Introduction

A recent discovery by VulnCheck has revealed a critical security flaw, tracked as CVE-2023-30799, in MikroTik RouterOS Long-term versions prior to 6.49.8 (as of July 20, 2023). It leaves affected routers vulnerable to remote, authenticated attackers, who can exploit the flaw to gain root access, potentially leading to widespread damage.

June 2022

The vulnerability first came to light last summer, in June 2022, when Margin Research disclosed an exploit called FOISted at the REcon conference that could obtain a root shell. However, due to the design of the exploit, it only worked on the RouterOS x86 virtual machine, which was a less common version of the software.

October 2022

MikroTik then addressed the issue in October 2022 with the release of RouterOS stable version 6.49.7, but the Long-term version remained exposed until recently.

July 2023

Researchers at VulnCheck published new proof-of-concept exploits that expanded the vulnerability’s reach to a wider range of MikroTik hardware. Consequently, CVE-2023-30799 was assigned to this vulnerability on July 19, 2023. Although authentication is required, the flaw allows privilege escalation from admin to “super-admin,” giving attackers the ability to call arbitrary functions.

Unfortunately, obtaining credentials to RouterOS systems is easier than expected, as many installations still retain the default “admin” user, despite security recommendations to remove it. Moreover, the default “admin” password is often left as an empty string and RouterOS lacks password complexity enforcement or brute-force protection.

The vulnerability’s reach is potentially vast. A recent query done by VulnCheck on Shodan showed an index of approximately 500,000 to 900,000 RouterOS systems that are vulnerable to CVE-2023-30799.

Mitigation Steps

Administrators are advised to:

  • remove MikroTik administrative interfaces from the internet
  • restrict login IP addresses
  • disable Winbox and web interfaces
  • exclusively use SSH for administration, configured to use public/private keys and with password login disabled

Upgrading the software to version 6.49.8 or the most recent 7.x stable is the most effective way to safeguard MikroTik routers against potential attacks.
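Putting the steps above into RouterOS CLI terms, as an added example that is not part of the original advisory. The management subnet 192.0.2.0/24, the user name netadmin, the key file netadmin.pub (already uploaded to the router) and the interface list LAN are assumptions; adjust them to the deployment.

```routeros
# Added hardening example (not from the original post). Assumed values:
# management subnet 192.0.2.0/24, replacement admin "netadmin", public key
# file "netadmin.pub" in the router's file store, interface list "LAN".

# 1. Create a replacement administrator, bind a public key to it, and
#    refuse password login over SSH for key-holding users.
/user add name=netadmin group=full password="REPLACE-WITH-STRONG-PASSWORD"
/user ssh-keys import public-key-file=netadmin.pub user=netadmin
/ip ssh set always-allow-password-login=no strong-crypto=yes

# 2. Restrict SSH to the management subnet and disable the other
#    administrative services (Winbox, HTTP, HTTPS and the API ports).
/ip service set ssh address=192.0.2.0/24
/ip service set winbox disabled=yes
/ip service set www disabled=yes
/ip service set www-ssl disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# 3. Keep management off the internet at the firewall as well. Allow
#    return traffic first so the router's own updates and DNS keep working,
#    then accept management only from LAN and drop the rest of the input chain.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="return traffic"
/ip firewall filter add chain=input in-interface-list=LAN src-address=192.0.2.0/24 action=accept comment="mgmt from LAN"
/ip firewall filter add chain=input in-interface-list=!LAN action=drop comment="no mgmt from WAN"

# 4. Only after a key-based SSH login as netadmin has been verified,
#    remove the default "admin" account the advisory warns about.
/user remove admin

# 5. Upgrade to 6.49.8 or later on the long-term channel (or move to 7.x stable).
/system package update set channel=long-term
/system package update check-for-updates
/system package update install
```

Run the commands from a console or serial session rather than over Winbox, since step 2 disables that service mid-way; verify the SSH key login before step 4 so a lost key does not lock the router.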

To stay up to date on all APG intel, follow them on Twitter and Reddit.
