Critical privilege escalation vulnerability discovered in MikroTik RouterOS potentially affecting over 900,000 routers

A critical privilege escalation vulnerability [3] [4], known as CVE-2023-30799 [1] [3], has been discovered in MikroTik RouterOS [1] [4], potentially affecting over 900,000 routers. This vulnerability allows remote and authenticated threat actors to gain full control of vulnerable devices by executing arbitrary code.

Description

To exploit the vulnerability [1] [3] [4], attackers need previous access to an existing admin account [4], which is often obtained due to weak password policies. Once attackers gain access [4], they can escalate privileges from admin to super-admin [3] [4], granting them complete control over the device’s operating system and enabling them to make undetectable changes.

The vulnerability, initially disclosed in June 2022 as an exploit called FOISted, was only patched in the stable branch of RouterOS and not in the widely used Long-term branch [2]. However, a recent patch has been released for the Long-term branch after researchers demonstrated the exploit. It is estimated that approximately 500,000 to 900,000 RouterOS systems are at risk through their web and Winbox interfaces [1].

Detecting the attack is challenging due to the custom encryption schemes implemented in the RouterOS interfaces [1]. To mitigate the risk [1], users are advised to take the following measures:

1. Update to the latest version of RouterOS (6.49.8 or 7.x).
2. Remove administrative interfaces from the internet [1].
3. Limit login IP addresses [1].
4. Disable Winbox and web interfaces [1].
5. Configure SSH with public/private keys [1] [4].

These measures will help minimize the attack surface and enhance security for MikroTik router admins/users.

Conclusion

The privilege escalation vulnerability in MikroTik RouterOS poses a significant risk to over 900,000 routers. By following the recommended mitigation measures, users can reduce the likelihood of exploitation and protect their devices from unauthorized access. It is crucial for users to stay vigilant and keep their systems up to date to ensure the security of their network infrastructure.

References

[1] https://thehackernews.com/2023/07/critical-mikrotik-routeros.html
[2] https://www.helpnetsecurity.com/2023/07/26/cve-2023-30799/
[3] https://gbhackers.com/privilege-escalation-mikrotik-routeros/
[4] https://heimdalsecurity.com/blog/mikrotik-vulnerability-926000-routers-at-risk/

Keywords

privilege escalation vulnerability, CVE-2023-30799, MikroTik RouterOS, routers, remote, authenticated threat actors, arbitrary code, admin account, weak password policies, super-admin, operating system, undetectable changes, FOISted, patch, stable branch, Long-term branch, web interface, Winbox interface, custom encryption schemes, risk, update, administrative interfaces, login IP addresses, SSH, public/private keys, attack surface, security, mitigation measures, unauthorized access, network infrastructure.