Super Admin Elevation Bug Puts 900,000 MikroTik Devices at Risk

Cyber Security Threat Summary:
“A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface” (Bleeping Computer, 2023).

While the critical vulnerability does require an existing admin account to exploit, researchers note that this is an easy roadblock to bypass. The MikroTik RouterOS operating system does not prevent password brute-force attacks and ships with a well-known default "admin" user.

The researchers from VulnCheck who found the exploit have chosen not to release their proof-of-concept as they fear attacks will occur quickly in the wild.

Security Officer Comments:
The vulnerability was disclosed in June 2022 and fixed in October of the same year. Although a patch has been available since then, the researchers found nearly 500,000 vulnerable devices that still expose their web-based management pages remotely. Because the vulnerability is also exploitable over Winbox, a MikroTik management client, VulnCheck found 926,000 devices exposing that management port, making the impact far larger.

Exploiting the vulnerability allows an attacker to reach a higher level of admin privilege called “Super Admin.” Unlike the admin account, which offers restricted elevated privileges, Super Admin gives full access to the RouterOS operating system. The attacker can use this access to control the address of a function call. "Super admin is not a privilege given to normal administrators, it's a privilege that is supposed to be given to certain parts of the underlying software (specifically, in this case, to load libraries for the web interface), and not to actual users” (VulnCheck, 2023). Threat actors can jailbreak the RouterOS device and make significant changes to the underlying operating system to hide their activities and maintain persistence.

“The new exploit developed by VulnCheck bypasses the requirement for FTP interface exposure and is not impacted by blocking or filtering of bindshells, as it uses the RouterOS web interface to upload files. Finally, VulnCheck identified a simplified ROP chain that manipulates the stack pointer and the first argument register and calls dlopen, the instructions for which are present in three functions across different RouterOS versions, ensuring broad applicability” (Bleeping Computer, 2023).

VulnCheck notes that RouterOS ships with a fully functional admin account user by default. Their telemetry shows that nearly 60% of MikroTik devices are still using these default credentials despite the hardening guidance suggested by the vendor. Moreover, the default admin password was an empty string until October 2021, when this issue was fixed with the release of RouterOS 6.49.

Finally, RouterOS does not impose password strength requirements on admin accounts, so users may set anything they like, which leaves them susceptible to brute-force attacks, against which MikroTik offers no protection except on the SSH interface. "All of this is to say, RouterOS suffers from a variety of issues that make guessing administrative credentials easier than it should be," comments VulnCheck.

Suggested Correction(s):
The researchers believe CVE-2023-30799 is much easier to exploit than its CVSS score suggests and recommend that users patch their systems. MikroTik devices have historically been affected by other vulnerabilities and have been recruited into various DDoS botnets.

Users need to move quickly to patch the flaw by applying the latest update for RouterOS, as attempts to exploit the flaw are bound to increase soon.

Mitigation advice includes removing administrative interfaces from the internet, restricting login IP addresses to a defined allow-list, disabling Winbox in favour of SSH only, and configuring SSH to use public/private keys instead of passwords.
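The mitigations above as RouterOS terminal commands, added here as an illustration rather than taken from the advisory or from MikroTik's own documentation; the management subnet 192.168.88.0/24, the key file name admin.pub and the default "WAN" interface list are assumptions about the deployment.

```routeros
# Added example, not from the advisory or MikroTik. Assumes RouterOS v6/v7 CLI,
# a trusted management subnet of 192.168.88.0/24 (placeholder) and that the
# admin's public key has already been uploaded to the router as admin.pub.

# 1. Apply the latest RouterOS update before anything else.
/system package update check-for-updates
/system package update install

# 2. Take management services off the internet: disable everything that is not
#    needed (including Winbox) and bind the remaining ones to the trusted subnet.
/ip service disable telnet,ftp,www,api,api-ssl,winbox
/ip service set ssh address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 3. Drop unsolicited traffic to the router itself from the WAN side, so a
#    service that is later re-enabled by mistake is still not reachable.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept
/ip firewall filter add chain=input in-interface-list=WAN action=drop \
    comment="block remote management (CVE-2023-30799 mitigation)"

# 4. Restrict where the admin user may log in from and replace the default
#    (possibly empty) password with a long random one.
/user set admin address=192.168.88.0/24
/user set admin password="<long-random-passphrase-placeholder>"

# 5. Key-based SSH: import the uploaded public key for the admin user and
#    require modern ciphers.
/user ssh-keys import public-key-file=admin.pub user=admin
/ip ssh set strong-crypto=yes

# 6. Verify the result.
/ip service print
/user print
/ip firewall filter print
```

Run the commands from a session on the trusted subnet, since the address restrictions take effect immediately and will cut off any session coming from elsewhere.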

Link(s):
https://www.bleepingcomputer.com/