With that in mind, I sought to figure out what type of MikroTik devices I had actually scanned.

Approximating Scanned Hardware

Unfortunately, the Winbox interface doesn’t share the platform’s hardware without authentication. But Shodan does have a lot of results from MikroTik routers that have exposed their SNMP interface to the internet.

This blog is not a paid advertisement by Shodan. But it could be. Call me, Shodan!

I downloaded the Shodan SNMP results and matched them up with the IP addresses that my port 8291 scan had identified as MikroTik routers. The overlap wasn’t that great. I could only match about 10% of my scanned data against the Shodan results (58,951 / 578,619). Again, you can grab the raw results off of GitHub.

Perhaps 10% is a bad sample size. I’m a programmer turned bug hunter, not a statistician, but I think it should be representative. Regardless, the results were surprising to me. The chart below maps the top 10 platforms:

If you aren’t familiar with MikroTik routers, only one of these is a small home router (RB951Ui-2HnD). Everything else is virtualized (x86) or a rack mounted platform. The top two platforms CCR1036-8G-2S+ and CCR1036-12G-4S each have 36 cores and are advertised to support 28 Gbps and 16 Gbps throughput respectively. These aren’t sitting in your living room. They are sitting in an ISP somewhere, and should have professionals applying patches.
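The join described in the previous section (scan hits on one side, Shodan SNMP banners on the other, then a count of board names) is simple enough to show end to end. The script below is an added example, not the author's code or Shodan's: it assumes Shodan's JSON-lines export layout (one object per line with an `ip_str` field and a raw `data` banner) and a MikroTik sysDescr of the form `RouterOS <board name>` inside that banner, and all the records in it are constructed.

```python
"""Join a port 8291 scan's hits with Shodan SNMP banners to approximate hardware.

Added example, not the author's code. The Shodan record layout and the
"RouterOS <board>" sysDescr form are assumptions; every record below is
constructed.
"""
import json
import re
from collections import Counter

_BOARD_RE = re.compile(r"RouterOS\s+([A-Za-z0-9][\w+.-]*)")


def board_from_banner(banner):
    """Board name from a sysDescr such as "RouterOS CCR1036-8G-2S+", else None."""
    m = _BOARD_RE.search(banner)
    return m.group(1) if m else None


def join_platforms(scan_ips, shodan_jsonl):
    """Return (matched_ips, board_counts).

    matched_ips: scan IPs that also appear in the Shodan SNMP data.
    board_counts: Counter of board names for matched IPs whose banner carries
    a parseable sysDescr. A matched IP with no recognisable board is counted
    in matched_ips only, so the two totals can legitimately differ.
    """
    matched, boards = set(), Counter()
    for line in shodan_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = rec.get("ip_str")
        if ip not in scan_ips:
            continue                       # SNMP-exposed but not in the 8291 scan
        matched.add(ip)
        board = board_from_banner(rec.get("data", ""))
        if board:
            boards[board] += 1
    return matched, boards


def top_platforms(board_counts, n=10):
    """The post's "top 10 platforms" table as [(board, count)]."""
    return board_counts.most_common(n)


# Constructed inputs: scan hits (ip -> RouterOS version) and Shodan SNMP records.
SCAN_HITS = {f"192.0.2.{i}": "6.45.7" for i in range(1, 9)}
_SNMP = [
    ("192.0.2.1", "RouterOS CCR1036-8G-2S+"),
    ("192.0.2.2", "RouterOS CCR1036-12G-4S"),
    ("192.0.2.3", "RouterOS RB951Ui-2HnD"),
    ("192.0.2.4", "RouterOS CCR1036-8G-2S+"),
    ("192.0.2.5", "Linux gateway 4.19"),            # in the scan, but no RouterOS banner
    ("192.0.2.6", "RouterOS x86"),
    ("198.51.100.9", "RouterOS CCR1009-7G-1C-1S+"),  # SNMP exposed, not in the scan
]
SHODAN_JSONL = "\n".join(
    json.dumps({"ip_str": ip, "port": 161, "data": f"SNMP:\n  Description: {descr}\n"})
    for ip, descr in _SNMP)

if __name__ == "__main__":
    matched, boards = join_platforms(set(SCAN_HITS), SHODAN_JSONL)
    print(f"matched {len(matched)}/{len(SCAN_HITS)} scanned routers to SNMP data")
    for board, count in top_platforms(boards):
        print(f"{count:4d}  {board}")
```

Keeping the match count and the board count separate matters for the "10%" figure: the denominator is every scanned router, the numerator only those whose SNMP banner both exists and names a board.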