According to BleepingComputer , the vulnerability on MikroTik routers assigned the identifier CVE-2023-30799 allows a remote attacker with an existing administrator account to elevate privileges to superadmin via the device's Winbox or HTTP interface.
Previously, a report from security firm VulnCheck explained that although exploiting the vulnerability requires an administrator account, the input to exploit the vulnerability comes from the default password not being changed. The researchers said that the routers lack basic protections against password guessing.
VulnCheck did not release proof of exploitation for fear that it would become a tutorial for malicious hackers. Researchers said that up to 60% of MikroTik devices still use the default admin account.
MikroTik is a router brand present in the Vietnamese market.
MikroTik is a Latvian brand specializing in network devices, running on the MikroTik RouterOS operating system. When using, users can access the administration page on both the web interface or the Winbox application to configure and manage LAN or WAN networks.
Typically, the initial login account is set by the manufacturer as "admin" and a default password for most products. This is a risk that leaves the device vulnerable to attack.
The vulnerability CVE-2023-30799 was first disclosed without an identifier in June 2022 and MikroTik patched the issue in October 2022 via RouterOS stable v6.49.7 and on July 19, 2023 for RouterOS long-term (v6.49.8).
Researchers found 474,000 vulnerable devices when they were remotely exposed to a web-based management page. VulnCheck reports that the Long-term version was only patched when the team managed to contact the manufacturer and share how to attack MikroTik hardware.
Since the vulnerability can also be exploited on the Winbox app, the researchers say that around 926,000 devices have their management ports exposed, making the impact much wider.
According to WhiteHat experts, the main cause of the vulnerability comes from two factors: users and manufacturers. Users who buy devices often ignore the manufacturer's security recommendations and "forget" to change the device's default password. But even after changing the password, there are still other risks from the manufacturer. MikroTik has not equipped any security solutions against password guessing (brute-force) attacks on the MikroTik RouterOS operating system. Hackers can therefore use tools to guess access names and passwords without being prevented.
VulnCheck demonstrates exploiting security flaw on MikroTik router
Furthermore, MikroTik also allowed setting an empty admin password and left this issue unaddressed until October 2021 when they released RouterOS 6.49 to address it.
To minimize risks, WhiteHat experts recommend that users immediately update the latest patch for RouterOS, and can also implement additional solutions such as disconnecting the internet on the administration interface to prevent remote access, and setting strong passwords if the administration page must be made public.
Source link
Comment (0)