Over 900,000 MikroTik Routers Exposed to Critical Bug
Security experts have warned that hundreds of thousands of routers produced by Latvian networking equipment maker MikroTik are vulnerable to a critical bug which could enable attackers to remotely control affected devices.
VulnCheck researcher, Jacob Baines, explained in a blog post yesterday that remote and authenticated attackers can use CVE-2023-30799 to get a root shell on MikroTik RouterOS routers.
The vulnerability itself was first disclosed in June 2022 but only assigned a CVE after VulnCheck published new exploits, Baines said. A patch is now available, but Baines claimed that around 472,000 RouterOS devices globally are still vulnerable via their web management interface – with the figure rising to more than 920,000 if exploitation happens via the Winbox management client.
The flaw is a privilege escalation bug with a CVSS score of 9.1.
“A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system,” noted an entry on the National Vulnerability Database (NVD).
Baines warned that although exploitation of the bug requires authentication, this is easier than one might think.
VulnCheck claimed around 60% of RouterOS users are still running a default admin user.
“RouterOS ships with a fully functional ‘admin’ user. Hardening guidance tells administrators to delete the ‘admin’ user, but we know a large number of installations haven’t,” Baines explained.
“To make matters worse, the default ‘admin’ password is an empty string, and it wasn’t until RouterOS 6.49 (October 2021) that RouterOS started prompting administrators to update blank passwords. Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That’s particularly unfortunate because the system doesn’t offer any brute force protection (except on the SSH interface).”
Adding to customers’ woes is the fact that detecting exploitation of CVE-2023-30799 is “nearly impossible” because RouterOS web and Winbox interfaces implement custom encryption which threat detection systems Snort and Suricata can’t decrypt and inspect, Baines added.
That means the best time to catch an attacker is when they’re attempting to brute force the admin credentials, if they decide to go down that route.
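As an added illustration of that detection opportunity (this is not code from the article or from VulnCheck): a small Python detector that reads RouterOS log lines, counts failed Winbox and web logins per source address inside a sliding window, and separately flags a successful login that follows a burst of failures from the same source. The sample log lines are constructed for the example in RouterOS's `login failure for user ... from ... via ...` format; the threshold, window length and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RouterOS log output (topics system,error,critical for
# failed logins, system,info,account for successful ones). Not captured from a real device.
SAMPLE_LOG = """\
jul/26 10:00:01 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jul/26 10:00:02 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jul/26 10:00:02 system,error,critical login failure for user admin from 203.0.113.5 via www
jul/26 10:00:03 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jul/26 10:00:04 system,error,critical login failure for user admin from 203.0.113.5 via www
jul/26 10:00:05 system,info,account user admin logged in from 203.0.113.5 via winbox
jul/26 10:30:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh
jul/26 11:00:00 system,error,critical login failure for user admin from 192.0.2.7 via winbox
"""

FAIL_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<iface>\S+)$")
SUCCESS_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<iface>\S+)$")

def parse_ts(ts: str, year: int = 2023) -> datetime:
    # Default RouterOS timestamps carry no year; the year is an assumption for window arithmetic.
    return datetime.strptime(f"{year} {ts}", "%Y %b/%d %H:%M:%S")

def detect_bruteforce(log_text: str, threshold: int = 4, window: timedelta = timedelta(minutes=5)):
    """Return (src, kind, count) alerts. Only Winbox and www are watched, since the
    article notes those interfaces have no brute-force protection (SSH does)."""
    failures = defaultdict(list)  # src -> timestamps of recent winbox/www failures
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            if m["iface"] not in ("winbox", "www"):
                continue
            src, ts = m["src"], parse_ts(m["ts"])
            hist = [t for t in failures[src] if ts - t <= window]  # drop events outside the window
            hist.append(ts)
            failures[src] = hist
            if len(hist) == threshold:  # fire once when the window first fills
                alerts.append((src, "bruteforce", len(hist)))
            continue
        m = SUCCESS_RE.match(line)
        if m and failures.get(m["src"]):
            # A success right after repeated failures is the strongest sign the guess worked.
            alerts.append((m["src"], "success-after-failures", len(failures[m["src"]])))
    return alerts
```

Feed it the output of `/log print` (or a syslog export) and forward any `success-after-failures` alert for immediate review, since it indicates the admin account was likely guessed.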
Editorial image credit: awstoys / Shutterstock.com