CVE-2019-3979

Name of the Vulnerable Software and Affected Versions RouterOS versions 6.45.6 and below RouterOS version 6.44.5 Long-term and below

Description The issue allows a remote attacker to poison the router's DNS cache via malicious responses with additional and untrue records. This is due to the router adding all A records to its DNS cache even when the records are unrelated to the domain that was queried. The vulnerability exists because of insufficient input validation, which can allow an attacker to cause damage to the integrity of the data in the DNS system.

Recommendations For RouterOS versions 6.45.6 and below, update to a version above 6.45.6 to resolve the issue. For RouterOS version 6.44.5 Long-term and below, update to a version above 6.44.5 to resolve the issue. As a temporary workaround, consider restricting access to the winbox dns request to minimize the risk of exploitation. Avoid using the vulnerable DNS cache functionality until the issue is resolved. Restrict access to the TCP port 8291 (Winbox) to prevent remote attackers from exploiting the vulnerability.