WARNING: CRITICAL VULNERABILITY IN MIKROTIK ROUTEROS

Reference:
Advisory #2023-89

Version:
1.0

Affected software:
MikroTik RouterOS long-term versions prior to 6.49.8
MikroTik RouterOS stable versions 6.27 to version 6.49.6

Type:
Remote Code Execution

CVE/CVSS:
CVE-2023-30799
CVSS score : 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 

Sources

https://mikrotik.com/download/changelogs/long-term-release-tree
https://mikrotik.com/download/changelogs/stable-release-tree
https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/

Risks

By successfully exploiting CVE-2023-30799, a remote and authenticated attacker could escalate privileges from admin to super-admin, which would enable them to execute arbitrary code.

It is important to note that admin credentials for RouterOS can be guessed relatively easily, because:

• RouterOS ships with a fully functional admin user by default
• RouterOS does not impose admin password strengthening requirements – which makes it vulnerable to brute-forcing attacks

Description

MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. MikroTik RouterOS has different user privileges, including admin and Super Admin accounts. While an admin account has restricted elevated privileges, a Super Admin account gives full access to the RouterOS operating system.

CVE-2023-30799 is a vulnerability in RouterOS that could enable an attacker to elevate privileges from admin to Super Admin. This makes it possible for the attacker to make changes to the underlying operating system and/or hide activities from detection.

Recommended Actions

MikroTik recommends upgrading your software:

• MikroTik RouterOS stable v6.49.7
• MikroTik RouterOS long-term v6.49.8

It is also considered good practice to:

• Remove administrative interfaces from the internet
• Restrict login IP addresses to a defined allow-list
• Disable Winbox and only use SSH
• Configure SSH to use public/private keys instead of passwords

References