Major MikroTik RouterOS Flaw Puts Over Half a Million Devices at High Risk

MikroTik RouterOS Security Gap

A severe privilege escalation vulnerability in MikroTik RouterOS exposes devices to remote compromise, allowing attackers to execute arbitrary code and gain full control over the affected equipment.

Tracked as CVE-2023-30799 (CVSS score: 9.1), the flaw is estimated to put between 500,000 and 900,000 RouterOS systems at risk of exploitation through their web or Winbox interfaces, according to a report VulnCheck published on Tuesday.

“Authenticating is required to exploit CVE-2023-30799,” said security researcher Jacob Baines. “The vulnerability is a straightforward privilege escalation from ‘admin’ to ‘super-admin,’ resulting in access to any function. Gaining RouterOS system credentials is not as challenging as you might think.”

MikroTik’s RouterOS operating system has no protection against password brute-force attacks and ships with a widely known default “admin” user, whose password was an empty string until October 2021. Starting with RouterOS 6.49, administrators are prompted to replace the blank password.

Margin Research first disclosed CVE-2023-30799 in June 2022 as an exploit named FOISted, without an assigned CVE identifier. The flaw was not patched until October 13, 2022, in RouterOS stable version 6.49.7, and on July 19, 2023, in RouterOS Long-term version 6.49.8.

VulnCheck noted that MikroTik released a patch for the Long-term branch only after VulnCheck contacted the vendor directly, having “unveiled new exploits that targeted a broader range of MikroTik hardware.”

VulnCheck’s proof-of-concept (PoC) shows that FOISted can be adapted into a new exploit chain for MIPS-based devices that yields a root shell on the router.

“RouterOS has a long history of being targeted by APTs. Considering FOISted was disclosed over a year ago, we must assume we’re not the first to discover this,” Baines stated.

“Detection, unfortunately, is nearly impossible. The RouterOS web and Winbox interfaces employ proprietary encryption schemes that neither Snort nor Suricata can decrypt and inspect. Once an attacker has gained control over the device, they can easily become invisible to the RouterOS UI.”

Given that vulnerabilities in MikroTik routers have previously been exploited to build distributed denial-of-service (DDoS) botnets such as Mēris, users are advised to update promptly to the latest version (6.49.8 or 7.x).

Recommended mitigations include removing MikroTik admin interfaces from the internet, restricting the IP addresses from which administrators can log in, disabling the Winbox and web interfaces, and configuring SSH to use public/private key authentication with password login disabled.
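As an added illustration of those mitigations (not code from the article or from VulnCheck), the script below audits a RouterOS-style `/export` fragment for the exposed settings and pairs each finding with the RouterOS command that applies the corresponding hardening step. The export text is a constructed sample in the `/path` then `set item key=value` layout, and the `192.168.88.0/24` management subnet is an assumed value; confirm the command syntax against your RouterOS version before applying it.

```python
# Constructed sample in the layout of a RouterOS `/export` (not from the article).
WEAK_EXPORT = """\
/ip service
set www disabled=no address=0.0.0.0/0
set winbox disabled=no
set ssh disabled=no port=22
/ip ssh
set always-allow-password-login=yes
/user
set admin address=0.0.0.0/0
"""
MGMT_NET = "192.168.88.0/24"  # assumed management subnet, not from the article

def parse_export(text):
    """Return {section: {item: {key: value}}}. Settings absent from an export
    are at their RouterOS defaults, so a missing key must not be read as safe."""
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            cfg.setdefault(section, {})
        elif line.startswith("set ") and section:
            parts = line.split()
            item = "" if "=" in parts[1] else parts[1]  # /ip ssh has no item name
            kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            cfg[section].setdefault(item, {}).update(kv)
    return cfg

def audit(text):
    """Return (finding, RouterOS remediation command) pairs for each mitigation not yet applied."""
    cfg, findings = parse_export(text), []
    svc = cfg.get("/ip service", {})
    for name in ("www", "winbox"):          # both are enabled by default
        if svc.get(name, {}).get("disabled", "no") == "no":
            findings.append((f"{name} enabled", f"/ip service set {name} disabled=yes"))
    if svc.get("ssh", {}).get("address", "0.0.0.0/0") == "0.0.0.0/0":
        findings.append(("ssh open to any source", f"/ip service set ssh address={MGMT_NET}"))
    if cfg.get("/ip ssh", {}).get("", {}).get("always-allow-password-login") == "yes":
        findings.append(("ssh password login forced on", "/ip ssh set always-allow-password-login=no"))
    if cfg.get("/user", {}).get("admin", {}).get("address", "0.0.0.0/0") == "0.0.0.0/0":
        findings.append(("admin login from any source", f"/user set admin address={MGMT_NET}"))
    return findings

if __name__ == "__main__":
    for finding, fix in audit(WEAK_EXPORT):
        print(f"{finding:30} -> {fix}")
```

Key-based SSH login is enabled by importing a public key with `/user ssh-keys import`; the `always-allow-password-login=no` setting then keeps password login off for that user.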
