Over 500K MikroTik RouterOS systems potentially exposed to hacking due to critical flaw

Pierluigi Paganini July 26, 2023

Experts warn of a severe privilege escalation flaw, tracked as CVE-2023-30799, in MikroTik RouterOS that can be exploited to take over vulnerable devices.

VulnCheck researchers warn of a critical vulnerability, tracked as CVE-2023-30799 (CVSS score: 9.1), that can be exploited in large-scale attacks to target over 500,000 RouterOS systems.

“MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface.” reads the advisory published by NIST. “The attacker can abuse this vulnerability to execute arbitrary code on the system.”

MikroTik RouterOS is an operating system designed to run on MikroTik’s line of routers and other network devices.

The CVE-2023-30799 flaw can be exploited by a remote, authenticated attacker to escalate privileges from admin to ‘super-admin’, which in turn allows them to obtain a root shell on the router.

The vulnerability behind CVE-2023-30799 was first disclosed in June 2022 at REcon by Margin Research employees Ian Dupont and Harrison Green. The duo also released a PoC exploit called FOISted that obtains a root shell on the RouterOS x86 virtual machine. The flaw received its CVE identifier on July 19, 2023, and VulnCheck researchers have since published new exploits that work against a wider range of MikroTik hardware.

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively.” reads the analysis published by VulnCheck.

The researchers also point out that RouterOS does not provide brute-force protection and that the default “admin” user password was an empty string until October 2021, when RouterOS 6.49 began prompting administrators to set one. This matters because the flaw requires authentication: a default or weak credential on an exposed Winbox or web interface is all an attacker needs to reach it.

The researchers warn that detecting exploitation is very hard because the RouterOS web and Winbox interfaces use custom encryption schemes that tools such as Snort or Suricata cannot decrypt and inspect. Once an attacker has gained a foothold on the device, they can also make themselves invisible to the RouterOS UI.

The researchers therefore advise watching for brute-force attempts against the management interfaces and for the upload of malicious ELF binaries to the device as ways to spot an ongoing attack.

Below are recommendations provided by the experts:

  1. Remove MikroTik administrative interfaces from the internet.
  2. Restrict which IP addresses administrators can log in from.
  3. Disable the Winbox and web interfaces. Only use SSH for administration.
  4. Configure SSH to use public/private keys and disable passwords.
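The following RouterOS terminal session is an added example, not commands from the article or from VulnCheck's report. It applies the four recommendations above and also covers the two earlier points about missing brute-force protection and detection: it drops management ports from everywhere except the admin network and ships login failures to a remote collector. Everything specific to an environment is a constructed assumption: the admin network 192.0.2.0/24, an OpenSSH public key already uploaded to the router's file store as admin.pub, and a syslog collector at 192.0.2.10:514. Run it over SSH from a host inside 192.0.2.0/24, otherwise the service and firewall changes lock you out.

```routeros
# Added hardening example for CVE-2023-30799 (not the article's or VulnCheck's code).
# Constructed assumptions: admin network 192.0.2.0/24, key file admin.pub already in
# /file, syslog collector 192.0.2.10:514. Execute from an SSH session on 192.0.2.0/24.

# 1. Take the management interfaces off the internet: bind every service to the
#    admin network. Applies even to services that stay enabled below.
/ip service set [find] address=192.0.2.0/24

# 3. Switch off Winbox (8291), www/www-ssl (80/443) and the other remote services;
#    SSH is the only administration path that remains.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl,winbox
/ip service set ssh port=22

# 2. Restrict the admin account itself as well, so the limit still holds if a
#    service binding is loosened later.
/user set admin address=192.0.2.0/24

# 4. Key-based SSH only. With always-allow-password-login=no (the default), a user
#    that has an imported key can no longer log in with a password over SSH.
/user ssh-keys import public-key-file=admin.pub user=admin
/ip ssh set strong-crypto=yes always-allow-password-login=no

# RouterOS has no brute-force lockout for these interfaces, so refuse the management
# ports at the firewall for anything outside the admin network. "add" appends, so if
# the input chain already ends in a catch-all drop, move these rules above it.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="return traffic"
add chain=input protocol=tcp dst-port=22 src-address=192.0.2.0/24 action=accept comment="SSH from admin net"
add chain=input protocol=tcp dst-port=22,80,443,8291,8728,8729 action=drop comment="management ports from anywhere else"

# Detection: send authentication events off-box so brute forcing is visible even if the
# attacker later hides from the local UI. A failed Winbox/web login is logged under
# system,error,critical as "login failure for user admin from <ip> via winbox".
/system logging action add name=siem target=remote remote=192.0.2.10 remote-port=514
/system logging add topics=system,error,critical action=siem
/system logging add topics=account action=siem

# Last, because it reboots the router: move off the vulnerable releases. The advisory
# lists stable before 6.49.7 and long-term through 6.48.6 as affected.
/system resource print
/system package update set channel=stable
/system package update check-for-updates
/system package update install
```

Order matters: the firewall rules reference the same admin network as the service bindings, so change both together, and do the package upgrade last since it reboots the device. The `/ip service set [find] address=...` line is a second layer behind the firewall rather than a replacement for it: RouterOS evaluates the service address list after the packet has already reached the daemon. For the ELF-upload indicator the researchers mention, `/file print` on the router and the `account` topic at the collector are the two places to look; neither is a substitute for patching.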

“As we’ve seen, exploitation of CVE-2023-30799 on hardware turned out to be quite easy. Given RouterOS’ long history of being an APT target, combined with the fact that FOISted was released well over a year ago, we have to assume we aren’t the first group to figure this out.” concludes the report.
