A recently published report has highlighted a critical privilege escalation vulnerability, CVE-2023-30799, in MikroTik RouterOS. The vulnerability allows threat actors to execute arbitrary code and gain full control over affected devices, and it is estimated that hundreds of thousands of devices could be at risk.
The vulnerability allows an administrator account to be escalated to a "super administrator". While exploiting it requires authentication, obtaining credentials for a RouterOS system is easier than expected, mainly because MikroTik RouterOS has no protection against brute-force password attacks. Furthermore, before October 2021 the system shipped with a default 'admin' user whose password was an empty string; only with the release of RouterOS version 6.49 were administrators asked to change this blank password.
The impact of CVE-2023-30799 was measured using Shodan, which revealed approximately 474,000 devices vulnerable through their exposed web-based administration page. However, because the vulnerability can also be exploited via the MikroTik management client Winbox, a total of 926,000 devices are exposed, making the actual impact significantly larger. Researchers also noted that such attacks are difficult to detect once they have succeeded: the Web and Winbox interfaces of RouterOS use a custom encryption scheme that cannot be decrypted or inspected by Snort or Suricata, and once attackers have established a connection to a device they can easily hide their presence within the RouterOS user interface. Typically, such vulnerabilities are exploited to build distributed denial-of-service (DDoS) botnets, such as Mēris.
To reduce the risk of attack, users are advised to update to the latest version (6.49.8 or 7.x), which patches this vulnerability. Additional steps to mitigate the risk include removing the MikroTik management interface, limiting the IP addresses allowed for administrator login, disabling the Winbox and Web interfaces in favour of SSH, and configuring SSH to use a public/private key pair instead of a password.
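The mitigation steps above, expressed as RouterOS CLI commands; this is an added example, not configuration from the original report or from MikroTik. The management subnet 192.168.88.0/24, the user name "admin" and the key file name id_ed25519.pub are assumptions for the sake of illustration.

```routeros
# Install the fixed RouterOS release (6.49.8 on the 6.x branch, or 7.x)
/system package update check-for-updates
/system package update install

# Disable the Web and Winbox management interfaces (and other unused
# services) so only SSH remains reachable
/ip service disable www,www-ssl,winbox,telnet,ftp,api,api-ssl

# Restrict SSH itself to the assumed management subnet
/ip service set ssh address=192.168.88.0/24 port=22
/ip ssh set strong-crypto=yes

# Limit the source addresses from which the administrator may log in at all
/user set admin address=192.168.88.0/24

# Replace the blank default password, then move the admin account to
# public-key authentication (id_ed25519.pub must first be uploaded to the
# router's file store, e.g. via scp). With a key imported and
# always-allow-password-login=no, password login for that user is refused.
/user set admin password="<CHOOSE-A-STRONG-PASSWORD>"
/user ssh-keys import public-key-file=id_ed25519.pub user=admin
/ip ssh set always-allow-password-login=no

# Verify the result: only ssh should be enabled, bound to the subnet above
/ip service print
/user ssh-keys print
```

Apply the address restrictions from a session on the management subnet, otherwise the commands lock out the current session.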