BIND 9 Vulnerabilities Enable Cache Poisoning and Service Disruption
The Internet Systems Consortium (ISC) has disclosed two critical security vulnerabilities in BIND 9, one of the most widely used DNS software implementations worldwide.
Published on July 16, 2025, these vulnerabilities could allow attackers to poison DNS caches and disrupt DNS resolution services, potentially affecting millions of internet users and organizations globally.
Critical Security Flaws Identified
The first vulnerability, CVE-2025-40776, represents a sophisticated birthday attack against DNS resolvers that support EDNS Client Subnet (ECS) options.
This high-severity flaw affects only the BIND Subscription Edition (-S) and carries a CVSS score of 8.6, indicating significant security implications for organizations using this premium version of the software.
The vulnerability enables cache poisoning attacks by compelling ECS-enabled resolvers to make queries that increase the likelihood of successfully guessing source ports and other critical details needed to bypass existing cache poisoning protections.
| CVE | Severity | CVSS Score | Primary Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2025-40776 | High | 8.6 | Cache Poisoning | BIND-S 9.11.3-S1 → 9.20.10-S1 |
| CVE-2025-40777 | High | 7.5 | Service Disruption | BIND 9.20.0 → 9.20.10, 9.21.0 → 9.21.9 |
This weakness makes DNS resolvers more susceptible to spoofed query responses, potentially allowing attackers to redirect users to malicious websites or intercept communications.
The second vulnerability, CVE-2025-40777, poses a different but equally serious threat.
This flaw can cause assertion failures leading to complete service disruption when specific configuration conditions are met.
With a CVSS score of 7.5, this vulnerability affects resolvers configured with serve-stale-enable yes and stale-answer-client-timeout set to 0, causing the DNS daemon to abort unexpectedly when processing certain CNAME chains.
Affected Versions and Impact
Both vulnerabilities primarily impact DNS resolvers rather than authoritative servers, though ISC emphasizes the importance of understanding when authoritative servers might perform recursive queries.
The cache poisoning vulnerability affects multiple versions of BIND Subscription Edition, from 9.11.3-S1 through recent releases, while the assertion failure bug impacts BIND versions 9.20.0 through 9.20.10 and 9.21.0 through 9.21.9.
ISC has released patched versions addressing both vulnerabilities. Organizations using affected versions should immediately upgrade to BIND 9.18.38-S1, 9.20.11-S1, 9.20.11, or 9.21.10 depending on their current deployment.
As temporary workarounds, administrators can disable ECS functionality for the cache poisoning vulnerability or modify stale-answer configurations for the assertion failure issue.
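To make the CVE-2025-40777 conditions above concrete, here is an added example (not ISC code) that checks a BIND version against the advisory's affected ranges and scans a named.conf fragment for the serve-stale-enable yes / stale-answer-client-timeout 0 combination. The config parser is a simplified assumption: it only matches top-level `name value;` statements and ignores views; the sample config is constructed.

```python
import re

# Inclusive affected version ranges for CVE-2025-40777, as listed in the ISC advisory.
AFFECTED_40777 = [((9, 20, 0), (9, 20, 10)), ((9, 21, 0), (9, 21, 9))]

# Constructed sample named.conf fragment (not from the advisory) showing the trigger combination.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";   // comment to be ignored
    recursion yes;
    serve-stale-enable yes;
    stale-answer-client-timeout 0;  # stale answers served immediately
};
"""

def parse_version(version):
    """'9.20.10' or '9.20.10-S1' -> (9, 20, 10); the -S edition suffix is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def version_affected_40777(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_40777)

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options are not matched."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def option_value(conf, name):
    """Value of the first `name value;` statement, or None. Simplified: ignores views."""
    m = re.search(r"\b%s\s+([^;]+);" % re.escape(name), strip_comments(conf))
    return m.group(1).strip().lower() if m else None

def config_triggers_40777(conf):
    """True when serve-stale-enable is yes and stale-answer-client-timeout is 0."""
    return (option_value(conf, "serve-stale-enable") == "yes"
            and option_value(conf, "stale-answer-client-timeout") == "0")

def assess(version, conf):
    """Combine the version and configuration checks into one verdict with the advised action."""
    ver_hit = version_affected_40777(version)
    cfg_hit = config_triggers_40777(conf)
    if ver_hit and cfg_hit:
        action = "upgrade to 9.20.11 / 9.21.10, or change stale-answer-client-timeout as a workaround"
    elif ver_hit:
        action = "version affected; upgrade, and keep stale-answer-client-timeout away from 0"
    else:
        action = "version not in the affected ranges for CVE-2025-40777"
    return {"version_affected": ver_hit, "config_triggers": cfg_hit,
            "exposed": ver_hit and cfg_hit, "action": action}

if __name__ == "__main__":
    print(assess("9.20.10", SAMPLE_CONF))
```

Run it against the output of `named -V` and your real named.conf; a result with `exposed` set to True means both the version and the configuration match the advisory's trigger.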
The vulnerabilities were discovered through internal testing and academic research, with credit given to Xiang Li from AOSP Lab of Nankai University for identifying the ECS-related flaw.
ISC reports no awareness of active exploits but urges immediate patching given the potential for significant security impact.