“In certain circumstances, due to a weakness in the pseudo-random number generator (PRNG) used, an attacker can predict the source port and request ID that BIND will use,” the BIND developers wrote in a post on Wednesday. “BIND can be tricked into caching an attacker's responses if the spoofing is successful.”
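The first weakness is about predictability, not just spread: a resolver can use thousands of distinct ports and IDs and still be predictable if successive values follow a fixed step. The following added example (not code from the BIND project or from this article) audits a sample of outbound (source port, query ID) pairs for exactly that; the samples are constructed, and the thresholds are assumptions for illustration.

```python
"""Audit how unpredictable a resolver's outbound source ports and query IDs are.
Input: (source_port, txid) pairs for successive upstream queries, e.g. parsed
from a packet capture on the resolver host. Two checks: spread (many distinct
values?) and structure (one dominant step between values, as a counter or a
weak PRNG produces?)."""
import math
import random
from collections import Counter


def empirical_entropy_bits(values):
    """Shannon entropy of the observed distribution, in bits. Bounded above by
    log2(len(values)), so compare to that rather than to the 16-bit field width."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def dominant_step_fraction(values, modulus=1 << 16):
    """Share of consecutive transitions that use the single most common delta
    (mod 2^16). A counter yields 1.0; a good PRNG yields roughly 1/len(values)."""
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas) if deltas else 0.0


def assess(observations, min_spread=0.9, max_step_fraction=0.2):
    """Per-field metrics plus a verdict for a list of (port, txid) pairs.
    Thresholds are assumptions chosen for illustration, not BIND's own tests."""
    if len(observations) < 2:
        raise ValueError("need at least two observations")
    max_bits = math.log2(len(observations))
    report = {}
    for name, vals in (("port", [p for p, _ in observations]),
                       ("txid", [t for _, t in observations])):
        spread = empirical_entropy_bits(vals) / max_bits
        step = dominant_step_fraction(vals)
        report[name] = {"spread": spread, "step_fraction": step,
                        "predictable": spread < min_spread or step > max_step_fraction}
    report["predictable"] = report["port"]["predictable"] or report["txid"]["predictable"]
    return report


# Constructed samples, not real captures.
_rng = random.Random(7)
GOOD_SAMPLE = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(400)]
# Counter-like behaviour: ports step by 1, query IDs by a fixed stride.
BAD_SAMPLE = [(40000 + i, (0x1234 + 7919 * i) & 0xFFFF) for i in range(400)]

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, assess(sample))
```

Note that the counter-like sample passes the spread check (every value is distinct) and is caught only by the step check, which is why both are needed.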
CVE-2025-40778 also increases the likelihood of renewed cache poisoning attacks.
“Under certain circumstances, BIND is too lenient in accepting entries from responses, allowing an attacker to inject fake data into the cache,” the developers explained. “Fake entries may be introduced into the cache during a request, potentially affecting the resolution of future requests.”
Even in such cases, the consequences will be much more limited than the scenario envisaged by Kaminsky. One reason for this is that authoritative servers themselves are not vulnerable. Further, as Red Hat noted in its advisories, various other cache poisoning countermeasures remain unchanged. These include DNSSEC, a security extension that requires DNS records to be digitally signed. Additional measures include rate limiting and server firewalling, which are considered best practices.
“Because the exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without compromising the server, the vulnerability is considered important rather than critical,” Red Hat wrote in its disclosure of CVE-2025-40780.
However, the vulnerabilities could still cause harm to some organizations. Patches for all three should be installed as soon as possible.