Approximately 900,000 routers from MikroTik, which are often targeted by threat actors including nation-state groups, are potentially exposed to a privilege escalation vulnerability in the RouterOS operating system. This vulnerability, identified as CVE-2023-30788, allows attackers to gain full control over the affected MikroTik devices, which use MIPS processors, and infiltrate an organization's network, according to researchers.
The vulnerability can also be exploited to enable man-in-the-middle attacks on network traffic passing through the router. MikroTik RouterOS stable versions before 6.49.7 and long-term versions through 6.48.6 are susceptible to this issue. As per Jacob Baines, the lead researcher, the worst-case scenario would be an attacker installing and executing arbitrary tools on the underlying Linux operating system. Remote, authenticated attackers can exploit this vulnerability to obtain a root shell on the router by escalating admin-level privileges to those of a super-administrator.
MikroTik has issued a fix for the impacted RouterOS versions, and it is crucial for administrators to apply it promptly. MikroTik's clientele includes renowned organizations such as NASA, ABB, Ericsson, Saab, Siemens, and Sprint. Several Internet Service Providers also use its routers. A Shodan search revealed that between 500,000 and 900,000 MikroTik routers are vulnerable to CVE-2023-30788 via their Web or Winbox interfaces.
MikroTik devices have been a target for advanced attackers for a while now as they offer powerful access to protected networks, says Baines. Groups such as TrickBot, VPNFilter, and the Slingshot advanced persistent threat group have targeted these devices. In 2022, Microsoft issued a warning about TrickBot actors using MikroTik routers as proxy servers for its command-and-control (C2) servers. Moreover, the Vault 7 Wikileaks data dump of classified CIA documents contained an exploit for MikroTik routers.
The vulnerability can only be exploited by an attacker with authenticated access to an affected MikroTik device. However, acquiring credentials to RouterOS is relatively straightforward, as RouterOS ships with an 'admin' user account whose default password is an empty string. Many organizations fail to delete this admin account, even though MikroTik recommends doing so. RouterOS does not enforce any restrictions on passwords, making them easy to guess and offering little protection against brute-force attacks.
MikroTik had been aware of this issue since at least last October, but a CVE identifier and a patch for RouterOS Long-term were not released until July 20, likely because the bug had not posed any real-world risk until now. Researchers at a security firm first disclosed the vulnerability and an exploit for it, dubbed 'FOISTed', in June 2022. However, this exploit had no impact on real-world products.
To safeguard themselves, all organizations using affected versions of MikroTik devices are advised to disable the Winbox and Web interfaces, restrict the IP addresses from which admins can log in, and disable password authentication in favour of SSH public/private key pairs. 'Ultimately, our recommendation is to move to a password-less solution,' Baines says. Organizations that must use passwords should at least move to stronger passwords to resist brute-forcing.
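The hardening steps listed above, written out as RouterOS v6 terminal commands. This is an added example, not configuration from the article or from MikroTik; the management subnet 192.168.88.0/24, the user name 'netops' and the key file admin.pub are constructed placeholders, and the commands are assumed to match the RouterOS v6 CLI.

```routeros
# Constructed example: weak factory defaults on the left, hardened state on the right.
# Default state that CVE-2023-30788 chains from:
#   /user print        -> admin, group=full, password="" (empty)
#   /ip service print  -> www 80/tcp and winbox 8291/tcp enabled, address=0.0.0.0/0

# 1. Apply MikroTik's fix first; the other steps only shrink the attack surface.
/system package update check-for-updates
/system package update install

# 2. Create a named full-rights account with an SSH key, then drop the stock 'admin'.
#    'netops' and admin.pub are placeholders; upload the public key via FTP/SFTP first.
/user add name=netops group=full password="replace-with-a-long-random-passphrase" \
    allowed-address=192.168.88.0/24
/user ssh-keys import public-key-file=admin.pub user=netops
/user remove admin

# 3. Disable the Winbox and Web interfaces the article names as the exposure path,
#    plus the other cleartext management services.
/ip service disable www
/ip service disable winbox
/ip service disable telnet
/ip service disable ftp
/ip service disable api

# 4. Restrict the remaining management service (SSH) to the admin subnet only
#    and stop it from accepting passwords now that a key is enrolled.
/ip service set ssh address=192.168.88.0/24
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 5. Belt-and-braces: drop management traffic to the router from anywhere else.
/ip firewall filter add chain=input src-address=192.168.88.0/24 protocol=tcp \
    dst-port=22 action=accept comment="admin subnet SSH" place-before=0
/ip firewall filter add chain=input protocol=tcp dst-port=22,80,443,8291 \
    action=drop comment="block management from non-admin sources" place-before=1

# Verify: admin is gone, only ssh is enabled and bound to the admin subnet.
/user print
/ip service print
```

Run `/user ssh-keys print` after the import to confirm the key is attached to the intended user before removing 'admin', otherwise a failed import would leave the router without a usable full-rights login.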