Heads up, MikroTik users! The router firm has recently patched a critical-severity privilege escalation flaw affecting over 900,000 MikroTik routers. Users must update their routers immediately with the latest firmware releases to avoid potential exploits.
MikroTik Routers Exhibit A Critical Security Flaw
According to a recent report from VulnCheck, the researchers have found a new way to exploit a critical privilege escalation vulnerability in MikroTik routers. As explained, the vulnerability is a simple privilege escalation flaw that gives “Super Admin” privileges to an authenticated admin.
Although, it requires authentication, which makes the vulnerability seem difficult to exploit. However, the researchers explained that gaining the credentials is trivial since the devices shipped with the default RouterOS configurations have a built-in “admin” user. Moreover, it has a default blank password, and it never pinged the users to reset the blank password until RouterOS version 6.49. On top of that, the firmware won’t implement any restrictions for resetting the password, letting the users even proceed with simple passwords that an adversary may easily brute-force.
Also, the researchers found the routers lacking brute-force protection measures, enabling the researchers easily exploit the flaw. The researchers have demonstrated a possible attack scenario in the following video. However, they refrained from sharing a detailed proof-of-concept to prevent mass-scale exploitation attempts.
The vulnerability, CVE-2023-30799, first made it to the news in 2022 when researchers from Margin Research discovered it. The researchers also shared an exploit, “FOISted,” at that time to demonstrate the attack.
However, the vulnerability only received the CVE number lately when VulnCheck developed more ways to exploit the flaw. Specifically, while they used the same FOISted exploit to trigger the flaw, they could attack more devices. Precisely, their strategy makes over 900,000 MikroTik routers (as found exposed on Shodan) vulnerable to attacks.
Patch Deployed From MikroTik
MikroTik patched the vulnerability again, releasing the fix with RouterOS stable v6.49.7 in October 2022. But following VulnCheck’s report demonstrating more ways to exploit, the vendors released the patch with RouterOS Long-term v6.49.8. Given the severity of the issue, all users must ensure updating their devices with the latest firmware release immediately.
Attribution link