The developers of BIND, the widely utilized software for resolving domain names on the Internet, have issued a warning about two significant vulnerabilities. These vulnerabilities enable attackers to poison entire caches of DNS results, leading unsuspecting users to malicious sites that closely mimic legitimate ones. The vulnerabilities, identified as CVE-2025-40778 and CVE-2025-40780, are attributed to a logic error and a flaw in generating pseudo-random numbers, respectively. Both vulnerabilities have been assigned a severity rating of 8.6, indicating their critical nature.
In addition to BIND, the developers of the Domain Name System resolver software Unbound have also reported similar vulnerabilities discovered by the same researchers. The severity score for the Unbound vulnerability is rated at 5.6, suggesting it is less severe but still poses a risk to users.
The vulnerabilities in question can be exploited to manipulate DNS resolvers within thousands of organizations. This manipulation allows attackers to replace legitimate DNS lookup results with corrupted entries, redirecting users to attacker-controlled IP addresses instead of the address published by the domain's operator (3.15.119.63 for arstechnica.com, for example). Both vulnerabilities could revive the notorious DNS cache poisoning attacks first brought to light by researcher Dan Kaminsky in 2008.
Kaminsky's cache poisoning attack revealed one of the most severe Internet-wide security threats, allowing attackers to direct users to counterfeit sites impersonating those of major entities like Google and Bank of America. This led to an industry-wide response, with thousands of DNS providers collaborating with browser and application developers to implement a robust fix that mitigated the threat of cache poisoning.
The original vulnerability was rooted in the use of UDP for DNS queries. Because UDP is connectionless, with no handshake, a query and its answer are each a single datagram, and DNS resolvers had no mechanism to authenticate communications with the authoritative servers responsible for IP lookups of specific top-level domains like .com. Furthermore, spoofing UDP traffic is relatively simple, making it easy for malicious actors to send packets that appear to originate from legitimate sources.
To combat this risk, DNS resolvers began attaching a 16-bit transaction ID to each request and accepting only responses that carried the matching ID. However, Kaminsky discovered that with only 65,536 possible transaction IDs, an attacker could flood a DNS resolver with forged lookup results, each carrying a different guessed transaction ID, while triggering lookups for slight variations of the domain name so that every failed guess was followed by a fresh chance. This allowed attackers to potentially redirect users to malicious IP addresses.
The newly discovered vulnerabilities, particularly CVE-2025-40780, weaken the safeguards against these types of attacks. BIND developers noted that due to a flaw in the Pseudo Random Number Generator (PRNG), an attacker could predict the source port and query ID used by BIND, so that a successfully spoofed response would be accepted into the cache.
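To put numbers on the transaction-ID and source-port safeguards described above, and on what a predictable PRNG costs, here is an added Python example; it is not code from the advisory or from the BIND or Unbound projects, and the sample port sequences in it are constructed.

```python
import math
import random
from collections import Counter

# Constructed example: the guessing odds a forged reply faces with a 16-bit
# transaction ID alone (Kaminsky-era), with an added randomized 16-bit source
# port, and why a predictable PRNG collapses the second case back to the first.

def guess_probability(keyspace_bits: int, forged_replies: int) -> float:
    """Chance that at least one of `forged_replies` distinct guesses matches a
    value drawn uniformly from a 2**keyspace_bits space within one race window."""
    return min(1.0, forged_replies / 2 ** keyspace_bits)

def replies_needed(keyspace_bits: int, target_probability: float) -> int:
    """Distinct forged replies that must beat the real answer to reach the
    given probability of one being accepted."""
    return math.ceil(target_probability * 2 ** keyspace_bits)

def effective_bits(observed: list[int]) -> float:
    """Defender-side sanity check on a resolver's outgoing query IDs or source
    ports: Shannon entropy (bits) of successive differences. A predictable
    sequence (constant or slowly varying step) scores near 0; a sound generator
    scores close to log2(len(observed) - 1), the cap imposed by sample size."""
    deltas = [(b - a) % 65536 for a, b in zip(observed, observed[1:])]
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in Counter(deltas).values())

def looks_predictable(observed: list[int], min_bits: float = 4.0) -> bool:
    """True when the observed sequence carries too little randomness to trust."""
    return effective_bits(observed) < min_bits

def constructed_samples() -> tuple[list[int], list[int]]:
    """Two constructed 512-query port sequences: one from a seeded CSPRNG-like
    source, one that steps by 3 (the shape a broken PRNG can produce)."""
    rng = random.Random(7)
    good = [rng.randrange(1024, 65536) for _ in range(512)]
    bad = [(1024 + 3 * i) % 65536 for i in range(512)]
    return good, bad

if __name__ == "__main__":
    print(replies_needed(16, 0.5))   # TXID only: 32768 guesses for a coin flip
    print(replies_needed(32, 0.5))   # TXID + random port: 2147483648
    print(replies_needed(16, 0.5))   # port predicted via PRNG flaw: back to 32768
    good, bad = constructed_samples()
    print(looks_predictable(good), looks_predictable(bad))   # False True
```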
Similarly, CVE-2025-40778 raises the possibility of cache poisoning, allowing forged data to be injected into the resolver's cache under certain conditions. While the potential fallout from these vulnerabilities is significant, it is essential to note that the impact would be less severe than the scenarios envisioned by Kaminsky. This is largely because authoritative servers remain secure against these vulnerabilities.
Fortunately, several countermeasures remain intact to protect against cache poisoning attacks. These include DNSSEC, which requires DNS records to be digitally signed, alongside other protective measures like rate limiting and firewalling. According to Red Hat, exploitation of these vulnerabilities requires sophisticated network-level spoofing and precise timing, which is why they are classified as "Important" rather than "Critical."
Despite the challenges posed by these vulnerabilities, they still have the potential to affect certain organizations adversely. Therefore, it is crucial for users and organizations to implement patches for all three vulnerabilities as soon as possible to ensure the integrity of their DNS resolutions.