BIND 9 Vulnerabilities Expose Organizations to Cache Poisoning and DoS Attacks

Two critical vulnerabilities in the BIND 9 DNS resolver software expose organizations worldwide to cache poisoning and denial-of-service attacks.

The vulnerabilities, identified as CVE-2025-40776 and CVE-2025-40777, pose significant security risks to DNS infrastructure, particularly for resolvers configured with specific advanced features.

Key Takeaways
1. CVE-2025-40776 (cache poisoning) and CVE-2025-40777 (denial-of-service) affect BIND 9 resolvers.
2. Specific BIND configurations can be exploited remotely without authentication.
3. Upgrade to patched versions or disable the vulnerable features.

BIND 9 Cache Poisoning Flaw (CVE-2025-40776)

The first vulnerability, CVE-2025-40776, affects BIND 9 resolvers configured with EDNS Client Subnet (ECS) options and carries a High severity rating of 8.6 on the CVSS scale.

This birthday attack vulnerability affects only the BIND Subscription Edition (-S) versions, including 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.

The attack abuses resolvers that send ECS options to authoritative servers: an attacker can compel such a resolver to issue additional queries, which increases the probability of successfully guessing the query source port.

Xiang Li from AOSP Lab of Nankai University discovered this vulnerability, which bypasses the mitigations for the original birthday cache poisoning attack.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N indicates network-accessible exploitation with high integrity impact.

BIND 9 DoS Vulnerability (CVE-2025-40777)

CVE-2025-40777 presents a different threat vector: a denial of service triggered through an assertion failure, with a CVSS score of 7.5.

This vulnerability affects BIND versions 9.20.0 through 9.20.10 and 9.21.0 through 9.21.9, plus the corresponding Supported Preview Edition versions.

The vulnerability can only be triggered when a resolver is configured with stale-answer-enable yes and stale-answer-client-timeout set to 0.

Specific CNAME chain combinations involving cached or authoritative records can trigger the assertion and terminate the named daemon.

The vulnerability was discovered during internal testing, with no active exploits currently identified. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H reflects high availability impact through remote exploitation.

Summary of both advisories (CVE, title, affected products, CVSS 3.1 score, severity):

CVE-2025-40776
  Title: Birthday Attack against Resolvers supporting ECS
  Affected products: BIND 9 Supported Preview Edition 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, 9.20.9-S1 through 9.20.10-S1
  CVSS 3.1 score: 8.6
  Severity: High

CVE-2025-40777
  Title: A possible assertion failure when using the 'stale-answer-client-timeout 0' option
  Affected products: BIND 9 9.20.0 through 9.20.10 and 9.21.0 through 9.21.9; BIND Supported Preview Edition 9.20.9-S1 through 9.20.10-S1
  CVSS 3.1 score: 7.5
  Severity: High

Mitigations

ISC recommends immediate patching to resolve both vulnerabilities.

For CVE-2025-40776, organizations should upgrade to BIND 9.18.38-S1 or 9.20.11-S1, or disable ECS by removing the ecs-zones option from named.conf. CVE-2025-40777 requires upgrading to BIND 9.20.11 or 9.21.10; until then, setting stale-answer-client-timeout off or stale-answer-enable no in the configuration works around the issue.
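As an added example (not ISC's code or the advisory's), the following Python audit reads a named.conf and flags the option combinations named above, plus a BIND version inside the CVE-2025-40777 ranges; the sample configs are constructed and the exact ecs-zones syntax is assumed.

```python
"""Audit a named.conf for the settings named in this advisory (added example,
not ISC code): stale-answer-enable yes + stale-answer-client-timeout 0
(CVE-2025-40777), any ecs-zones statement (CVE-2025-40776), and a BIND
version inside the CVE-2025-40777 ranges quoted in the article."""
import re
from typing import List, Optional

# Affected version ranges for CVE-2025-40777 from the advisory, inclusive.
VULN_40777 = [((9, 20, 0), (9, 20, 10)), ((9, 21, 0), (9, 21, 9))]

def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def audit_named_conf(conf: str, version: Optional[str] = None) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing flagged."""
    text = strip_comments(conf)
    findings = []
    stale = re.search(r"\bstale-answer-enable\s+(yes|true)\b", text)
    timeout = re.search(r"\bstale-answer-client-timeout\s+(\w+)", text)
    if stale and timeout and timeout.group(1) == "0":
        findings.append("CVE-2025-40777: stale-answer-enable yes with stale-answer-client-timeout 0")
    if re.search(r"\becs-zones\b", text):
        findings.append("CVE-2025-40776: ecs-zones enables ECS (Subscription Edition)")
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    if m:
        v = tuple(int(p) for p in m.groups())
        if any(lo <= v <= hi for lo, hi in VULN_40777):
            findings.append(f"CVE-2025-40777: BIND {version} is in an affected range")
    return findings

# Constructed sample configs; the ecs-zones syntax is assumed, not from the advisory.
VULNERABLE_CONF = """
options {
    recursion yes;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;   // the CVE-2025-40777 precondition
    ecs-zones { any; };              // ECS forwarding to authoritative servers
};
"""
HARDENED_CONF = """
options {
    recursion yes;
    stale-answer-enable yes;
    stale-answer-client-timeout off; // workaround from the advisory
    // ecs-zones removed entirely
};
"""
```

Feed it the output of `named-checkconf -p` to audit the effective configuration rather than a single file; note that the hardened config still produces a version finding until named itself is upgraded.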

These vulnerabilities highlight the critical importance of maintaining updated DNS infrastructure, as both cache poisoning and denial-of-service attacks can severely compromise organizational security posture and service availability.
