It’s A Bird, It’s A Plane, It’s A MikroTik SuperAdmin Bug!
Another Day, Another IT Nightmare
MikroTik RouterOS has often been attacked, and once unwillingly contributed to creating a record-breaking botnet called Mēris. Devices running RouterOS, including those managed through Winbox, need to be patched immediately, and there are almost one million of them out there. The bug allows someone with admin access to the network device to grant themselves SuperAdmin, which is an amusing name for the level of privilege given to low-level software so it can make function calls and perform other basic tasks. A user with that much access could easily root the router or switch and make invisible changes to the OS, as well as ensure their activities cannot be monitored.
You might be wondering why this is so awful if you need to be an admin in order to exploit it; the reason is almost as bad as the bug. Not only does MikroTik’s RouterOS ship with a built-in administrator account named the excessively obvious admin, until October 2021 its default password was blank. If you follow best practices and change or delete that account, RouterOS still has no password complexity requirements, so a lazy admin could use an easily guessable password. To make it even better, except for the SSH interface, RouterOS has absolutely no protections against brute-force password guessing.
Patch ’em if you got ’em, and maybe consider tossing them and getting replacement network devices.
"'En masse' exploitation is going to be more difficult since valid credentials are required. However, as I outlined in the blog, the routers lack basic protections against password guessing," VulnCheck researcher Jacob Baines told BleepingComputer.
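Since the device itself does nothing to throttle password guessing (SSH aside), the one place a defender can still catch it is the router's log. The following is an added example, not code from the article, from MikroTik or from VulnCheck: a small Python detector that reads login messages in the style RouterOS emits ("login failure for user X from IP via SERVICE" and "user X logged in from IP via SERVICE"), flags any source address that racks up a burst of failures against one account inside a sliding window, and notes when a successful login from that same source follows the burst. The timestamp prefix, the topic field and the sample lines themselves are constructed for the example; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of RouterOS login messages. The
# timestamps, topics and addresses are made up for this example.
SAMPLE_LOG = """\
2023-07-25 10:00:01 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:00:02 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:00:03 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:00:04 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:00:05 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:00:06 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:00:40 system,info,account user admin logged in from 203.0.113.7 via winbox
2023-07-25 10:02:00 system,error,critical login failure for user admin from 198.51.100.4 via www
2023-07-25 10:02:30 system,error,critical login failure for user admin from 198.51.100.4 via www
2023-07-25 10:05:00 system,info,account user ops logged in from 192.0.2.10 via ssh
"""

# Matches either a failed or a successful login line; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?:"
    r"login failure for user (?P<fuser>\S+) from (?P<fip>\S+) via (?P<fsvc>\S+)"
    r"|user (?P<ouser>\S+) logged in from (?P<oip>\S+) via (?P<osvc>\S+))$"
)


def parse(line):
    """Parse one log line into an event dict, or return None if it is not a login event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    if m.group("fuser"):
        return {"ts": ts, "kind": "fail", "user": m.group("fuser"),
                "ip": m.group("fip"), "service": m.group("fsvc")}
    return {"ts": ts, "kind": "ok", "user": m.group("ouser"),
            "ip": m.group("oip"), "service": m.group("osvc")}


def find_password_guessing(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag (source IP, user) pairs with >= threshold failures inside a sliding window.

    A burst of failures followed by a success from the same source against the
    same account is the pattern a defender most wants to see. Returns a list of
    alert dicts sorted by source address. Threshold and window are assumptions.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        if ev["kind"] == "fail":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(key, {
                    "source": ev["ip"], "user": ev["user"], "service": ev["service"],
                    "failures": 0, "success_after": False})
                a["failures"] = max(a["failures"], len(q))
        elif key in alerts:
            # A successful login after the burst means a guess probably landed.
            alerts[key]["success_after"] = True
    return sorted(alerts.values(), key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in find_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the embedded sample, the detector reports one alert: six failures for admin from 203.0.113.7 over Winbox within a minute, followed by a success from the same address. The two scattered failures from 198.51.100.4 stay below the threshold and produce nothing, which is the trade-off any windowed counter makes against slow, patient guessing; lowering the threshold or lengthening the window catches more of that at the cost of more noise from mistyped passwords.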
More Tech News From Around The Web
- Micron HBM3 Gen2 with Higher Capacity and Bandwidth @ ServeTheHome
- New Nitrogen malware pushed via Google Ads for ransomware attacks @ Bleeping Computer
- Meta, Microsoft and Amazon Team Up on Maps Project To Crack Apple-Google Duopoly @ Slashdot
- Google’s next big idea for browser security looks like another freedom grab to some @ The Register
- Samsung makes the Galaxy Z Fold 5 and Z Flip 5 official @ Ars Technica
- Debian 12.1 released with bug fixes aplenty and excitement still in short supply @ The Register
- Pocket assistant: ChatGPT comes to Android @ Ars Technica
If you’re using a MikroTik device, and you’re operating it with a blank password (or a weak password) for the default admin account, you’ve likely already been owned long ago. This bug makes little difference. It’s like obsessing about a tree in a vast forest.
Correction: not a “bug”, vulnerabilities/poor design.