Multiple BIND 9 DNS Vulnerabilities Enable Cache Poisoning and Denial of Service Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Internet Systems Consortium (ISC) disclosed three high-severity vulnerabilities in BIND 9 on October 22, 2025, potentially allowing remote attackers to conduct cache poisoning attacks or cause denial-of-service (DoS) conditions on affected DNS resolvers. <\/p>\n
These flaws, tracked as CVE-2025-8677, CVE-2025-40778, and CVE-2025-40780, primarily impact recursive resolvers used by organizations for domain name resolution, leaving authoritative DNS servers<\/a> largely unaffected.<\/p>\n With BIND powering a significant portion of the internet\u2019s DNS infrastructure, administrators are urged to apply patches immediately to mitigate risks of service disruptions and malicious redirections.<\/p>\n CVE-2025-8677<\/a> involves resource exhaustion triggered by malformed DNSKEY records in specially crafted zones, leading to CPU overload on resolvers during queries.<\/p>\n Rated at a CVSS score of 7.5, this vulnerability enables attackers to remotely overwhelm servers without authentication, severely degrading performance for legitimate users. <\/p>\n ISC notes that while authoritative setups remain safe, resolvers in recursive mode are prime targets, echoing concerns from their knowledge base on unintended query behaviors.<\/p>\n The other two issues center on cache poisoning, a technique reminiscent of the 2008 Dan Kaminsky attack that once threatened global DNS integrity. <\/p>\n CVE-2025-40778<\/a> (CVSS 8.6) stems from BIND\u2019s overly permissive handling of unsolicited resource records in responses, allowing forged data to infiltrate the cache and corrupt future resolutions.<\/p>\n Similarly, CVE-2025-40780<\/a> (CVSS 8.6) exploits a weak pseudo-random number generator (PRNG), making source ports and query IDs predictable for spoofing malicious replies into the cache.<\/p>\n Both flaws elevate the attack surface by enabling scope changes in impact, as tainted caches could redirect traffic across networks.<\/p>\n Researchers from Nankai University, Tsinghua University, and Hebrew University of Jerusalem identified these issues, crediting their work in ISC\u2019s advisories. <\/p>\n No active exploits are known yet, but the remote, unauthenticated nature heightens urgency given BIND\u2019s widespread deployment.<\/p>\n Successful exploitation could lead to phishing<\/a>, malware distribution, or man-in-the-middle attacks by diverting users to attacker-controlled sites.<\/p>\n For instance, poisoned caches might replace legitimate IP addresses with malicious ones, mimicking trusted domains and eroding user trust in online services. <\/p>\n DoS from CVE-2025-8677 risks operational downtime, financial losses, and reduced productivity for businesses reliant on stable DNS. <\/p>\n Organizations using vulnerable versions spanning BIND 9.11.0 to 9.21.12 and Supported Preview Editions face elevated threats, especially in cloud and enterprise environments.<\/p>\n ISC emphasizes that these vulnerabilities underscore ongoing DNS resilience challenges, even post-Kaminsky mitigations like randomized query IDs. <\/p>\n Distributions like Ubuntu and Red Hat<\/a> have begun issuing updates, with package maintainers encouraged to release patches swiftly.<\/p>\n No workarounds exist, so upgrading to fixed releases is essential: BIND 9.18.41, 9.20.15, or 9.21.14 for standard branches, and corresponding Supported Preview versions. <\/p>\n Selective patches are available in release directories for those preferring minimal changes. Administrators should review ISC\u2019s advisories and monitor for distribution updates to safeguard against these DNS threats.<\/p>\n As BIND evolves, such disclosures highlight the need for proactive patching in critical infrastructure.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Multiple BIND 9 DNS Vulnerabilities Enable Cache Poisoning and Denial of Service Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nFlaws Exposed In Resolver Logic<\/strong><\/h2>\n
Mitigations<\/strong><\/h2>\n