MikroTik routers are popular targets for threat actors, including nation state groups. Roughly 900,000 devices can potentially be attacked via a privilege escalation vulnerability in the RouterOS firmware.
CVE-2023-30788 allows an attacker to take total control of certain affected MIPS-based devices. From there they would be able to pivot into an organization's network. Researchers from VulnCheck published several exploits for this flaw.
VulnCheck warns that threat actors can also mount a man-in-the-middle attack on any network traffic passing through the router. RouterOS stable versions before 6.49.7 and long term versions through 6.48.6 are vulnerable to these exploits.
Jacob Baines, lead researcher at VulnCheck, is quoted as saying:
“The worst-case scenario is that an attacker can install and execute arbitrary tools on the underlying Linux operating system, and that remote and authenticated attackers can use the vulnerability to get a root shell on the router by escalating admin-level privileges to that of a super-administrator.”
A fix has been released by MikroTik for the affected RouterOS versions, and admins are urged to apply the fixed versions as soon as possible. The risk is high because well known organizations such as NASA, Ericsson, Saab and Siemens use MikroTik equipment. A number of internet service providers also use these devices.
Carrying out a search on Shodan showed that as of July 18th 2023 there were around 500,000 to 900,000 MikroTik devices vulnerable to this CVE via their web or winbox interfaces.
Baines goes on to say:
“MikroTik devices have been targeted by advanced attackers for quite some time because they provide powerful access to protected networks. Groups such as TrickBot, VPNFilter, and the Slingshot advanced persistent threat group have all been known to target the device; in 2022, Microsoft warned of TrickBot actors using MikroTik routers as proxy servers for its command-and-control (C2) servers. In addition, the Vault 7 Wikileaks data dump of classified CIA documents contained an exploit for MikroTik routers.”
Return Oriented Programming Chain
VulnCheck's exploit relies on a return oriented programming (ROP) chain. ROP is an exploitation technique in which an attacker executes malicious logic by chaining together small pieces of code that already exist on the system.
“VulnCheck managed to develop a new ROP chain attack against RouterOS devices that have the MIPS Big Endian (MIPSBE) architecture.”
The vulnerability can only be exploited once the attacker has authenticated access to the affected device. VulnCheck said in its report that acquiring credentials for RouterOS is rather easy.
By default, RouterOS ships with an admin user account that has no password set. Many organizations fail to delete this account, even though MikroTik recommends that it be deleted.
RouterOS also does not enforce any form of password complexity. When administrators do set a password, it is often easy to guess and offers no real protection against brute force attacks.
New Attack Against MikroTik – FOISTing
MikroTik had been aware of this issue since at least October 2022, but a CVE and a patch for the long term RouterOS branch were not released until July 20th 2023, because the issue was not considered to pose a real world threat until now.
Security firm Margin Research first disclosed this vulnerability, dubbed “FOISTed”, in June 2022. Margin was able to obtain a root shell on an x86 virtual machine running RouterOS, but as Baines points out this was largely a moot exercise, since MikroTik does not ship x86-based devices.
Regardless, MikroTik addressed the issue in an incremental release of RouterOS, stable 6.49.7, in October 2022, but no patches were made for the long term versions of RouterOS.
Baines notes that the exploit created by VulnCheck has a much bigger impact because it works against RouterOS builds for the MIPSBE architecture, which is used across a variety of MikroTik products.
Baines also notes that while FOISTed had no real impact on products used in production, VulnCheck's findings do, given the hardware architecture they tested against.
Baines can further be quoted as saying:
“VulnCheck’s research also did some things to weaponize the exploit — for example, eliminating the use of FTP and using a reverse shell instead of a bind shell”
VulnCheck recommends that organizations running affected versions on MikroTik devices disable the Winbox and web interfaces, restrict the IP addresses from which admins can log in, disable password authentication and configure SSH public/private key authentication.
Baines ultimately recommends the following:
“Ultimately, our recommendation is to move to a password-less solution. Organizations that must use passwords would ideally move to stronger passwords to prevent brute-forcing.”
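As an added example (not from the article, VulnCheck or MikroTik) of the mitigations described above: replacing the passwordless default admin account, disabling the Winbox and web interfaces, restricting admin source addresses and moving to SSH key authentication. The management subnet 192.168.88.0/24, the user name netadmin and the key file name netadmin.pub are assumptions.

```routeros
# Added hardening example; not the article's or MikroTik's own text.
# Assumptions: management subnet 192.168.88.0/24, a new full-rights user
# "netadmin", and a public key already uploaded to the router as "netadmin.pub".

# 1. Replace the default "admin" account (ships with no password) with a named
#    full-rights user, then remove "admin" so the well-known login no longer exists.
/user add name=netadmin group=full password="CHANGE-ME-long-random-passphrase"
/user remove admin

# 2. Disable the Winbox and web interfaces targeted by the exploit, together with
#    the clear-text and API services that are not needed for administration.
/ip service disable winbox,www,www-ssl,telnet,ftp,api,api-ssl

# 3. Limit SSH, the remaining management path, to the management subnet.
/ip service set ssh address=192.168.88.0/24

# 4. Move to key-based authentication: import the public key for netadmin,
#    keep password login off for key holders and require strong SSH crypto.
/user ssh-keys import public-key-file=netadmin.pub user=netadmin
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 5. Verify: every service except ssh should be flagged X (disabled) and the
#    admin user should no longer be listed.
/ip service print
/user print
```

Run these from an SSH session rather than from Winbox or the web UI, since the block disables both, and confirm the output of /ip service print before closing the session.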
Reach out to us at [email protected] for a consultation on how we can help improve your security posture.