
BIND Updates Address High-Severity Cache Poisoning Flaws

Posted on October 23, 2025 By CWS

Internet Systems Consortium (ISC) on Wednesday announced BIND 9 updates that resolve high-severity vulnerabilities, including cache poisoning flaws.

The first issue is a weakness in the Pseudo Random Number Generator (PRNG) used by the popular DNS server software that, in certain circumstances, could allow an attacker to predict the source port and query ID that will be used.

Attackers could abuse the security defect, tracked as CVE-2025-40780 (CVSS score of 8.6), in spoofing attacks that, if successful, could result in BIND caching attacker responses, ISC explains.

The second bug, tracked as CVE-2025-40778 (CVSS score of 8.6), exists because, “under certain circumstances, BIND is too lenient when accepting records from answers.”

This allows attackers to inject forged data into the cache, potentially impacting the resolution of future queries.

The third vulnerability, CVE-2025-8677 (CVSS score of 7.5), is described as a denial-of-service (DoS) issue that can be triggered when “querying for records within a specially crafted zone containing certain malformed DNSKEY records”.

An attacker could exploit the bug to overwhelm the server, impacting performance and service availability by exhausting CPU resources.

According to ISC, all three flaws affect resolvers but are believed to have no impact on authoritative servers. No workaround is available for any of them, but none appears to have been exploited in the wild.

The security defects have been addressed with the release of BIND versions 9.18.41, 9.20.15, and 9.21.14, and BIND Supported Preview Edition versions 9.18.41-S1 and 9.20.15-S1.

ISC recommends updating to a patched version of BIND as soon as possible. Organizations relying on discontinued iterations of the DNS server should transition to a supported version.
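
As an added example (not from ISC or the original article), this Python sketch checks resolver version strings against the fixed releases listed above. It assumes each string is a version banner such as the output of `named -v`; the host names and banners are constructed, and a distribution package that backports fixes without changing the upstream version number will still be reported as needing an update.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_PATCH = {(9, 18): 41, (9, 20): 15, (9, 21): 14}

# Matches "9.18.41" or "9.18.41-S1" anywhere in a version banner.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_bind_version(banner):
    """Return (major, minor, patch, preview_tag) or None if no version found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify(banner):
    """Classify one banner against the fixed releases listed in the article."""
    parsed = parse_bind_version(banner)
    if parsed is None:
        return "unparsed"
    major, minor, patch, _preview = parsed
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branch not named in the article (for example a discontinued one):
        # needs a manual check against ISC's supported-version list.
        return "unlisted-branch"
    return "patched" if patch >= fixed else "update-needed"


def hosts_needing_action(inventory):
    """Return {host: status} for every resolver that is not 'patched'."""
    statuses = {host: classify(banner) for host, banner in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "patched"}


# Constructed sample inventory (host names and banners are illustrative).
SAMPLE_INVENTORY = {
    "resolver-a.example": "BIND 9.18.41-S1 (Supported Preview Edition)",
    "resolver-b.example": "BIND 9.20.14 (Stable Release)",
    "resolver-c.example": "BIND 9.16.50 (Extended Support Version)",
    "resolver-d.example": "BIND 9.21.14 (Development Release)",
    "resolver-e.example": "version unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(hosts_needing_action(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```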
