
Up to 900K MikroTik Routers at Risk of Complete Takeover


A privilege escalation vulnerability in the RouterOS operating system has exposed up to 900,000 MikroTik routers to potential attacks. Researchers from VulnCheck recently published several new exploits for the CVE-2023-30799 vulnerability, which allows threat actors to gain complete control of MIPS-processor-based MikroTik devices and infiltrate an organization’s network. In addition, attackers can use the vulnerability to carry out man-in-the-middle attacks on network traffic passing through the router. The affected versions of MikroTik RouterOS include stable releases before 6.49.7 and long-term releases through 6.48.6.

According to Jacob Baines, the lead researcher at VulnCheck, the worst-case scenario is that an attacker can install and execute arbitrary tools on the underlying Linux operating system, potentially gaining a root shell on the router. MikroTik, the manufacturer of the affected routers, has released a fix for the impacted RouterOS versions, and administrators are advised to apply the patch promptly.

The potential impact of this vulnerability is significant, considering the wide use of MikroTik routers by numerous well-known organizations, including NASA, ABB, Ericsson, Saab, Siemens, and Sprint. Various Internet Service Providers (ISPs) also rely on MikroTik routers. A Shodan search conducted on July 18 revealed that between 500,000 and 900,000 MikroTik routers were vulnerable to the CVE-2023-30799 vulnerability through their Web or Winbox interfaces.

MikroTik routers have long been attractive targets for advanced threat actors due to their powerful access to protected networks. Groups like TrickBot, VPNFilter, and the Slingshot advanced persistent threat group have previously targeted these devices. In 2022, Microsoft warned of TrickBot actors using compromised MikroTik routers as proxy servers for their command-and-control (C2) infrastructure. Furthermore, an exploit for MikroTik routers was discovered in the Vault 7 Wikileaks data dump, which contained classified CIA documents.

The attack developed by VulnCheck exploits the vulnerability using a technique called return-oriented programming (ROP). ROP is an exploit method where an attacker executes malicious code by chaining together small pieces of existing code on the system. VulnCheck created a new ROP chain specifically designed for RouterOS on the MIPS big-endian (MIPSBE) architecture.

While this vulnerability requires an attacker to have authenticated access to a vulnerable MikroTik device, obtaining credentials for RouterOS is relatively easy. RouterOS ships with an “admin” user account that has an empty password by default. Although MikroTik recommends deleting this account, many organizations fail to do so. Moreover, RouterOS does not enforce any password restrictions, making it susceptible to brute-force attacks.

MikroTik was made aware of this vulnerability by Margin Research in October 2021. However, a patch and CVE identifier for RouterOS Long-term were only released on July 20, 2023. This delay in patching was likely due to the vulnerability not posing any real-world risks until now. Separately, an exploit for the vulnerability named “FOISTed” was discovered by Margin Research in June 2022, but it could only enable root shell access on x86 virtual machines running RouterOS. VulnCheck’s exploit, on the other hand, works on the MIPSBE architecture used in many MikroTik products, making it more impactful.

To mitigate the risks associated with this vulnerability, VulnCheck recommends that organizations using affected versions of MikroTik devices disable their Winbox and Web interfaces. They should also restrict admin login only to specific IP addresses and disable passwords, instead opting for public/private keys for SSH authentication. In the long run, VulnCheck suggests adopting password-less solutions or implementing stronger passwords to prevent brute force attacks.
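The mitigations above, written out as an added RouterOS 6.x CLI example (not from the article, from VulnCheck or from MikroTik); the management subnet 192.168.88.0/24, the uploaded key file name admin-key.pub and the replacement account name netadmin are assumptions to adjust before use, and the device should be upgraded to a fixed release first.

```routeros
# Added example: apply the recommended hardening on a RouterOS 6.x device.
# Assumptions (not from the article): management hosts live in 192.168.88.0/24,
# the SSH public key was already uploaded to the router as "admin-key.pub",
# and the replacement full-rights account is called "netadmin".

# 1. Disable the management interfaces the exploit reaches (Winbox, HTTP, HTTPS)
#    and any other unused services.
/ip service disable winbox
/ip service disable www
/ip service disable www-ssl
/ip service disable telnet
/ip service disable ftp
/ip service disable api
/ip service disable api-ssl

# 2. Keep SSH as the only management path, reachable from the management subnet only,
#    with strong ciphers and no password fallback for users that have a key.
/ip service set ssh address=192.168.88.0/24 port=22
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 3. Replace the default "admin" account: create a named full-rights user bound to
#    the management subnet, attach its public key, then remove the default account.
#    Log in as the new user over SSH and confirm it works BEFORE running "/user remove admin".
/user add name=netadmin group=full address=192.168.88.0/24 password="CHANGE-ME-LONG-PASSPHRASE"
/user ssh-keys import public-key-file=admin-key.pub user=netadmin
/user remove admin

# 4. Verify: only ssh should show as enabled, and no user named "admin" should remain.
/ip service print
/user print
/user ssh-keys print
```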
