
Digital Event Horizon

DNS Cache Poisoning Vulnerabilities: A Threat to Internet Stability


Researchers have discovered two new DNS cache poisoning vulnerabilities that could allow attackers to poison entire caches of results and send users to malicious destinations.

  • Vulnerabilities CVE-2025-40778 and CVE-2025-40780 have been discovered in BIND, a widely used DNS resolver software.
  • The first vulnerability (CVE-2025-40778) allows attackers to predict the source port and query ID, potentially affecting resolution of future queries.
  • The second vulnerability (CVE-2025-40780) allows attackers to inject forged records into the cache, which can affect resolution of future queries.
  • The severity is rated "Important" rather than "Critical" because exploitation is non-trivial: it requires network-level spoofing and precise timing.
  • Organizations using BIND should install patches as soon as possible to protect themselves against these threats.



    In a recent disclosure, the makers of BIND, the Internet's most widely used software for resolving domain names, have warned of two vulnerabilities that allow attackers to poison entire caches of results and send users to malicious destinations that are indistinguishable from the real ones. These vulnerabilities, tracked as CVE-2025-40778 and CVE-2025-40780, stem from a logic error and a weakness in generating pseudo-random numbers, respectively.

    The first vulnerability, CVE-2025-40778, allows an attacker to predict the source port and query ID that BIND will use. This can be exploited to trick BIND into caching attacker responses, which can potentially affect resolution of future queries. Furthermore, under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.

    The second vulnerability, CVE-2025-40780, raises the possibility of reviving cache poisoning attacks. This vulnerability allows an attacker to inject forged records into the cache during a query, which can potentially affect resolution of future queries.

    However, it is worth noting that these vulnerabilities do not affect authoritative servers themselves and that various other cache poisoning countermeasures remain intact, such as DNSSEC, rate limiting, and server firewalling. Additionally, the severity of these vulnerabilities is rated "Important" rather than "Critical," because exploitation is non-trivial and requires network-level spoofing and precise timing.

    Despite these mitigations, the potential harm caused by these vulnerabilities cannot be overstated. Organizations that use BIND or other DNS resolver software should install patches as soon as possible to protect themselves against these threats.

    The discovery of these vulnerabilities serves as a reminder of the importance of staying vigilant in the face of emerging security threats. The Internet's infrastructure is only as strong as its weakest link, and it is up to all of us to ensure that our systems are protected from these kinds of attacks.

    In 2008, researcher Dan Kaminsky revealed one of the most severe Internet-wide security threats ever, known as DNS cache poisoning. This vulnerability allowed attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industry-wide coordination, thousands of DNS providers around the world implemented a fix that averted this doomsday scenario.

    In recent years, similar vulnerabilities have been discovered in Unbound, another popular DNS resolver software. These vulnerabilities also carry a severity rating of 5.6 and are related to cache poisoning attacks.

    The DNS ecosystem ultimately fixed the problem by exponentially increasing the amount of entropy required for a response to be accepted. Whereas before, lookups and responses traveled only over port 53, the new system randomly selected any one of thousands of potential ports. For a DNS resolver to accept a response, it had to arrive on that same port number. Combined with a transaction ID, the entropy was measured in the billions, making it mathematically infeasible for attackers to land on the correct combination.
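    The following is an added illustration, not BIND's code, of the two acceptance checks the article describes: the entropy check (matching transaction ID and randomized source port, as in the paragraph above) and the strictness with which records from an answer are admitted to the cache (the leniency behind CVE-2025-40778 discussed earlier). The bailiwick rule used here, keeping only records whose name falls inside the zone that was queried, is the standard resolver countermeasure and is assumed for the model; the `Query`/`Record` types and function names are invented for this example. The last function quantifies why predictable ports matter: it computes the chance that a fixed number of blind guesses hits the value a resolver is waiting for, for a 16-bit space (transaction ID only) versus a 32-bit space (transaction ID plus port).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str      # name the resolver asked about
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # randomized UDP source port of the outstanding query
    zone: str       # zone whose nameserver was asked (the "bailiwick")


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is the zone itself or a subdomain of it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def accept_records(query: Query, resp_txid: int, resp_dst_port: int,
                   records: list[Record]) -> list[Record]:
    """Return the records a strict resolver would cache from one response.

    1. Entropy check: the response must carry the exact transaction ID and
       be addressed to the exact source port of the outstanding query;
       otherwise nothing from it is cached.
    2. Bailiwick check (assumed countermeasure): records for names outside
       the queried zone are dropped instead of cached, so a response for
       one zone cannot overwrite cached data for an unrelated one.
    """
    if resp_txid != query.txid or resp_dst_port != query.src_port:
        return []
    return [r for r in records if in_bailiwick(r.name, query.zone)]


def spoof_success_probability(space_bits: int, attempts: int) -> float:
    """Probability that `attempts` independent blind guesses hit one specific
    value in a space of 2**space_bits (1 - (1 - 1/N)**attempts)."""
    return 1.0 - (1.0 - 2.0 ** -space_bits) ** attempts


if __name__ == "__main__":
    # Constructed sample: a query for www.example.test sent to example.test's server.
    q = Query("www.example.test", txid=0x1A2B, src_port=54231, zone="example.test")
    answer = [Record("www.example.test", "A", "192.0.2.10"),
              Record("ns.example.test", "A", "192.0.2.53"),
              Record("bank.other.test", "A", "198.51.100.7")]  # out of bailiwick
    print([r.name for r in accept_records(q, 0x1A2B, 54231, answer)])
    print(spoof_success_probability(16, 65536), spoof_success_probability(32, 65536))
```

With 65536 guesses the 16-bit model is hit about 63% of the time, while the 32-bit model is hit roughly 0.0015% of the time; a predictable port collapses the second figure back to the first.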

    However, at least one of the BIND vulnerabilities, CVE-2025-40780, effectively weakens those defenses.

    In conclusion, these recent vulnerabilities highlight the ongoing threat of cache poisoning attacks and the need for vigilance in the face of emerging security threats. Organizations must take immediate action to patch their systems and protect themselves against these kinds of attacks.


    Related Information:
  • https://www.digitaleventhorizon.com/articles/DNS-Cache-Poisoning-Vulnerabilities-A-Threat-to-Internet-Stability-deh.shtml

  • https://arstechnica.com/security/2025/10/bind-warns-of-bugs-that-could-bring-dns-cache-attack-back-from-the-dead/


  • Published: Wed Oct 22 19:31:24 2025 by llama3.2 3B Q4_K_M