Critical DNS Cache Poisoning Flaws Found in 2 Apps

Summary
– BIND software has two vulnerabilities (CVE-2025-40778 and CVE-2025-40780) that allow attackers to poison DNS caches and redirect users to malicious sites.
– The vulnerabilities stem from a logic error and weak pseudo-random number generation, each with a severity rating of 8.6, while Unbound has similar issues rated 5.6.
– Exploiting these flaws enables attackers to replace legitimate domain IP addresses with malicious ones in DNS resolvers across many organizations.
– This attack method resembles the 2008 DNS cache poisoning threat by Dan Kaminsky, which was previously mitigated through industry-wide coordination.
– DNS's exposure to cache poisoning arises from its use of UDP packets, which carry no authentication and are easily spoofed, so a forged packet can appear to come from a legitimate server.
The developers behind BIND, the world’s most popular domain name resolution software, have issued an urgent warning regarding two critical vulnerabilities that enable attackers to poison DNS caches and redirect users to fraudulent websites that appear completely legitimate. These security flaws, identified as CVE-2025-40778 and CVE-2025-40780, stem from a logic error and a weakness in pseudo-random number generation, respectively. Each has received a severity rating of 8.6. In a related development, the creators of the Unbound DNS resolver software have also alerted users to similar vulnerabilities discovered by the same research team, with Unbound’s flaw rated at 5.6 in severity.
These vulnerabilities allow malicious actors to compromise DNS resolvers within numerous organizations, replacing legitimate domain lookup results with corrupted entries. The manipulated results would substitute the authentic IP addresses managed by domain operators, such as the address for arstechnica.com, with addresses controlled by attackers. Security patches addressing all three vulnerabilities were released this past Wednesday.
This situation brings to mind the landmark DNS cache poisoning attack uncovered by researcher Dan Kaminsky back in 2008, which represented one of the most serious Internet security threats ever documented. The Kaminsky attack enabled mass redirection of users to counterfeit versions of major websites including Google and Bank of America. Through unprecedented industry cooperation, DNS providers worldwide collaborated with browser developers and other application makers to implement a comprehensive solution that prevented what could have been a catastrophic scenario.
The fundamental vulnerability emerged from DNS’s reliance on UDP packets for communication. Since UDP transmissions operate in one direction only, DNS resolvers couldn’t implement password protection or credential verification when communicating with authoritative servers, those officially designated to provide IP address lookups for specific top-level domains like .com. Additionally, UDP traffic remains notoriously easy to spoof, allowing attackers to easily fabricate packets that appear to originate from legitimate sources.
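Because UDP carries no authentication, the only thing standing between a resolver and a forged answer is how unpredictable its query transaction ID and source port are, which is why a weak pseudo-random generator matters. The following is an added example, not code from the article, BIND or Unbound, that scores a constructed sample of outbound query (port, ID) pairs the way a defender might sanity-check a resolver's randomization after patching; the sample values, the counter-style weakness modelled, and the thresholds are assumptions, not the specifics of the CVEs above.

```python
import random
from collections import Counter

N = 64
# Constructed sample 1: a resolver whose "randomness" is really a counter,
# the kind of weak pseudo-random generation the article warns about.
WEAK_SAMPLE = [(53000 + i, (0x1234 + 7 * i) & 0xFFFF) for i in range(N)]

# Constructed sample 2: a resolver drawing ports and IDs from a proper PRNG
# (seeded here only so the example is reproducible).
_rng = random.Random(2025)
GOOD_SAMPLE = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(N)]


def predictable_fraction(values, modulus=65536):
    """Share of consecutive steps that follow the single most common delta
    (mod modulus). A pure counter scores 1.0; independent draws score near 0."""
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    if not deltas:
        return 0.0
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas)


def assess(samples, max_predictable=0.25, min_distinct_ratio=0.9):
    """Score a list of (source_port, txid) pairs observed on outbound queries.
    Thresholds are assumed values for this example, not a published standard."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    report = {
        "port_distinct": len(set(ports)) / len(ports),
        "txid_distinct": len(set(txids)) / len(txids),
        "port_predictable": predictable_fraction(ports),
        "txid_predictable": predictable_fraction(txids),
    }
    weak = (report["port_predictable"] > max_predictable
            or report["txid_predictable"] > max_predictable
            or report["port_distinct"] < min_distinct_ratio
            or report["txid_distinct"] < min_distinct_ratio)
    report["verdict"] = "weak" if weak else "ok"
    return report


if __name__ == "__main__":
    for name, sample in (("counter-based", WEAK_SAMPLE), ("PRNG-based", GOOD_SAMPLE)):
        print(name, assess(sample))
```

In practice the (port, ID) pairs would come from a packet capture of the resolver's upstream queries; a "weak" verdict means spoofed answers need far fewer guesses to match a pending query.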
(Source: Ars Technica)