Wednesday, March 8, 2017

WikiLeaks - what has the CIA been up to?

Wikileaks just released some CIA documents, and there appears to be a working exploit against Mikrotik HTTPD, allowing full device compromise.

Looks like a POST exploit:

"CIA malware targets Windows, OSx, Linux, routers"
  • https://wikileaks.org/ciav7p1/cms/files/UsersGuide.pdf
  • https://wikileaks.org/ciav7p1/cms/files/DevelopersGuide.pdf
  • https://www.wired.com/2017/03/wikileaks-cia-hacks-dump/
  • http://www.independent.co.uk/life-style ... 16826.html
  • https://www.manitonetworks.com/mikrotik ... -hardening
  • On March 7th, 2017, Wikileaks made public a set of documents that is being referred to as “Vault 7”. This is a large collection of documents purported to belong to the United States Central Intelligence Agency (CIA) Center for Cyber Intelligence. According to Wikileaks, this disclosure is the first one; additional disclosures will be coming in the near future.

    According to the released documents, the CIA supposedly has tools that can inject malicious tools into RouterOS devices, if the public interface of the RouterOS device has no firewall on port 80. The exploit is called "ChimayRed".

    Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20250630.html:

    "ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed"

    Also, it seems that this exploit may not be functional in RouterOS versions above v6.30.1 (released 2015-07-15).

    Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20251203.html:

    "Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2"

    Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.4 'current' and 6.37.5 'bugfix' or newer). We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.4 which removes any malicious files in devices that have been compromised. MikroTik will follow Wikileaks for any new information on this exploit.

    Most RouterBOARD products come with default firewall rules that already protect against malicious access from the public interface. If you have disabled these rules, or have cleared the default config, please apply firewall rules on the public interfaces of your devices to block access to port 80, upgrade RouterOS to the latest version and follow general router protection guides in our documentation, like limiting access only to your own IP address and disabling unused services.
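The hardening MikroTik describes above (block port 80 on the public interface, restrict management to your own addresses, disable unused services), written out as RouterOS CLI. This is an added example, not from the original post, the Vault 7 documents or MikroTik's own documentation; it assumes ether1 is the WAN interface and 192.168.88.0/24 is the trusted management LAN.

```routeros
# Added example (RouterOS 6.x CLI). Assumptions: ether1 is the public (WAN)
# interface, 192.168.88.0/24 is the management LAN.

# Weak state the post describes: default rules cleared, so nothing in the
# input chain stops WAN traffic reaching the www service on TCP/80.
# Check the current state before changing anything:
/ip firewall filter print where chain=input
/ip service print

# 1. Firewall the router itself (input chain). Keep established/related
#    traffic working, drop new connections to port 80 from the WAN side,
#    then drop everything else that arrives on the WAN interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input in-interface=ether1 protocol=tcp dst-port=80 action=drop comment="drop WAN access to HTTP (www)"
add chain=input in-interface=ether1 action=drop comment="drop all other input from WAN"

# 2. Limit management services to the LAN only, and disable the unused ones
#    (the www service is what the ChimayRed exploit targets).
/ip service
set www address=192.168.88.0/24
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
disable telnet
disable ftp
disable api
disable api-ssl
disable www-ssl

# 3. Verify: the rules appear in order, and www/winbox/ssh show the
#    address restriction while the others are flagged as disabled (X).
/ip firewall filter print where chain=input
/ip service print
```

After applying this, confirm from an address outside 192.168.88.0/24 that port 80 on the WAN address no longer answers, and keep RouterOS on the current release as the statement recommends.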
