Up to 900,000 MikroTik routers — a popular target for threat actors including nation-state groups — may be open to attack via a privilege escalation vulnerability in the RouterOS operating system.
The vulnerability (CVE-2023-30799) gives attackers a way to take complete control of affected MIPS-processor-based MikroTik devices and pivot into an organization’s network, according to researchers from VulnCheck, which just published several new exploits for the flaw. Attackers can also use it to enable man-in-the-middle attacks on network traffic flowing through the router, they warned. Versions of MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to the issue.
“The worst-case scenario is that an attacker can install and execute arbitrary tools on the underlying Linux operating system,” says Jacob Baines, lead researcher at VulnCheck. “Remote and authenticated attackers can use the vulnerability to get a root shell on the router,” by escalating admin-level privileges to that of a super-administrator.
MikroTik has released a fix for impacted RouterOS versions, and admins should apply it quickly. The stakes are high: MikroTik claims numerous well-known organizations as its customers, including NASA, ABB, Ericsson, Saab, Siemens, and Sprint. Several ISPs use its routers as well. A Shodan search showed that as of July 18, there were between 500,000 and 900,000 MikroTik routers that are vulnerable to CVE-2023-30799 via their Web or Winbox interfaces.
“MikroTik devices have been targeted by advanced attackers for quite some time because they provide powerful access to protected networks,” Baines says. Groups such as TrickBot, VPNFilter, and the Slingshot advanced persistent threat group have all been known to target the devices; in 2022, Microsoft warned of TrickBot actors using MikroTik routers as proxy servers for its command-and-control (C2) servers. In addition, the Vault 7 Wikileaks data dump of classified CIA documents contained an exploit for MikroTik routers, he says.
A Return Oriented Programming Chain
The attack that VulnCheck developed requires that the exploit use return-oriented programming (ROP). ROP is an exploit technique in which an attacker executes malicious code by chaining together small pieces of code that already exist on the system. VulnCheck essentially developed a new ROP chain that works against RouterOS on the MIPS big endian (MIPSBE) architecture, Baines says.
Only an attacker with authenticated access to an affected MikroTik device can exploit the vulnerability. But acquiring credentials to RouterOS is relatively easy, VulnCheck said in its report.
For one thing, RouterOS ships with an “admin” user account with an empty string as a default password. Many organizations fail to delete the admin account even though MikroTik itself recommends that organizations delete it.
RouterOS also does not enforce any restrictions on passwords. So, when administrators do set a password, it is often easy to guess and offers little protection against brute-force attacks, VulnCheck said.
For its part, MikroTik did not immediately respond to a Dark Reading request for comment submitted via its support email.
FOISTing a New Attack Against MikroTik
While MikroTik has been aware of this latest issue since at least last October, a CVE identifier and a patch for RouterOS Long-term weren’t released until July 20, likely because the bug hadn’t posed any real-world risk until now.
Researchers at security firm Margin Research first disclosed the vulnerability and an exploit for it dubbed “FOISTed” in June 2022. FOISTed enabled root shell access on an x86 virtual machine running RouterOS, but it was a moot exercise, since MikroTik does not ship x86 hardware-based devices, Baines says.
Nonetheless, Latvia-based MikroTik addressed the issue in an incremental version of the operating system (RouterOS stable 6.49.7) last October but made no patch available for major versions — or what MikroTik refers to as “long-term” versions — of RouterOS.
VulnCheck’s exploit, on the other hand, works against RouterOS on the MIPSBE architecture that MikroTik uses in many of its products. The exploits, therefore, have a far bigger impact, Baines notes: “FOISted had no impact on real world products, VulnCheck’s findings very much do.”
The security vendor describes its exploit as a simplified and more practical version of Margin’s FOISted. “VulnCheck’s research also did some things to weaponize the exploit — for example, eliminating the use of FTP and using a reverse shell instead of a bind shell,” Baines says.
To protect themselves, VulnCheck recommends that all organizations using affected versions of the MikroTik devices disable their Winbox and Web interfaces, restrict the IP addresses from which admins can log in, and disable passwords and configure SSH to use public/private keys instead.
“Ultimately, our recommendation is to move to a password-less solution,” Baines says. “Organizations that must use passwords would ideally move to stronger passwords to prevent brute-forcing.”
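The exposure conditions the article describes (an affected RouterOS version, the default “admin” account left in place, and Winbox/Web/SSH management services reachable from anywhere) can be checked against a saved configuration export before and after applying VulnCheck’s recommendations. The script below is an added example and is not MikroTik’s, VulnCheck’s, or Margin Research’s code. It assumes the export has the shape of RouterOS `/export verbose` output (a section header such as `/ip service` followed by `set <name> key=value ...` lines, and `/user` followed by `add name=... group=...` lines); the sample export inside it is constructed, not taken from a real device. Because the article does not state which long-term release carries the fix, the version check conservatively flags anything below stable 6.49.7 for review.

```python
"""Audit a RouterOS configuration export for the conditions the article describes:
an affected RouterOS version, the default 'admin' user still present, Winbox/WWW
enabled, and SSH accepting logins from any address.

Added example, not vendor or researcher code. Assumption: the export follows the
'/export verbose' layout (section header line, then 'set'/'add' lines).
"""
import re

# Constructed sample export; NOT captured from a real device.
SAMPLE_EXPORT = """\
# jul/18/2023 10:02:11 by RouterOS 6.48.6
# software id = XXXX-XXXX
#
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl disabled=yes
set api disabled=yes
set winbox address=0.0.0.0/0 disabled=no port=8291
set api-ssl disabled=yes
/user
add name=admin group=full
add name=netops group=full
"""

FIXED_STABLE = (6, 49, 7)  # first stable release the article reports as fixed


def parse_version(text):
    """Extract 'by RouterOS X.Y[.Z]' from the export header as an int tuple."""
    m = re.search(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def parse_export(text):
    """Return {section: [entry, ...]} where each entry maps key -> value.

    'set www address=... disabled=no' becomes {'cmd': 'set', 'name': 'www', ...};
    'add name=admin group=full' becomes {'cmd': 'add', 'name': 'admin', ...}.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        parts = line.split()
        if current is None or parts[0] not in ("set", "add"):
            continue
        entry = {"cmd": parts[0]}
        for tok in parts[1:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                entry[k] = v.strip('"')
            else:
                entry.setdefault("name", tok)  # positional target of 'set'
        sections[current].append(entry)
    return sections


def audit(text):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    version = parse_version(text)
    if version is None:
        findings.append("version: could not read the RouterOS version from the export header")
    elif version < FIXED_STABLE:
        findings.append(
            f"version: RouterOS {'.'.join(map(str, version))} is below 6.49.7; the article "
            "reports stable before 6.49.7 and long-term through 6.48.6 as affected"
        )

    sections = parse_export(text)
    services = {e["name"]: e for e in sections.get("/ip service", []) if e["cmd"] == "set"}

    # A service absent from the export is treated as enabled (the default), which
    # is the conservative reading for a non-verbose export.
    for svc in ("www", "winbox"):
        e = services.get(svc)
        if e is None or e.get("disabled", "no") != "yes":
            findings.append(f"service: {svc} is enabled; VulnCheck recommends disabling it")

    ssh = services.get("ssh")
    if ssh is not None and ssh.get("disabled", "no") != "yes":
        if ssh.get("address", "") in ("", "0.0.0.0/0"):
            findings.append("service: ssh accepts logins from any address; restrict 'address' to admin networks")

    users = [e["name"] for e in sections.get("/user", []) if e["cmd"] == "add"]
    if "admin" in users:
        findings.append("user: default 'admin' account still present; replace it with a named admin and remove it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Running it against the constructed sample reports five findings; on an export where the version is 6.49.7 or later, `www` and `winbox` are `disabled=yes`, `ssh` is limited to an admin subnet, and the `admin` user is gone, it reports none. For the key-based login the article recommends, RouterOS imports a public key with `/user ssh-keys import public-key-file=<file> user=<user>`, after which the password can be dropped for that account.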