The MikroTik RouterOS bug opens routers to privilege escalation attacks, allowing threat actors to seize full control of vulnerable devices, researchers say.
A critical flaw in MikroTik RouterOS, tracked as CVE-2023-30799, affects between 500,000 and 900,000 public-facing devices, according to researchers at security firm VulnCheck. The issue was fixed on July 20th, 2023.
Hundreds of thousands of vulnerable devices make a juicy catch for botnet operators. For example, one of the largest botnet attacks, directed at the Russian tech giant Yandex, employed Latvian-made MikroTik network devices. The botnet was dubbed Mēris, which means ‘plague’ in Latvian.
While exploiting the recent vulnerability requires authentication, the researchers argue that this requirement should not be treated as a real barrier, because they believe “acquiring credentials to RouterOS systems is easier than one might expect.”
“RouterOS ships with a fully functional ‘admin’ user. Hardening guidance tells administrators to delete the ‘admin’ user, but we know a large number of installations haven’t. We know this because the Winbox authentication scheme is vulnerable to a classic example of observable response discrepancy,” researchers explained.
Meanwhile, until at least October 2021, the default password was an empty string; only RouterOS 6.49 began requiring administrators to replace the blank password with one that could resist a simple brute-force attack.
“Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple,” reads the report.
Making matters worse, it is nearly impossible to detect post-infection whether a device was compromised. To mitigate the issue, users are advised to update to the latest version of RouterOS, take MikroTik admin interfaces off the internet, turn off web interfaces, and configure SSH to use private keys and disable passwords.
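A defender checking a fleet against the mitigations above can audit a saved RouterOS `/export` for the weak settings they address. The following Python auditor is an added example, not code from MikroTik or VulnCheck; it assumes the `/export` shape shown in its constructed samples and the stock `www`/`www-ssl` defaults noted in the code.

```python
WEB_SERVICES = {"www": "no", "www-ssl": "yes"}  # stock 'disabled' value per service (assumption)

# Constructed samples in the shape of a RouterOS `/export`: a `/path` header per section, then `set`/`add` lines.
WEAK_EXPORT = """\
/ip service
set www-ssl disabled=no
set ssh port=22
/ip ssh
set always-allow-password-login=yes
/user
add name=admin group=full
"""
HARDENED_EXPORT = """\
/ip service
set www disabled=yes
set ssh address=192.168.88.0/24
"""


def parse_export(text):
    """Map each section path to its entries: (verb, target, {attr: value})."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # section header such as "/ip service"
            current = sections.setdefault(line, [])
            continue
        if current is None:
            continue
        tokens = line.split()
        attrs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        target = tokens[1] if len(tokens) > 1 and "=" not in tokens[1] else None
        current.append((tokens[0], target, attrs))
    return sections


def audit(text):
    cfg = parse_export(text)
    services = {t: a for _, t, a in cfg.get("/ip service", []) if t}
    findings = []
    for name, default in WEB_SERVICES.items():  # a missing entry means the stock value
        if services.get(name, {}).get("disabled", default) != "yes":
            findings.append(f"web interface '{name}' is enabled")
    if "address" not in services.get("ssh", {}):
        findings.append("ssh is not restricted to a management network")
    if any(a.get("always-allow-password-login") == "yes" for _, _, a in cfg.get("/ip ssh", [])):
        findings.append("ssh still accepts passwords alongside keys")
    if any(v == "add" and a.get("name") == "admin" for v, _, a in cfg.get("/user", [])):
        findings.append("default 'admin' user still present")
    return findings
```

An empty result means none of the listed weak settings were found; it does not confirm the device is patched, which still needs a RouterOS version check.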