Abusing container mount points on MikroTik's RouterOS to gain code execution (nns.ee)
54 points by xx_ns 3 days ago | hide | past | favorite | 15 comments

I’m seeing a few unhappy comments about this, so I’ll just point out a couple of things:

1. This was introduced in a beta. It was then removed from subsequent betas until a fix could be found.

2. Running docker on a router could be really helpful in some cases, especially for small ISPs such as mine. For example: being able to run a recursive DNS resolver at the broadcast tower (ie nearer the customer) without having to run an entire server would be great. Or running a Prometheus exporter on the router for metric collection. Or for local processing/archiving of netflow data.

There are some really helpful use cases for this, but they are not the normal devops reasons for using docker.

It is even more amusing that this would be used by most for running something like Pi-hole.

This is seriously the last straw for me; I'll be switching away from MikroTik to OpenWrt devices. A router should stay a router, not run containers!

The attack area on a router should shrink, not grow!

I installed OpenWrt on my MikroTik hAP ac2 because I had problems streaming audio over wireless from my laptop to my Raspberry.

I posted on the MikroTik forums and even contacted support, all to no avail. Not what I expected from MikroTik and a device marketed as a "home router".

After installing openwrt, everything just worked as expected.

Support, as well as detailed, rigorous documentation in a technical writing style, is definitely lacking with MikroTik products. There is a lot of assumed knowledge in the process of specifying and then purchasing from them. However, the price, support and feature set are not too bad if you're able to determine ahead of time that it would all be suitable for your environment.

I did get very technical support in the forums, down to the level of tracking latencies and detailed packet inspection. But that was way too low-level and over my head for something that worked out of the box on several previous OpenWrt installs on much weaker hardware.

I like the idea of MikroTik and understand that they are pretty powerful for the price, but as you said, they require a certain level of experience and knowledge to wrangle them to the user's liking.

So...disable the container feature?

Do you just not review the configuration of your networking equipment?

It is a convenient way to maximize hardware in SOHO deployments.

Edge equipment should not be multi-purpose, "maximizing hardware" or not.

This pursuit of saving money has given us weak boundaries that are relatively easy to cross, which will ultimately cost substantially more given any successful attack. The risk of an attack is an existential threat to the business itself. Do you really want to risk your entire business because you are trying to save a few hundred for a separate device?

There are places to try to save money and consolidate workloads, but edge routers are not it.

I was initially inclined to agree, especially since openwrt can run docker too, but I think it's fair to question both defaults and supported modes of operation, and how much work it is to go from the default to the desired target state. If out of the box openwrt has less attack surface and you have to go out of your way to add those features, that's probably better than a jack-of-all-trades that comes out of the box with loads of attack surface that you have to pare down and hope that removing the features you don't want is possible/supported.

RouterOS by default doesn't have container support. It's a separate package which has to be installed on the system. And it is still in testing / beta phase.

Oh boy, what are you gonna do when you learn that there are switches out there that have a complete PC in them, running Debian?

Eg: https://www.servethehome.com/dell-s5232f-on-hands-on-a-vastl...

Might want to stay away from the Turris routers; while OpenWrt-based, they also support running containers ;-)

Containers are an optional add-on package that is only present in the unstable release channel.

... OpenWrt can also run containers.

Oh boy, glad I moved mine to SwitchOS I guess. This being a beta means I would've ended up with this eventually, and Docker is just not something I want on a network device.

Seriously considering replacing this, with MikroTik showing up so often.

Edit: Any recommendations for 10GbE switches with ~8 ports would be appreciated, likely encouraging me to follow through
