More than 900,000 MikroTik devices are impacted by a RouterOS vulnerability leading to arbitrary code execution, vulnerability intelligence provider VulnCheck reports.
Tracked as CVE-2023-30799 (CVSS score of 9.1), the issue is described as a privilege escalation bug impacting RouterOS versions before 6.49.7 and RouterOS long-term versions through 6.48.6.
“A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system,” a NIST advisory reads.
The vulnerability was initially disclosed in June 2022, at the REcon conference, but no CVE identifier was assigned to it. Proof-of-concept (PoC) code demonstrating how a root shell can be obtained on a RouterOS x86 virtual machine was also published at the time.
MikroTik patched the bug in RouterOS stable 6.49.7 in October 2022, without detailing it, VulnCheck says. Patches were released for the RouterOS long-term version as well.
According to VulnCheck, a Shodan search shows that there are many potentially vulnerable devices.
“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively,” VulnCheck notes.
The issue, the firm says, should be taken seriously because it is rather easy to obtain RouterOS credentials and exploit this vulnerability to escalate privileges from admin to ‘super-admin’ – which provides the attacker with access to an arbitrary function call.
On the one hand, attackers can use default RouterOS credentials to compromise devices. On the other hand, they can use various tools to brute-force RouterOS devices, including API, web, and Winbox brute forcing tools (Shodan shows roughly 400,000 devices exposing the RouterOS API).
RouterOS ships with a default ‘admin’ user that is often not removed from devices and which is protected with a default empty string. Attackers can target an observable response discrepancy bug in the Winbox authentication scheme to determine the existence of the default account.
VulnCheck verified 5,500 of the hosts identified via Shodan and found that 60% contained the default admin user account.
“It wasn’t until RouterOS 6.49 (October 2021) that RouterOS started prompting administrators to update blank passwords. Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple,” VulnCheck notes.
The vulnerability went under the radar because the initial exploit only targeted RouterOS x86 virtual machines. However, exploits that target RouterOS hardware have been released as well and administrators are urged to patch devices as soon as possible.
“Under normal circumstances, we’d say detection of exploitation is a good first step to protecting your systems. Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort or Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI,” VulnCheck notes.
Related: Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
Related: Microsoft Releases Open Source Tool for Securing MikroTik Routers
Related: MikroTik Confirms Mēris Botnet Targets Routers Compromised Years Ago