Abusing container mount points on MikroTik's RouterOS to gain code execution

I’m seeing a few unhappy comments about this, so I’ll just point out a couple of things:

1. This was introduced in a beta. It was then removed from subsequent betas until a fix could be found.

2. Running docker on a router could be really helpful in some cases, especially for small ISPs such as mine. For example: being able to run a recursive DNS resolver at the broadcast tower (ie nearer the customer) without having to run an entire server would be great. Or running a Prometheus exporter on the router for metric collection. Or for local processing/archiving of netflow data.

There are some really helpful use cases for this, but they are not the normal devops reasons for using docker.

justsomehnguy · 3 years ago

It is even more amusing what this would be used by most for running something like piHole.

This is seriously the last straw for me, I'll be switching away from Mikrotik to OpenWRT devices, a router should stay a router, not run containers!

The attack area on a router should shrink, not grow!

kirenida · 3 years ago

I installed OpenWrt on my mikrotik hap ac2 because I had problems streaming audio over wireless from my laptop to my raspberry.

I posted on mikrotik forums, even contacted support, all to no avail. Not what I expected from mikrotik and a device marketed as a "home router".

After installing openwrt, everything just worked as expected.

oakwhiz · 3 years ago

Support, as well as detailed, rigorous documentation in a technical writing style, are definitely lacking with Mikrotik products. There is a lot of assumed knowledge in the process of specifying and then purchasing from them. However the price, support and feature set are not too bad if you're able to determine ahead of time that it would all be suitable for your environment.

necheffa · 3 years ago

So...disable the container feature?

Do you just not review the configuration of your networking equipment?

It is a convenient way to maximize hardware in SOHO deployments.

gunapologist99 · 3 years ago

Edge equipment should not be multi-purpose, "maximizing hardware" or not.

This pursuit of saving money has given us weak boundaries that are relatively easy to cross, which will ultimately cost substantially more given any successful attack. The risk of an attack is an existential threat to the business itself. Do you really want to risk your entire business because you are trying to save a few hundred for a separate device?

There are places to try to save money and consolidate workloads, but edge routers are not it.

yjftsjthsd-h · 3 years ago

I was initially inclined to agree, especially since openwrt can run docker too, but I think it's fair to question both defaults and supported modes of operation, and how much work it is to go from the default to the desired target state. If out of the box openwrt has less attack surface and you have to go out of your way to add those features, that's probably better than a jack-of-all-trades that comes out of the box with loads of attack surface that you have to pare down and hope that removing the features you don't want is possible/supported.

oherrala · 3 years ago

RouterOS by default doesn't have container support. It's a separate package which has to be installed on the system. And it is still in testing / beta phase.

justsomehnguy · 3 years ago

Oh boy, what you wanna do when you learn what there are switches there what have a complete PC in them, running Debian?

Eg: https://www.servethehome.com/dell-s5232f-on-hands-on-a-vastl...

mcspiff · 3 years ago

Might want to stay away from the Turris routers, while openwrt based they also support running containers ;-)

oakwhiz · 3 years ago

Containers are an optional add-on package that is only present in the unstable release channel

detaro · 3 years ago

... OpenWRT also can run containers.