[SECURITY-L] Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking

CSIRT Unicamp security at unicamp.br
Thu Jul 27 11:32:06 -03 2023


Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million
Devices to Hacking
Jul 26, 2023    THN

Network Security / Vulnerability


A severe privilege escalation issue impacting MikroTik RouterOS could be
weaponized by remote malicious actors to execute arbitrary code and
seize full control of vulnerable devices.

Tracked as CVE-2023-30799 (CVSS score: 9.1), the flaw is estimated to put
approximately 500,000 RouterOS systems at risk of exploitation via their
web interface and approximately 900,000 via Winbox, VulnCheck disclosed
in a Tuesday report.

"CVE-2023-30799 does require authentication," security researcher Jacob
Baines said. "In fact, the vulnerability itself is a simple privilege
escalation from admin to 'super-admin' which results in access to an
arbitrary function. Acquiring credentials to RouterOS systems is easier
than one might expect."

This is because RouterOS offers no protection against password
brute-force attacks (no lockout, no rate limiting) and ships with a
well-known default "admin" user whose password was an empty string
until October 2021, when the release of RouterOS 6.49 began prompting
administrators to replace the blank password.

CVE-2023-30799 was originally disclosed by Margin Research in June 2022
as an exploit dubbed FOISted, without an accompanying CVE identifier.
The hole was nevertheless not plugged until October 13, 2022, in the
RouterOS stable release 6.49.7, and not until July 19, 2023, in the
RouterOS Long-term release 6.49.8.

VulnCheck noted that a patch for the Long-term release tree was made
available only after it directly contacted the vendor and "published new
exploits that attacked a wider range of MikroTik hardware."

A proof-of-concept (PoC) devised by the company shows that it's possible
to derive a new MIPS architecture-based exploit chain from FOISted and
obtain a root shell on the router.

"Given RouterOS' long history of being an APT target, combined with the
fact that FOISted was released well over a year ago, we have to assume
we aren't the first group to figure this out," Baines noted.

"Unfortunately, detection is nearly impossible. The RouterOS web and
Winbox interfaces implement custom encryption schemes that neither Snort
nor Suricata can decrypt and inspect. Once an attacker is established on
the device, they can easily make themselves invisible to the RouterOS UI."

With flaws in Mikrotik routers exploited to corral the devices into
distributed denial-of-service (DDoS) botnets such as Mēris and use them
as command-and-control proxies, it's recommended that users patch the
flaw by updating to the latest version (6.49.8 or 7.x) as soon as possible.

Mitigation advice includes removing MikroTik administrative interfaces
from the internet, restricting the IP addresses administrators can log
in from, disabling the Winbox and web interfaces, and configuring SSH to
use public/private keys with password authentication disabled.
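The following is an added example, not part of the THN article, the VulnCheck report or MikroTik's own documentation. It puts the two points above into RouterOS terminal commands: the brute-forceable default "admin" account with no lockout, and the recommended mitigations (patch, take the web/Winbox interfaces off the internet, restrict management sources, SSH with keys only). The management subnet 192.0.2.0/24, the user name netops, the SSH port 2222 and the key file name admin.pub are assumed placeholders to be replaced with your own values.

```routeros
# Added example (not from the article or from MikroTik). Run from a serial
# console or an SSH session that originates inside the management subnet,
# otherwise step 3 will cut off the session you are typing in.
# Placeholders (assumed, replace them): 192.0.2.0/24, netops, 2222, admin.pub

# 0. Save a rollback point before touching anything.
/system backup save name=pre-hardening

# 1. Patch first: CVE-2023-30799 is fixed in stable 6.49.7+, long-term 6.49.8+
#    and 7.x. Reboots after installing.
/system package update set channel=long-term
/system package update check-for-updates
/system package update install

# 2. Retire the well-known default account. RouterOS has no brute-force
#    lockout, so an unguessable user name plus a long passphrase is the only
#    thing standing between an attacker and the admin -> super-admin step.
/user set admin name=netops password="<long random passphrase>"

# 3. Disable the two interfaces the exploit reaches (www, winbox) and every
#    other service you do not use; bind SSH to the management subnet only.
/ip service set www disabled=yes
/ip service set www-ssl disabled=yes
/ip service set winbox disabled=yes
/ip service set ftp disabled=yes
/ip service set telnet disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set ssh address=192.0.2.0/24 port=2222

# 4. SSH with keys only: upload admin.pub (e.g. via scp), import it for the
#    renamed user, and keep password login from being re-enabled for key holders.
/file print where name~"admin.pub"
/user ssh-keys import public-key-file=admin.pub user=netops
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 5. Belt and braces: even if a service is re-enabled later, the input chain
#    only accepts management traffic from the management address list.
#    place-before=0 puts the accept at the top; place-before=1 then puts the
#    drop directly under it, ahead of any pre-existing input rules.
/ip firewall address-list add list=management address=192.0.2.0/24
/ip firewall filter add chain=input protocol=tcp dst-port=2222 \
    src-address-list=management action=accept place-before=0 \
    comment="mgmt: ssh from management subnet"
/ip firewall filter add chain=input protocol=tcp \
    dst-port=21,22,23,80,443,2222,8291,8728,8729 action=drop place-before=1 \
    comment="mgmt: drop management ports from everywhere else"

# 6. Verify: no enabled www/winbox, only the renamed user, patched version.
/ip service print
/user print
/system package print
```

Before closing the session, open a second SSH connection with the key from inside 192.0.2.0/24 and confirm it works; if anything goes wrong, `/system backup load name=pre-hardening` restores the saved state. Note that the firewall rules only protect against re-exposure through the services they cover; the actual fix for CVE-2023-30799 is the version upgrade in step 1.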

Reference link:
https://thehackernews.com/2023/07/critical-mikrotik-routeros.html

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830