A critical severity ‘Super Admin’ privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.
The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to “super-admin” via the device’s Winbox or HTTP interface.
A VulnCheck report published today explains that while CVE-2023-30799 requires an existing admin account to exploit, this is not a low bar to clear.
This is because the Mikrotik RouterOS operating system does not prevent password brute-force attacks and comes with a well-known default “admin” user.
“‘En masse’ exploitation is going to be more difficult since valid credentials are required. However, as I outlined in the blog, the routers lack basic protections against password guessing,” VulnCheck researcher Jacob Baines told BleepingComputer.
“We intentionally didn’t release a proof-of-concept exploit, but if we had, I have no doubt that the exploit would have been successfully used in the wild quickly after the blog was released.”
A large-scale problem
The Mikrotik CVE-2023-30799 vulnerability was first disclosed without an identifier in June 2022, and MikroTik fixed the issue in October 2022 for RouterOS stable (v6.49.7) and on July 19, 2023, for RouterOS Long-term (v6.49.8).
VulnCheck reports that a patch for the Long-term branch was made available only after they contacted the vendor and shared new exploits that targeted MikroTik hardware.
The researchers used Shodan to determine the flaw’s impact and found that 474,000 devices were vulnerable as they remotely exposed the web-based management page.
However, as this vulnerability is also exploitable over Winbox, a Mikrotek management client, Baines found that 926,000 devices were exposing this management port, making the impact far larger.
The CVE-2023-30799 vulnerability
While exploiting this vulnerability requires an existing admin account, it elevates you to a higher privilege level called “Super Admin.”
Unlike the admin account, which offers restricted elevated privileges, Super Admin gives full access to the RouteOS operating system.
“By escalating to super admin, the attacker can reach a code path that allows them to control the address of a function call,” Baines told BleepingComputer.
“Super admin is not a privilege given to normal administrators, it’s a privilege that is supposed to be given to certain parts of the underlying software (specifically, in this case, to load libraries for the web interface), and not to actual users.
This makes the vulnerability valuable to threat actors wishing to “jailbreak” the RouterOS device to make significant changes to the underlying operating system or hide their activities from detection.
To develop an exploit for CVE-2023-30799 that obtains a root shell on MIPS-based MikroTik devices, VulnCheck’s analysts used Margin Research’s FOISted remote RouterOS jailbreak exploit.
The new exploit developed by VulnCheck bypasses the requirement for FTP interface exposure and is not impacted by blocking or filtering of bindshells, as it uses the RouterOS web interface to upload files.
Finally, VulnCheck identified a simplified ROP chain that manipulates the stack pointer and the first argument register and calls dlopen, the instructions for which are present in three functions across different RouterOS versions, ensuring broad applicability.
The exploit still requires authentication as “admin,” however, VulnCheck explains that RouterOS ships with a fully functional admin user by default, which nearly 60% of MikroTik devices still use despite the vendor’s hardening guidance suggesting its deletion.
Moreover, the default admin password was an empty string until October 2021, when this issue was fixed with the release of RouterOS 6.49.
Finally, RouterOS does not impose admin password strengthening requirements, so users may set anything they like, which makes them susceptible to brute-forcing attacks, for which MikroTik does not offer any protection except on the SSH interface.
“All of this is to say, RouterOS suffers from a variety of issues that make guessing administrative credentials easier than it should be,” comments VulnCheck
“We believe CVE-2023-30799 is much easier to exploit than the CVSS vector indicates.”
Patch your devices
MikroTik devices have been targeted by malware many times and inadvertently helped build record-breaking DDoS swarms like the Mēris botnet.
Users need to move quickly to patch the flaw by applying the latest update for RouterOS, as attempts to exploit the flaw are bound to increase soon.
Mitigation advice includes removing administrative interfaces from the internet, restricting login IP addresses to a defined allow-list, disabling Winbox and only use SSH, and configuring SSH to use public/private keys instead of passwords.