MikroTik vulnerability could be used to hijack 900,000 routers (CVE-2023-30799)

A privilege escalation vulnerability (CVE-2023-30799) could allow attackers to commandeer up to 900,000 MikroTik routers, says VulnCheck researcher Jacob Baines.

While exploting it does require authentication, acquiring credentials to access the routers is not that difficult.

“RouterOS [the underlying operating system] ships with a fully functional ‘admin’ user. Hardening guidance tells administrators to delete the ‘admin’ user, but we know a large number of installations haven’t,” Baines explained. “We probed a sample of hosts on Shodan (n=5500) and found that nearly 60% still used the default admin user.”

In addition to this, until October 2021, the default “admin” password was an empty string and there was no prompt for admins to change it.

“Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That’s particularly unfortunate because the system doesn’t offer any brute force protection (except on the SSH interface),” he added.

About CVE-2023-30799

The interesting thing about CVE-2023-30799 is not that it’s a bug that allows elevation of privilege, but that it allow attackers to achieve “super-admin” privileges, which allows them to full access to the device’s OS and to, potentially, make undetectable changes to it.

Even though the vulnerability received a CVE number this year, its existence has been known since June 2022, when Ian Dupont and Harrison Green of Margin Research released an exploit called FOISted that can obtain a root shell on the RouterOS x86 virtual machine.

The vulnerability had been fixed in the RouterOS stable branch later that year (the fix was shipped in v6.49.7), but not in the RouterOS Long-term branch, which consists of less current but still widely used version of the OS.

A patch for RouterOS Long-term was released last week, after the researchers ported and demonstrated the FOISted exploit working on MIPS-based MikroTik devices either via its web or Winbox interface.

What to do?

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively,” Baines noted.

They haven’t made the exploit public, but the race is on; in the past, attackers have been compromising MikroTik routers for a variety of nefarious ends (cryptojacking, setting up C2 communication proxies, exploit delivery).

Also, it’s possible that attackers have already developed an exploit and have been using it without getting noticed.

“Under normal circumstances, we’d say detection of exploitation is a good first step to protecting your systems. Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort or Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI,” Baines shared.

“Microsoft published a toolset that identifies potential malicious configuration changes, but configuration changes aren’t necessary when the attacker has root access to the system.”

Admins/users of MikroTik routers are advised to upgrade to a fixed version (either Stable or Long-term) and, in general, to minimize the attack surface to prevent this type and similar attacks by remote actors.

They can do that by removing MikroTik administrative interfaces from the internet, restricting which IP addresses administrators can log in from, or by disabling the Winbox and the web interfaces, says Baines. “Only use SSH for administration. Configure SSH to use public/private keys and disable passwords.”