900,000 MikroTik Routers Vulnerable to Privilege Escalation
VulnCheck Issues Warning

Overt Operator
July 26, 2023
As many as 900,000 MikroTik routers, a prime target for cyber threat actors including nation-state groups, are at potential risk of an attack due to a privilege escalation vulnerability (CVE-2023-30799) within the RouterOS operating system.
Researchers from VulnCheck have warned that this vulnerability provides attackers with the ability to seize complete control of affected MIPS-processor-based MikroTik devices, thereby enabling them to infiltrate an organization's network. Attackers can exploit this flaw to execute man-in-the-middle attacks on network traffic processed through the router. RouterOS stable releases before 6.49.7 and long-term releases through 6.48.6 are susceptible to this issue.
Notably, MikroTik counts renowned organizations such as NASA, ABB, Ericsson, Saab, Siemens, and Sprint among its clients. Furthermore, numerous Internet Service Providers (ISPs) utilize MikroTik routers. A Shodan search revealed that between 500,000 and 900,000 MikroTik routers are vulnerable to CVE-2023-30799 via their Web or Winbox interfaces, as of July 18.
MikroTik has released a fix for the impacted RouterOS versions and recommends its swift application. Given the prestigious client list, the implications of this vulnerability are severe.
MikroTik devices have historically been the target of advanced threat actors, including groups like TrickBot, VPNFilter, and the Slingshot advanced persistent threat group, owing to their privileged access to protected networks.
The exploit that VulnCheck has developed necessitates the use of return-oriented programming (ROP), an exploit technique wherein the attacker executes malicious code by stringing together small pieces of existing system code.
The vulnerability can only be exploited by an attacker with authenticated access to a MikroTik device. However, VulnCheck's report suggests that obtaining credentials to RouterOS is relatively straightforward.
RouterOS comes equipped with an "admin" user account with a default password that is an empty string, which many organizations fail to remove, despite MikroTik's advice to do so. Furthermore, RouterOS places no restrictions on passwords, making them easy to guess and susceptible to brute-force attacks.
While MikroTik has been aware of this issue since last October, a CVE identifier and patch were not released until July 20, likely because the vulnerability posed no real-world risk until now.
However, VulnCheck's exploit impacts the MIPSBE architecture utilized in many MikroTik products, making it significantly more consequential than previous exploits.
VulnCheck's research has also weaponized the exploit, for example by eliminating the use of FTP and opting for a reverse shell instead of a bind shell.
To safeguard against these attacks, VulnCheck advises all organizations using affected versions of MikroTik devices to disable their Winbox and Web interfaces, limit the IP addresses from which admins can log in, and transition to using SSH with public/private keys instead of passwords.
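The affected ranges given above (stable before 6.49.7, long-term through 6.48.6) can be checked against a device inventory to decide which routers to patch first. The following is an added example, not code from VulnCheck or MikroTik; it assumes version fields in the form "6.48.6 (long-term)" as printed by /system resource print, and the hostnames and inventory are constructed.

```python
import re

# Affected ranges exactly as the article states them for CVE-2023-30799:
# stable releases before 6.49.7, long-term releases through 6.48.6.
STABLE_FIXED = (6, 49, 7)
LONG_TERM_LAST_AFFECTED = (6, 48, 6)

# Assumed input format: "6.48.6 (long-term)", as shown by /system resource print.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*\(([a-z-]+)\)\s*$")


def classify(version_field):
    """Return 'affected', 'not-affected' or 'not-covered' for one version field."""
    m = _VERSION_RE.match(version_field)
    if not m:
        return "not-covered"  # rc/beta builds or unparsable text: review by hand
    major, minor, patch, channel = m.groups()
    ver = (int(major), int(minor), int(patch or 0))
    if ver[0] != 6:
        return "not-covered"  # the article gives ranges for RouterOS 6 only
    if channel == "stable":
        return "affected" if ver < STABLE_FIXED else "not-affected"
    if channel == "long-term":
        return "affected" if ver <= LONG_TERM_LAST_AFFECTED else "not-affected"
    return "not-covered"  # other release channels are not mentioned in the article


def triage(inventory):
    """Map {hostname: version_field} to {status: sorted hostnames}."""
    report = {"affected": [], "not-affected": [], "not-covered": []}
    for host, field in inventory.items():
        report[classify(field)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "edge-01": "6.48.6 (long-term)",
    "edge-02": "6.49.7 (stable)",
    "edge-03": "6.49.6 (stable)",
    "core-01": "6.49.8 (long-term)",
    "lab-01": "7.10.2 (stable)",
    "lab-02": "6.49rc2 (testing)",
    "branch-01": "6.47 (stable)",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Devices reported as "not-covered" fall outside the ranges the article states and need a manual check against the vendor's advisory.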