Introduction

In a recent blog post by VulnCheck, a vulnerability in MikroTik RouterOS was discussed in detail. The vulnerability, identified as CVE-2023-30799, affects MikroTik RouterOS up to the 6.49.8 release (July 20, 2023), which fixes it. Remote, authenticated attackers can exploit this vulnerability to gain root shell access on the router. This blog post aims to provide a detailed analysis of this vulnerability, its potential impact, and mitigation strategies.

Technical Details

CVE-2023-30799 was first disclosed in June 2022 by Margin Research employees, Ian Dupont and Harrison Green, without a CVE. They released an exploit called FOISted that could obtain a root shell on the RouterOS x86 virtual machine. The CVE was assigned on July 19, 2023, when VulnCheck researchers published new exploits that attacked a wider range of MikroTik hardware.

The vulnerability requires authentication and is essentially a privilege escalation from admin to “super-admin”, which results in the ability to call arbitrary functions. Despite the authentication requirement, the vulnerability is considered dangerous because credentials for RouterOS systems are so easy to acquire.

The default “admin” user in RouterOS is fully functional and a significant number of installations have not deleted this user. Furthermore, the default “admin” password is an empty string, and RouterOS does not enforce any password restrictions or offer brute force protection, except on the SSH interface.

Impact

According to Shodan, approximately 500,000 to 900,000 RouterOS systems are vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces. This means that the vulnerability could have far-reaching effects.

Mitigation

The best course of action for administrators is prevention. Administrators should:

  • Remove MikroTik administrative interfaces from the internet.
  • Restrict which IP addresses administrators can log in from.
  • Disable the Winbox and web interfaces. Only use SSH for administration.
  • Configure SSH to use public/private keys and disable passwords.
  • Upgrade to 6.49.8 (stable) or the most recent 7.x stable.
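As an added example (not part of the original post or VulnCheck's advisory), the mitigation list above expressed as RouterOS CLI commands. The management subnet 192.168.88.0/24, the user name netadmin, the key file id_ed25519.pub and the WAN interface list (present in the default RouterOS configuration) are assumptions; the key file must be uploaded to the router before it is imported.

```routeros
# Added hardening example, not from the VulnCheck post. Assumed values:
# management subnet 192.168.88.0/24, user netadmin, uploaded key file
# id_ed25519.pub, interface list WAN (default RouterOS configuration).

# 1. Create a named full-rights account, then remove the default "admin"
#    user that ships with an empty password.
/user add name=netadmin group=full password="<long-random-passphrase>"
/user remove admin

# 2. Key-only SSH: once a key is imported for a user, RouterOS refuses
#    password logins for that user unless always-allow-password-login=yes.
/user ssh-keys import public-key-file=id_ed25519.pub user=netadmin
/ip ssh set always-allow-password-login=no strong-crypto=yes

# 3. Disable Winbox and the HTTP/HTTPS interfaces (both exploit paths named
#    above) plus the API; keep only SSH, reachable only from the management subnet.
/ip service set winbox disabled=yes
/ip service set www disabled=yes
/ip service set www-ssl disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set ssh address=192.168.88.0/24

# 4. Drop management traffic arriving on WAN-facing interfaces, so a service
#    that is re-enabled later is still not exposed to the internet.
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=22,80,443,8291,8728,8729 action=drop comment="block management ports from the internet" place-before=0

# 5. Track the stable channel and install the fixed release.
/system package update set channel=stable
/system package update check-for-updates
/system package update install
```

Run these from an SSH session on the management subnet, and create netadmin before removing admin so the session is not locked out.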

Further Reading

For more information about this vulnerability, you can refer to the following resources:

Conclusion

This vulnerability highlights the importance of regular patching and following best security practices. Administrators should always ensure that they are running the latest versions of their software and that unnecessary services are disabled.

Credits

This blog post is based on the research and work done by the team at VulnCheck. We appreciate their efforts in identifying and sharing details about this vulnerability. You can read their original blog post here.