Security experts have warned that hundreds of thousands of routers produced by Latvian networking equipment maker MikroTik are vulnerable to a critical bug which could enable attackers to remotely control affected devices.
VulnCheck researcher Jacob Baines explained in a blog post yesterday that remote, authenticated attackers can use CVE-2023-30799 to obtain a root shell on MikroTik RouterOS routers.
The vulnerability itself was first disclosed in June 2022 but only assigned a CVE after VulnCheck published new exploits, Baines said. A patch is now available, but Baines claimed that around 472,000 RouterOS devices globally are still vulnerable via their web management interface – with the figure rising to more than 920,000 if exploitation happens via the Winbox management client.
The vulnerability itself is a privilege escalation bug with a CVSS score of 9.1.
“A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system,” noted an entry on the National Vulnerability Database (NVD).
Baines warned that although exploitation of the bug requires authentication, this is easier than one might think.
VulnCheck claimed around 60% of RouterOS users are still running a default admin user.
“RouterOS ships with a fully functional ‘admin’ user. Hardening guidance tells administrators to delete the ‘admin’ user, but we know a large number of installations haven’t,” Baines explained.
“To make matters worse, the default ‘admin’ password is an empty string, and it wasn’t until RouterOS 6.49 (October 2021) that RouterOS started prompting administrators to update blank passwords. Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That’s particularly unfortunate because the system doesn’t offer any brute force protection (except on the SSH interface).”
Adding to customers’ woes is the fact that detecting exploitation of CVE-2023-30799 is “nearly impossible”, because the RouterOS web and Winbox interfaces implement custom encryption that threat detection systems such as Snort and Suricata cannot decrypt and inspect, Baines added.
That means the best time to catch an attacker is when they’re attempting to brute force the admin credentials, if they decide to go down that route.
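Because the Winbox and web sessions themselves cannot be inspected, the router’s own log stream is the practical place to catch that brute-force stage. The example below is added here and is not code from the article or from VulnCheck: it assumes RouterOS log lines of the form `login failure for user admin from 203.0.113.7 via winbox` forwarded to a syslog collector, and flags any source that produces a burst of failures against one interface; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed RouterOS syslog line shape (not taken from the article):
# "<Mon D HH:MM:SS> <host> system,error,critical login failure for user <u> from <ip> via <winbox|web|...>"
LOGIN_FAIL = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) .*?login failure for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+) via (?P<iface>\w+)"
)

# Constructed sample log: five rapid failures on 'admin' via Winbox, plus benign noise.
SAMPLE_LOG = """\
Jul 25 10:00:01 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
Jul 25 10:00:03 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
Jul 25 10:00:05 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
Jul 25 10:00:07 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
Jul 25 10:00:09 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
Jul 25 10:05:00 router1 system,info,account user ops logged in from 192.0.2.10 via winbox
Jul 25 10:06:00 router1 system,error,critical login failure for user ops from 192.0.2.10 via web
""".splitlines()

def parse_failure(line, year=2023):
    """Return (timestamp, user, src_ip, interface) for a login-failure line, else None.
    Syslog lines carry no year, so one is supplied by the caller."""
    m = LOGIN_FAIL.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"], m["iface"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failures per (src_ip, interface).
    Returns {(src, iface): (peak_failures_in_window, {targeted users})} for
    every source that reached `threshold` failures inside `window_s` seconds."""
    events = defaultdict(list)
    users = defaultdict(set)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, user, src, iface = parsed
            events[(src, iface)].append(ts)
            users[(src, iface)].add(user)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1          # slide the window forward
            n = end - start + 1
            if n >= threshold and n > alerts.get(key, (0,))[0]:
                alerts[key] = (n, users[key])
    return alerts
```

A hit that targets the built-in ‘admin’ account, as in the sample, is the case the article singles out: the account still exists on most installs and the router applies no lockout on Winbox or HTTP.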