DNS cache poisoning vulnerability

Tenable has identified a vulnerability in the RouterOS DNS implementation. RouterOS 6.45.6 and below is vulnerable to unauthenticated remote DNS cache poisoning via Winbox. The router is affected even when DNS is not enabled on it.

One possible attack vector is Winbox on port 8291, if that port is open to untrusted networks: the Winbox service passes messages to the system resolver. If Winbox access is allowed from untrusted networks, an attacker on the internet can make the router issue DNS requests without authenticating. This lets the attacker trigger arbitrary lookups, discover the router's internal address (router.lan), learn what is already in the DNS cache and, combined with the improper handling of DNS responses, poison that cache.
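The script below is an added illustration of how a poisoning attempt of this kind looks on the wire, and of the check a resolver must make before caching anything from a response. It is not RouterOS code; the page describes the bug only as "improper handling of DNS responses", so the precise check RouterOS lacked is an assumption here, shown as the difference between `naive_cache_update` and `strict_cache_update`. The scenario is the one above: the attacker has made the router resolve a name in a zone the attacker serves, and the attacker's server answers with an extra A record for a name the router never asked about. All names, addresses and the transaction ID are constructed for the example.

```python
import struct

A, IN = 1, 1   # DNS type A, class IN


def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2                # name ends after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def build_response(txid, qname, answers):
    """Response with one A/IN question and one A record per (name, ipv4)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", A, IN)
    for name, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", A, IN, 60, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return (txid, [(qname, qtype, qclass)], [(name, type, class, ttl, rdata)])."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return txid, questions, records


def naive_cache_update(cache, txid, qname, msg):
    """Poisonable: caches every A record in the response, whatever its name."""
    _, _, records = parse_response(msg)
    for name, rtype, rclass, _ttl, rdata in records:
        if (rtype, rclass) == (A, IN):
            cache[name] = ".".join(map(str, rdata))
    return cache


def strict_cache_update(cache, txid, qname, msg):
    """Hardened: caches only A records that answer the outstanding question.
    (A real resolver also follows CNAME chains and applies a bailiwick rule
    to glue; both are left out here to keep the check visible.)"""
    rtxid, questions, records = parse_response(msg)
    if rtxid != txid or questions != [(qname.lower(), A, IN)]:
        return cache                         # not a reply to what we sent
    for name, rtype, rclass, _ttl, rdata in records:
        if (rtype, rclass) == (A, IN) and name == qname.lower():
            cache[name] = ".".join(map(str, rdata))
    return cache


# Constructed sample: the lookup the router was tricked into sending, and the
# attacker's reply carrying an extra record for a name that was never asked
# about. Names, addresses and transaction ID are made up for this example.
ASKED = "lookup.attacker.example"
TXID = 0x1234
POISONED_RESPONSE = build_response(
    TXID, ASKED, [(ASKED, "203.0.113.10"), ("www.bank.example", "203.0.113.66")])


def demo():
    """Feed the same response to both cache policies and return the caches."""
    return (naive_cache_update({}, TXID, ASKED, POISONED_RESPONSE),
            strict_cache_update({}, TXID, ASKED, POISONED_RESPONSE))


if __name__ == "__main__":
    naive, strict = demo()
    print("naive :", naive)    # www.bank.example now points at the attacker
    print("strict:", strict)   # only the name that was asked for is cached
```

Running the script shows the naive policy ending up with an entry for `www.bank.example` that the router never queried, while the strict policy keeps only the answer to its own question and ignores a reply whose transaction ID or question section does not match the outstanding request.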

As usual, we recommend protecting your router's administration interfaces with a VPN and firewall rules, so that Winbox is not reachable from untrusted networks.

The issue is fixed in RouterOS versions:

  • 6.45.7 [stable]
  • 6.44.6 [long-term]
  • 6.46beta59 [testing]

With the following changelog entry:

  • !) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);

For more details, please see the original report by Jacob Baines (Tenable).