Up to 900,000 MicroTik routers from Brazil, India, Indonesia, and Iran, among other countries, are vulnerable to a privilege escalation vulnerability (CVE-2023-30799) in the RouterOS operating system.
This flaw allows threat actors to gain complete control over affected devices, potentially leading to unauthorised access to an organisation’s network, researchers from VulnCheck observed.
Furthermore, it enables attackers to execute man-in-middle attacks on network traffic flowing through the router.
MicroTik is a popular choice for many organisations and internet service providers and counts well-known entities such as NASA, ABB, Ericsson, Saab, Siemens, and Sprint among its customers.
VulnCheck lead researcher, Jacob Baines, explained that an attacker with authenticated access to an affected MicroTik device could exploit the vulnerability. Acquiring credentials is not particularly difficult, as the RouterOS often ships with an “admin” user account with a default empty password, which some organisations neglect to delete despite recommendations. Additionally, RouterOS lacks password restrictions, leading to easily guessable passwords that offer minimal protection against brute-force attacks.
The exploit uses a Return Oriented Programming (ROP) chain, which chains together pieces of existing code on the system to execute malicious actions. This new ROP chain targets RouterOS on the MIPS big-endian architecture, significantly expanding the impact compared to previous vulnerabilities.
MikroTik had previously addressed a privilege elevation flaw in October 2022 for the RouterOS stable version but neglected to patch the Long-term versions until July 2023, leaving many devices at risk.
VulnCheck’s findings highlight that this flaw’s impact is far larger than initially estimated, affecting approximately 926,000 devices due to exposure via the Winbox management client.
Despite the need for authenticated access, the exploit allows attackers to escalate their privilege to “Super Admin”, granting full access to the RouterOS operating system. This privilege level was intended for specific software functions, not normal users, making it valuable for malicious actors seeking to conceal their activities and make significant changes to the system.
VulnCheck has not released a proof-of-concept exploit to avoid further risk, but they warn that the potential for mass exploitation is still high. The researchers recommend organizations disable Winbox and Web interfaces, restrict admin login IP addresses, and replace passwords with stronger alternatives or adopt a password-less solution. Upgrading to the latest RouterOS version is crucial to safeguard against potential attacks.
Given the history of MikroTik routers targeted by advanced threat groups like TrickBot and VPNFilter, researchers urged customers to patch the devices. Failure to address the vulnerability could have dire consequences, allowing threat actors to exploit affected devices and compromise sensitive networks.