#VU22426 Incorrect permission assignment for critical resource

Published: 2021-06-17

Vulnerability identifier: #VU22426

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-3978


Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
MikroTik RouterOS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: MikroTik


The vulnerability allows a remote attacker to perform DNS cache poisoning attacks.

The vulnerability exists due to RouterOS allows a remote attacker to initiate DNS queries via port 8291/TCP. A remote attacker can force the router to send DNS requests to an attacker-contorted server and poison router's DNS cache.

Install updates from vendor's website.

Vulnerable software versions

MikroTik RouterOS: 6.45.1 - 6.45.6, 6.44.1 - 6.44.5


External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability