Executive Summary
- Censys observed that nearly 450,000 MikroTik RouterOS configuration interfaces (almost half of the total number exposed) were still running versions vulnerable to CVE-2023-30799, a privilege escalation bug that resurfaced in the past 2 weeks
- This substantial number of exposed devices indicates a concerning lack of patch response from users and administrators – even more alarming when MikroTik routers don’t have passwords by default
- This, in combination with other recent high-profile attacks targeting network device admin consoles, serves as a strong reminder to harden these devices
- Censys Search query for exposed MikroTik config pages: services.http.response.html_title:”RouterOS router configuration page”
- Censys Exposure Management customers can search for vulnerable devices with the query host.risks:”Vulnerable MikroTik RouterOS [CVE-2023-30799]”
Continue to track the state of vulnerability with our interactive dashboard
Introduction
Threat researchers at VulnCheck recently brought renewed attention to a critical remote post-authentication privilege escalation vulnerability in MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6, tracked as CVE-2023-30799. This exploit was first published by researchers from Margin Research at REcon 2022 as a remote jailbreak exploit in RouterOS 6.34 through 6.49.6. It only recently got assigned a CVE when VulnCheck unveiled new exploits that affect additional versions of MikroTik hardware.
To exploit this vulnerability, an attacker would need administrative access through an unobstructed connection (i.e. no firewall). If that happened, a particular vulnerability would probably be the least of your concerns – a threat actor with that level of access could do all kinds of damage, which MikroTik emphasized on their blog:
“This is not the only way how a logged in administrator user with such a high access level (as required for this exploit) can compromise the router… if the malicious party has full admin login to a router, this exploit provides little additional advantage. It is extremely important to make sure that the configuration interface of the router is protected by secure password and not accessible to untrusted parties.”
In an ideal world, everyone would heed that advice. While that statement was likely meant to be reassuring, what it fails to acknowledge is that by default, most MikroTik routers are configured with username “admin” and no password. The reality is that many users simply plug-and-play these routers without touching that default configuration, making them an easy target for compromise. Indeed, MikroTik devices have a history of being targeted by advanced threat actors for various purposes, including spreading malware, launching DDos attacks, and building botnets. A notable example is the TrickBot botnet that was found abusing MikroTik routers as proxy servers for its C2 architecture. While security upgrades are available for many initial access vulnerabilities in MikroTik devices, a significant number remain vulnerable to botnet recruitment due to out-of-date firmware and/or default credentials.
Scale of Vulnerable Routers
As of August 2, 2023, Censys observed that nearly 450,000 hosts exposing MikroTik RouterOS config interfaces were still running versions vulnerable to CVE-2023-30799 – almost half of all the MikroTik config pages that we see on the Internet. The most common versions at risk were 6.48.6 and 6.49.6. The numbers of vulnerable hosts have stayed pretty consistent over the last few weeks with minor fluctuations. This significant number of exposed devices indicates a concerning lack of patch response from users and administrators.
Censys Data as of August 2, 2023
This is particularly worrisome considering how easy it is to misconfigure these devices given their weak security settings out of the box. A quick Censys Search reveals evidence that many MikroTik config pages will automatically prefill their login forms with default “admin” usernames and blank passwords. Although this behavior persists regardless of the user’s actual credentials, the fact that these defaults are set to autocomplete certainly doesn’t encourage users to switch to a more robust username and password, as a few MikroTik users have noted.
Example of a MikroTik WebFig Login
Default credentials make it incredibly easy for malicious actors to gain total control of these devices once they identify vulnerable software.
The reappearance of this exploit, coupled with the recent Citrix NetScaler Gateway vulnerability, serves as a stark reminder that remote management interfaces for network devices continue to be appealing initial access points for threat actors.
What Can Be Done?
This most recent MikroTik RouterOS exploit should serve as a critical reminder of the importance of securing network devices. Remote management interfaces should have robust access controls or not be directly accessible from the public-facing Internet. The recent BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces from CISA also drew attention to the need for such precautions.
The disclosure of CVE-2023-30799 should prompt network administrators and users to take immediate action. Users are advised to apply the latest security patches to their routers, set up a robust password, and hide the router’s administration interface from public access. Ensuring that admin interfaces for network devices are not needlessly exposed to the public Internet will significantly reduce your organization’s attack surface and help safeguard against potential exploits.
A reminder that devices and software, even those that come with the word “secure” in their product names, are not necessarily secure right out of the gate. Access controls should not be an afterthought, particularly on network infrastructure.