High-Severity BIND 9 Vulnerabilities Expose DNS Resolvers to Cache Poisoning and Denial-of-Service Attacks

The Internet Systems Consortium (ISC) has disclosed and patched two vulnerabilities in the BIND 9 Domain Name System (DNS) software, designated CVE-2025-40776 and CVE-2025-40777. The first enables cache poisoning against Subscription Edition resolvers that use EDNS Client Subnet; the second lets a remote attacker crash a resolver that uses a specific serve-stale setting. Both are rated high severity, and both are reachable only through non-default configurations, so organizations running BIND should check their settings as well as their version.

Understanding the Vulnerabilities

CVE-2025-40776: Cache Poisoning via EDNS Client Subnet (ECS)

This vulnerability affects BIND 9 resolvers configured to use EDNS Client Subnet (ECS), the option that lets a resolver pass a truncated client address prefix to authoritative servers so that answers can be tailored to the client's network. ECS is available only in the BIND Subscription Edition, so open-source BIND 9 builds are not affected. The flaw is rated high severity with a CVSS score of 8.6.

Affected Versions:

– BIND Subscription Edition (-S) versions:
– 9.11.3-S1 through 9.16.50-S1
– 9.18.11-S1 through 9.18.37-S1
– 9.20.9-S1 through 9.20.10-S1

Mechanism of Exploitation:

A resolver with ECS enabled includes an ECS option in the queries it sends to authoritative servers. BIND's usual defence against birthday-style cache poisoning is to fold duplicate outstanding queries for the same name and type into a single upstream query, so an attacker cannot trigger many simultaneous lookups and multiply the chances that a forged response matches an in-flight transaction ID and source port. Queries carrying different client subnets are not duplicates in that sense, so an attacker who can influence the subnet the resolver sends can force many concurrent upstream queries for the same name, which raises the probability of a successful source-port guess and therefore of poisoning the cache. The vulnerability was discovered by Xiang Li of the AOSP Lab at Nankai University, who noted that it circumvents BIND's existing mitigations against birthday attacks.

CVE-2025-40777: Denial-of-Service via Assertion Failures

This vulnerability enables attackers to cause assertion failures in BIND 9, leading to potential denial-of-service conditions. It carries a CVSS score of 7.5, indicating high severity.

Affected Versions:

– BIND 9 versions:
– 9.20.0 through 9.20.10
– 9.21.0 through 9.21.9
– BIND Subscription Edition (-S, formerly Supported Preview Edition) versions:
– 9.20.9-S1 through 9.20.10-S1

Mechanism of Exploitation:

The vulnerability is triggered only when a resolver has `stale-answer-enable yes;` together with `stale-answer-client-timeout 0;`, that is, serve-stale is on and the resolver is told to answer immediately from stale cache data while refreshing the record in the background. Neither value is the default. Under these conditions, specific CNAME chain combinations involving cached or authoritative records cause an assertion failure that terminates the `named` daemon, and an attacker who can repeat the trigger can keep the resolver down. The issue was identified during ISC's internal testing, and ISC reports no known active exploitation.

Mitigation Strategies

To protect against these vulnerabilities, ISC recommends the following actions:

For CVE-2025-40776:

– Upgrade: Update to BIND 9.18.38-S1 or 9.20.11-S1.
– Disable ECS: Remove every `ecs-zones` statement from the `named.conf` configuration. Without ECS the resolver no longer sends client-subnet options upstream, which closes the attack path at the cost of geographically tailored answers.

For CVE-2025-40777:

– Upgrade: Update to BIND 9.20.11 or 9.21.10 (9.20.11-S1 for the Subscription Edition).
– Temporary Workarounds (either one is sufficient):
– Set `stale-answer-client-timeout` to any value other than 0, for example `off` (the default) or a positive number of milliseconds.
– Disable stale answers by setting `stale-answer-enable` to `no` in the configuration file.
– After editing, validate the file with `named-checkconf` and apply the change with `rndc reconfig`.
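To turn the version ranges and configuration preconditions above into a repeatable check, here is an added Python triage helper written for this article; it is example code, not ISC tooling. It assumes the first line of `named -v` output is the version banner, identifies the Subscription Edition by the `-S` suffix, and does a flat keyword scan of named.conf for `ecs-zones`, `stale-answer-enable` and `stale-answer-client-timeout`. The affected ranges are copied from the advisories as listed above, and the sample banner and the two configuration fragments (the vulnerable serve-stale setting and its corrected form) are constructed. A resolver is flagged only when both its version and its configuration match, because each CVE needs a non-default setting to be reachable.

```python
import re

# Added example (not ISC code): triage helper that matches a running named's
# version banner against the affected ranges in the two ISC advisories and
# scans a named.conf for the configuration preconditions each CVE needs.
# Version ranges are inclusive (major, minor, patch) tuples; the Subscription
# Edition is identified by the "-S<n>" suffix in the version string.
AFFECTED = {
    "CVE-2025-40776": {            # ECS cache poisoning: Subscription Edition only
        "subscription": [((9, 11, 3), (9, 16, 50)),
                         ((9, 18, 11), (9, 18, 37)),
                         ((9, 20, 9), (9, 20, 10))],
        "open_source": [],
    },
    "CVE-2025-40777": {            # serve-stale assertion failure
        "subscription": [((9, 20, 9), (9, 20, 10))],
        "open_source": [((9, 20, 0), (9, 20, 10)),
                        ((9, 21, 0), (9, 21, 9))],
    },
}

VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(-S\d+)?")
# named.conf accepts C, C++ and shell-style comments; strip all three before matching.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def parse_named_version(banner):
    """Parse the first line of `named -v` into ((major, minor, patch), is_subscription)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised named version banner: {banner!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, m.group(4) is not None


def version_affected(version, subscription):
    """Return the CVEs whose affected version ranges contain this build."""
    edition = "subscription" if subscription else "open_source"
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(lo <= version <= hi for lo, hi in ranges[edition]):
            hits.append(cve)
    return hits


def config_preconditions(conf_text):
    """Return the CVEs whose triggering configuration is present in named.conf.

    This is a flat textual scan: it does not track which options or view block
    a statement sits in, so treat a hit as something to confirm by hand.
    """
    text = COMMENT_RE.sub("", conf_text)
    hits = []
    if re.search(r"\becs-zones\b", text):
        hits.append("CVE-2025-40776")
    stale_on = re.search(r"\bstale-answer-enable\s+(yes|true|1)\s*;", text)
    timeout_zero = re.search(r"\bstale-answer-client-timeout\s+0\s*;", text)
    if stale_on and timeout_zero:
        hits.append("CVE-2025-40777")
    return hits


def assess(banner, conf_text):
    """CVEs for which both the version range and the configuration precondition match."""
    version, subscription = parse_named_version(banner)
    by_version = set(version_affected(version, subscription))
    return [cve for cve in config_preconditions(conf_text) if cve in by_version]


# Constructed sample inputs (not taken from a real deployment).
SAMPLE_BANNER = "BIND 9.20.10 (Stable Release) <id:0123abc>"

VULNERABLE_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    /* serve-stale on, and answer from stale data immediately:
       the CVE-2025-40777 precondition (neither value is the default) */
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};
"""

HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    stale-answer-enable yes;
    // any value other than 0 removes the trigger; "off" is the default
    stale-answer-client-timeout off;
};
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {assess(SAMPLE_BANNER, conf) or 'no matching CVE'}")
```

In practice, feed it the output of `named -v` and of `named-checkconf -p`, which prints the fully parsed configuration with included files expanded, rather than the raw file on disk. Because the scan ignores view scoping, confirm any hit against the actual `options` or `view` block before acting on it.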

Implications for DNS Infrastructure

Both issues are reachable only through non-default configuration, which makes an inventory of resolver settings as important as version tracking. A poisoned resolver cache misdirects every client that depends on it, so users can be silently redirected to attacker-controlled hosts and sensitive information exposed; a crash of `named` removes name resolution for all of those clients until the daemon is restarted, and an attacker who can repeat the trigger can keep it down.

Conclusion

Organizations utilizing BIND 9 should promptly assess their configurations and apply the necessary updates or mitigations to protect against these vulnerabilities. Staying vigilant and proactive in updating DNS software is essential to maintaining a secure and reliable network infrastructure.