MikroTik RouterOS, the operating system used in MikroTik router devices, has a critical vulnerability. Tracked as CVE-2023-30799 and scored CVSS 9.1, it is a serious issue affecting more than half a million router devices. The vulnerability allows an attacker to escalate privileges and take full control of the affected device. As a result, compromised devices can be leveraged for malicious purposes, such as being enrolled in a distributed denial-of-service (DDoS) botnet or used as a command and control proxy.
One source of this vulnerability is a weakness in the default "admin" user on MikroTik RouterOS, which has no protection against password brute-force attacks. Attackers can exploit this easily, especially since until October 2021 the default "admin" password was an empty string, and many users have still not changed it as security guidelines recommend.
CVE-2023-30799 was first disclosed by researchers in June 2022 through the FOISted exploit. Although known since then, fixes for this security hole were only released in October 2022 for the stable RouterOS version 6.49.7 and in July 2023 for the Long Term RouterOS version 6.49.8. It is therefore imperative that users immediately upgrade their devices to the latest version, 6.49.8 or 7.x, to protect them from this threat.
Detecting exploitation is difficult because the RouterOS web interface and Winbox use an encryption scheme that intrusion detection systems cannot decrypt, and an attacker who successfully logs into the device can then hide their tracks from the RouterOS user interface. Other mitigation measures are therefore important to reduce the risk of attack: removing the RouterOS administrative interface from the internet, restricting the IP addresses allowed to log in as administrator, disabling Winbox and the web interface, and using SSH with public/private keys and no passwords.
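The mitigations listed above as one RouterOS terminal script. This is an added example, not configuration from the original article or from MikroTik; the interface list names LAN and WAN, the management subnet 192.168.88.0/24, the user name "netops" and the key file name are assumptions to be adjusted before use.

```routeros
# Added hardening example for RouterOS 6.49.x / 7.x (not from the original
# article or from MikroTik). LAN/WAN interface lists, the 192.168.88.0/24
# management subnet, the user "netops" and the key file are assumptions.

# 1. Patch first: CVE-2023-30799 is fixed in 6.49.7 (stable) / 6.49.8 (long-term).
/system package update check-for-updates
/system package update install

# 2. Replace the default "admin" account (blank password until October 2021):
#    create a named full-rights user, then disable "admin" so there is no
#    well-known account left to brute-force.
/user add name=netops group=full password="CHANGE-ME-long-passphrase"
/user disable admin

# 3. Key-only SSH: import the public key previously uploaded to the router's
#    file store; with a key present and password fallback off, only the key
#    is accepted for this user.
/user ssh-keys import public-key-file=netops.pub user=netops
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 4. Disable Winbox and the web UI (the encrypted management channels an IDS
#    cannot inspect) plus every other management service that is not needed,
#    and bind SSH to the management subnet only.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl,winbox
/ip service set ssh address=192.168.88.0/24

# 5. Firewall the router itself: only the management subnet may reach the
#    input chain; anything arriving on a WAN interface is dropped.
/ip firewall address-list add list=allowed_to_router address=192.168.88.0/24
/ip firewall filter add chain=input action=accept connection-state=established,related comment="keep replies"
/ip firewall filter add chain=input action=accept src-address-list=allowed_to_router comment="management subnet only"
/ip firewall filter add chain=input action=drop in-interface-list=WAN comment="no administration from the internet"

# 6. MAC-level Winbox/Telnet and neighbor discovery only on LAN interfaces.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 7. Verify: version must be >= 6.49.7/6.49.8, and only ssh should remain enabled.
/system resource print
/ip service print
```

Run it from a console or serial session rather than over Winbox, since step 4 disconnects Winbox and web sessions mid-script.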
Figure 1: Indonesia RouterOS
In terms of the number of vulnerable devices, more than 51,007 MikroTik routers in Indonesia are potentially affected by this vulnerability. Although authentication is required to exploit it, obtaining credentials is not difficult, because many installations still use the default "admin" user with a blank password. RouterOS also does not enforce any password policy, so administrators are free to set whatever password they see fit. As a result, many devices remain vulnerable even though this vulnerability has been known since June 2022.
This vulnerability gives attackers "super-admin" access, meaning full access to the device's operating system and the ability to make changes that cannot be detected. In its earlier data, CyberDefenseInsight identified a significant number of exposed MikroTik RouterOS systems in Indonesia, including outdated versions still in use. Currently, an estimated 51,006 RouterOS systems are exposed to the public, with over 5,000 MikroTik RouterOS devices in Indonesia affected by CVE-2023-30799. Although an exploit for this vulnerability has not been publicly disclosed, a proof of concept (PoC) has been published, and there is a high possibility that attackers have already leveraged the vulnerability for activities such as cryptojacking and exploit delivery.
Figure 2: Shodan data on exposed RouterOS devices
Among the vulnerable RouterOS systems identified by CyberDefenseInsight, some belong to large companies operating in Indonesia. It is possible that these vulnerable devices are being used by those companies' customers, or even within the scope of the services the companies provide.
Figure 3: Internet provider company RouterOS
Awareness of this critical vulnerability is essential for MikroTik RouterOS users, especially network administrators, who should immediately upgrade their devices to the latest version and implement the recommended mitigation measures. By taking these precautions, users strengthen the security of their devices and reduce the risk of attack. Users should also keep watching for security updates released by device manufacturers and take the necessary measures to keep their networks safe. In an ever-evolving cyber environment, such proactive measures are critical to protecting data and infrastructure from evolving threats.