Critical Vulnerability in MikroTik RouterOS: Tens of Thousands of Devices in Indonesia Are Vulnerable

Critical Vulnerability in MikroTik RouterOS Threatens Over Half a Million Devices

MikroTik RouterOS, the operating system that runs on MikroTik router devices, has a critical vulnerability. Tracked as CVE-2023-30799 and scored CVSS 9.1, it is a serious issue affecting more than half a million routers. The vulnerability allows an attacker to escalate privileges and take full control of the affected device. As a result, compromised devices can be leveraged for malicious purposes such as enrolling the device in a distributed denial-of-service (DDoS) botnet or using it as a command-and-control proxy.

One contributing factor to this vulnerability is that the default "admin" user on MikroTik RouterOS has no protection against password brute-force attacks. Attackers can exploit this, especially since until October 2021 the default "admin" password was an empty string, and many users have never changed it as the security guidelines recommend.

The CVE-2023-30799 vulnerability was first disclosed by researchers in June 2022 through the FOISted exploit. Although known since then, fixes for this security hole were only implemented in October 2022 for the stable release of RouterOS 6.49.7 and in July 2023 for the Long Term release of RouterOS 6.49.8. It is therefore imperative that users upgrade their devices immediately to the latest version, 6.49.8 or 7.x, to protect them from this threat.

Detecting exploitation of the vulnerability is difficult because the RouterOS web interface and Winbox implement an encryption scheme that intrusion detection systems cannot decrypt. This also lets attackers who successfully log into the device hide their tracks from the RouterOS user interface. Other mitigation measures are therefore important for reducing the risk of attack: removing the RouterOS administrative interface from the internet, limiting the IP addresses allowed for administrator login, disabling Winbox and the web interface, and using SSH with public/private keys instead of passwords.
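The mitigations listed above, written out as a RouterOS CLI configuration. This is an added example, not content from the original article or a vendor-supplied script; it assumes a management subnet of 192.168.88.0/24, ether1 as the internet-facing interface, a replacement administrator account named netops, and a public key already uploaded to the router's file store as netops.pub.

```routeros
# Added example (not from the original article). Assumed placeholders:
# management subnet 192.168.88.0/24, WAN interface ether1, user "netops",
# key file netops.pub. Adjust them before applying to a real device.

# 1. Replace the default "admin" account: create a named full-rights user
#    that may only log in from the management subnet, then disable "admin".
/user add name=netops group=full password="CHANGE-ME-long-random-passphrase" address=192.168.88.0/24
/user disable admin

# 2. SSH with public keys instead of passwords: bind the uploaded key to the
#    new user and tighten the SSH server. With a key imported for a user,
#    RouterOS refuses password login for that user unless
#    always-allow-password-login is set to yes.
/user ssh-keys import public-key-file=netops.pub user=netops
/ip ssh set strong-crypto=yes always-allow-password-login=no

# 3. Disable Winbox, the web interface and the legacy services, and restrict
#    SSH to the management subnet only.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl,winbox
/ip service set ssh address=192.168.88.0/24 port=22

# 4. Keep the management plane off the internet: drop management ports that
#    arrive on the WAN interface list (the default configuration already has
#    a list named WAN; skip the "add" if it exists), placed before any accept
#    rules, and stop Winbox/discovery over MAC and neighbor protocols.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 action=drop place-before=0 comment="no management from the internet"
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# 5. Review the result.
/ip service print
/user print
```

Apply it from a console session on the management subnet, since the firewall rule and the service address restriction will cut off any administrative session coming from elsewhere.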

Figure 1: Indonesia RouterOS

In terms of the number of vulnerable devices, more than 51,007 MikroTik routers in Indonesia are potentially affected by this vulnerability. Although authentication is required, obtaining access credentials is not difficult, as many installations still use the default "admin" user with a blank password. RouterOS also does not enforce password requirements, so administrators are free to set whatever password they see fit. As a result, many devices remain vulnerable even though this vulnerability has been known since June 2022.

This vulnerability gives attackers "super-admin" access, meaning full access to the device's operating system and the ability to make undetectable changes. In previously collected data, CyberDefenseInsight identified a significant number of exposed MikroTik RouterOS systems in Indonesia, including outdated versions still in use. Currently, it is estimated that around 51,006 RouterOS systems are exposed to the public, with over 5000 MikroTik RouterOS devices in Indonesia affected by CVE-2023-30799. Although an exploit for this vulnerability has not been publicly disclosed, a Proof of Concept (PoC) has been published, and there is a high probability that attackers have already leveraged this vulnerability for activities such as cryptojacking and exploit delivery.

Figure 2: Shodan Data RouterOS Exposed

Among the vulnerable RouterOS systems identified by CyberDefenseInsight, some belong to large companies operating in Indonesia. It is possible that these vulnerable devices are in use by their customers, or even within the scope of the services those companies provide.

Figure 3: Internet provider Company RouterOS

Awareness of this critical vulnerability is essential for MikroTik RouterOS users, especially network administrators, who should immediately upgrade their devices to the latest version and implement the recommended mitigation measures. By taking proper precautions, users can strengthen the security of their devices and reduce the risk of attack. Users should also follow the security updates released by device manufacturers and take the necessary steps to keep their networks safe. In an ever-evolving cyber environment, these proactive measures are critical to protecting data and infrastructure from evolving threats.