CVE-2019-3978
Published 2019-10-29
Priority: P2 · 61 · High · CVSS 3.1: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploited in the wild (ITW)
EPSS: 10.27% (95.1th percentile)
RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker's choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikrotik | routeros | <= 6.44.5 | — |
| mikrotik | routeros | <= 6.45.6 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated inbound TCP connections to port 8291 (Winbox) from external/untrusted IP addresses, which may indicate exploitation attempts for CVE-2019-3978.
- Inspect Winbox (port 8291) traffic for the message pattern containing fields bff0005, uff0006, uff0007, and Uff0001 with a user-supplied DNS server address (u1 field), which is the exploit's wire format for triggering a DNS lookup.
- Alert on RouterOS DNS cache entries appearing for domains not queried by internal clients, especially when the TTL or resolved address is unexpected; this is indicative of DNS cache poisoning via CVE-2019-3978/3979.
- Chain detection: watch for a RouterOS downgrade event (autoupgrade to an older version) shortly after unauthenticated Winbox port 8291 activity, as this indicates chained exploitation of CVE-2019-3977 and CVE-2019-3978.
- The attack is significantly more impactful when the RouterOS device is configured to serve DNS to downstream clients, as poisoned cache entries will propagate to all clients using the router as their resolver.
- Disabling the Winbox interface entirely, or restricting port 8291 to specific trusted IP addresses, eliminates the unauthenticated attack surface for CVE-2019-3978.
- CVE-2019-3979 compounds the risk: even if CVE-2019-3978 is patched, a router querying an attacker-controlled DNS server will still cache unrelated/malicious A records due to improper DNS response handling.
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
No detection rules found.