While exploiting it does require authentication, acquiring credentials to access the routers is not that difficult.
"RouterOS [the underlying operating system] ships with a fully functional 'admin' user. Hardening guidance tells administrators to delete the 'admin' user, but we know a large number of installations haven't," Baines explained. "We probed a sample of hosts on Shodan (n=5500) and found that nearly 60% still used the default admin user."
In addition to this, until October 2021, the default "admin" password was an empty string and there was no prompt for admins to change it.
"Even when an administrator has set a new password, RouterOS doesn't enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That's particularly unfortunate because the system doesn't offer any brute force protection (except on the SSH interface)," he added.
About CVE-2023-30799
The interesting thing about CVE-2023-30799 is not that it is a privilege-elevation bug, but that it allows attackers to achieve "super-admin" privileges, which give them full access to the device's OS and, potentially, the ability to make undetectable changes to it.
Even though the vulnerability received a CVE number this year, its existence has been known since June 2022, when Ian Dupont and Harrison Green of Margin Research released an exploit called FOISted that can obtain a root shell on the RouterOS x86 virtual machine.
The vulnerability was fixed in the RouterOS stable branch later that year (the fix shipped in v6.49.7), but not in the RouterOS Long-term branch, which consists of less current but still widely used versions of the OS.
A patch for RouterOS Long-term was released last week, after the researchers ported the FOISted exploit to MIPS-based MikroTik devices and demonstrated it working via either the web or the Winbox interface.
What to do?
"In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively," Baines noted.
They haven't made the exploit public, but the race is on: in the past, attackers have compromised MikroTik routers for a variety of nefarious ends (cryptojacking, setting up C2 communication proxies, exploit delivery).
Also, it's possible that attackers have already developed an exploit and have been using it without being noticed.
"Under normal circumstances, we'd say detection of exploitation is a good first step to protecting your systems. Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort nor Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI," Baines shared.
"Microsoft published a toolset that identifies potential malicious configuration changes, but configuration changes aren't necessary when the attacker has root access to the system."
Admins and users of MikroTik routers are advised to upgrade to a fixed version (either Stable or Long-term) and, in general, to minimize the attack surface to prevent this and similar attacks by remote actors.
They can do that by removing MikroTik administrative interfaces from the internet, restricting which IP addresses administrators can log in from, or by disabling the Winbox and web interfaces, says Baines. "Only use SSH for administration. Configure SSH to use public/private keys and disable passwords."
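The hardening steps above, as an added example in RouterOS console syntax (not from the article, Margin Research or MikroTik). The user name netops, the key file netops.pub and the management subnet 192.0.2.0/24 are placeholders.

```routeros
# Added example: RouterOS console commands applying the hardening steps
# described in the article. netops, netops.pub and 192.0.2.0/24 are
# placeholders to be replaced with your own values.

# 1. Move off the default account: create a named full-rights user, log in
#    with it over SSH to confirm it works, then remove the built-in "admin".
/user add name=netops group=full password="<long-random-password>"
/user remove admin

# 2. Key-based SSH only. Upload netops.pub to the router's Files first
#    (e.g. with scp), then bind it to the account. With a key imported and
#    always-allow-password-login=no, password logins for that user are
#    refused, which also removes the brute-force surface the article notes.
/user ssh-keys import public-key-file=netops.pub user=netops
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 3. Take the web and Winbox interfaces (the exploit paths named in the
#    article) offline entirely, together with the other legacy services.
/ip service disable www,www-ssl,winbox,telnet,ftp,api,api-ssl

# 4. Restrict SSH to the management subnet so the login prompt is not
#    reachable from the internet at all.
/ip service set ssh address=192.0.2.0/24

# 5. Stay on the branch you run (stable or long-term) and install the
#    fixed release.
/system package update set channel=long-term
/system package update check-for-updates
/system package update install
```

Verify the new account and key work from the management subnet before running `/user remove admin`, or you can lock yourself out of the device.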