Researchers found a critical ‘Super Admin’ privilege elevation vulnerability that impacts MikroTik devices. Over 900,000 RouterOS routers are at risk and security specialists advise users to apply available patches immediately.
CVE-2023-30799 enables remote and authenticated threat actors to escalate privileges from admin to super-admin on the Winbox or HTTP interface. Furthermore, hackers can use the vulnerability to execute arbitrary code on the system.
More About the MikroTik Vulnerability
Once the attacker gains super admin privileges, they can reach a code path that enables control over the address of a function call.
Also, as RouterOS web and Winbox interfaces use custom encryption schemes, threat actors can easily evade the RouterOS UI after they gain control over the device.
According to the VulnCheck analysts, malicious actors need previous access to an existing admin account, in order to exploit the new CVE and gain super admin privileges.
However, since obtaining credentials to RouterOS systems is not complicated at all, accessing an admin account is equally easy. The system does not enforce a strong password policy, so admins can and do use simple passwords, which are easy to break in a brute force attack. Additionally, the system only offers brute force protection on the SSH interface. VulnCheck researcher Jacob Baines told BleepingComputer that
‘En masse’ exploitation is going to be more difficult since valid credentials are required. However, as I outlined in the blog, the routers lack basic protections against password guessing.
Risks and Mitigation Measures
Threat actors often targeted MikroTik devices and had previously exploited them to build huge DDoS swarms like the Mēris botnet.
Consequently, users are advised to patch the flaw as soon as possible. MikroTik already released an update for RouterOS, as analysts warn hackers will soon attempt exploiting the revealed flaw.
In addition, security researchers advise users to apply the following caution measures:
- Put administrative interfaces offline
- Restrict login IP addresses to a whitelist
- Disable Winbox and only use SSH
- Configure SSH to use public/private keys, not passwords.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
Heimdal® Patch & Asset Management
- Create policies that meet your exact needs;
- Full compliance and CVE/CVSS audit trail;
- Gain extensive vulnerability intelligence;
- And much more than we can fit in here...