MikroTik routers, highly targeted by threat actors, are at risk due to a privilege escalation vulnerability (CVE-2023-30788) in the RouterOS operating system. The flaw allows attackers to gain full control of affected MIPS-processor-based devices, opening the door to network pivoting and man-in-the-middle attacks.
The researchers at VulnCheck have published several new exploits for this vulnerability, warning organizations to apply MikroTik’s fix swiftly to avoid potential exploitation.
MikroTik’s customer base includes well-known organizations like NASA, ABB, Ericsson, Saab, Siemens, and Sprint, making the stakes particularly high for vulnerable routers.
Threat groups like TrickBot, VPNFilter, and Slingshot have long targeted these devices, with Microsoft even warning about TrickBot actors using MikroTik routers as proxy servers for command-and-control (C2) activities. The seriousness of the threat is underscored by the fact that a Shodan search identified between 500,000 and 900,000 vulnerable routers as of July 18, 2023.
The attack devised by VulnCheck employs return-oriented programming (ROP), chaining small segments of existing code to execute malicious code against the MIPS big endian (MIPSBE) architecture in RouterOS. Though the vulnerability requires authenticated access, gaining credentials is relatively easy due to the default “admin” user account with an empty password on RouterOS.
Organizations often fail to remove this account, leaving routers susceptible to brute-force attacks due to lax password enforcement by RouterOS. MikroTik released a fix for some versions but neglected major versions, making the newer MIPSBE exploits more impactful than previously known exploits.
VulnCheck recommends affected organizations disable Winbox and Web interfaces, restrict admin login IP addresses, and replace passwords with public/private keys for enhanced protection. They emphasize moving towards a password-less solution to counter the threat effectively.