CVE-2019-3979 in RouterOS

Summary

by MITRE

RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulnerable to a DNS unrelated data attack. The router adds all A records to its DNS cache even when the records are unrelated to the domain that was queried. Therefore, a remote attacker-controlled DNS server can poison the router's DNS cache via malicious responses with additional and untrue records.


Analysis

by VulDB Data Team • 01/29/2024

CVE-2019-3979 is a critical DNS cache poisoning flaw in MikroTik RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and earlier releases. It stems from missing validation in the router's DNS resolver: the resolver does not check cached records against the query they arrived in, which is a significant risk for network infrastructure. A remote attacker can manipulate the router's DNS cache with responses that carry additional A records unrelated to the domain originally queried, which amounts to unauthorized DNS cache poisoning.

Technically, the flaw is the router's failure to validate DNS responses against the queried domain name. When a resolver processes a response, it should accept and cache only records that are directly related to the name it asked about. The affected RouterOS versions instead accept and store every A record present in the response, regardless of its relevance to the original query. An attacker who controls a malicious DNS server can therefore craft a response containing both a legitimate record for the queried domain and additional false A records for unrelated domains, and the router caches all of them.

The operational impact is substantial for organizations that rely on MikroTik routers as network infrastructure. Administrators may see service disruptions, redirected traffic, and man-in-the-middle attacks as clients resolve names through the poisoned cache. An attacker can redirect traffic to malicious destinations, weaken the network's security posture, and potentially gain unauthorized access to network resources. The issue undermines the trust model of DNS resolution itself, and with it the security of every system that uses the affected routers for DNS.

Mitigation for CVE-2019-3979 should start with an immediate firmware update to version 6.45.7 or later, which contains the patch for the DNS cache validation flaw. Network administrators should also add controls such as DNSSEC deployment, which provides cryptographic validation of DNS responses, and consider configuring RouterOS to disable DNS caching features that are not needed. The vulnerability aligns with CWE-20: Improper Input Validation, since DNS response data is inadequately validated. From an ATT&CK framework perspective, this vulnerability maps to T1071.004: Application Layer Protocol: DNS, and T1566.002: Phishing: Spearphishing Attachment, as it enables attackers to manipulate DNS resolution and potentially deliver malicious payloads through compromised DNS responses. Organizations should also consider network monitoring that detects anomalous DNS traffic patterns indicative of cache poisoning attempts.
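The following Python example is added here to make the failing check concrete; it is not RouterOS code and not from MITRE or VulDB. It contains a minimal DNS wire-format parser, a filter that keeps only records whose owner name is the queried name (or a CNAME target reached from it within the answer section) and reports everything else, and, for comparison, the "cache every A record" behaviour the analysis attributes to the affected versions. The response message it parses is constructed inline; the names and addresses in it are placeholders from documentation ranges. The rejected list is also what a monitoring rule would look at when flagging responses that carry unrelated records.

```python
import struct

A_RECORD, CNAME_RECORD = 1, 5


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_rr(msg: bytes, off: int):
    """Parse one resource record starting at off; return (record dict, new offset)."""
    name, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == A_RECORD and rdlen == 4:
        value = ".".join(str(b) for b in rdata)
    elif rtype == CNAME_RECORD:
        value, _ = decode_name(msg, off)
    else:
        value = rdata.hex()
    return {"name": name, "type": rtype, "ttl": ttl, "value": value}, off + rdlen


def parse_response(msg: bytes):
    """Return (qname, qtype, sections) for a single-question response."""
    _qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    sections = {}
    for label, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            recs.append(rr)
        sections[label] = recs
    return qname, qtype, sections


def vulnerable_cache_entries(sections):
    """Behaviour the analysis describes for affected versions: every A record in
    the response is cached, whatever its owner name or section."""
    return [rr for recs in sections.values() for rr in recs if rr["type"] == A_RECORD]


def cacheable_records(qname, sections):
    """Hardened behaviour: accept only answer-section records whose owner is the
    queried name or a CNAME target chained from it; report the rest as rejected."""
    related = {qname}
    changed = True
    while changed:  # follow the CNAME chain inside the answer section
        changed = False
        for rr in sections["answer"]:
            if rr["type"] == CNAME_RECORD and rr["name"] in related and rr["value"] not in related:
                related.add(rr["value"])
                changed = True
    accepted, rejected = [], []
    for sec in ("answer", "authority", "additional"):
        for rr in sections[sec]:
            if sec == "answer" and rr["name"] in related:
                accepted.append(rr)
            else:
                rejected.append((sec, rr))
    return accepted, rejected


def build_sample_response() -> bytes:
    """Constructed test message (not captured traffic): query www.example.com/A,
    one matching answer, plus an unrelated A record in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("www.example.com") + struct.pack("!HH", A_RECORD, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, 4) + bytes([192, 0, 2, 10])
    extra = encode_name("login.example.net") + struct.pack("!HHIH", A_RECORD, 1, 300, 4) + bytes([198, 51, 100, 7])
    return header + question + answer + extra


if __name__ == "__main__":
    qname, _, sections = parse_response(build_sample_response())
    print("affected versions would cache:", [r["value"] for r in vulnerable_cache_entries(sections)])
    accepted, rejected = cacheable_records(qname, sections)
    print("hardened resolver caches:", [r["value"] for r in accepted])
    print("rejected (worth alerting on):", [(s, r["name"]) for s, r in rejected])
```

The filter treats the additional section as untrusted hints only, never as cacheable answers, which is the missing step the advisory describes; a monitoring rule can count responses per upstream server with a non-empty rejected list.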
