—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple vulnerabilities in ISC Bind 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Systems Affected

BIND Supported Preview Edition versions:

9.11.3-S1 – 9.16.50-S1

9.18.11-S1 – 9.18.37-S1

9.20.9-S1 – 9.20.10-S1

BIND versions:

9.20.0 – 9.20.10

9.21.0 – 9.21.9

Overview

Multiple vulnerabilities have been reported in ISC BIND, which could allow an attacker to conduct DNS cache poisoning or cause denial of service (DoS) conditions on the targeted system.

Target Audience:

All individuals and organizations using affected ISC BIND versions.

Risk Assessment:

High risk of service disruption or redirection of DNS queries due to cache poisoning.

Impact Assessment:

Potential for DNS response manipulation, loss of DNS service availability, or process termination due to assertion failure.

Description

ISC BIND is an open-source DNS server software package that provides both authoritative and recursive DNS services, making it a core component of internet infrastructure.

These vulnerabilities exist in ISC BIND due to a flaw in the named caching resolver when ECS (EDNS Client Subnet) options are used and due to a possible assertion failure in named when the option stale-answer-client-timeout 0; is used.

Successful exploitation of these vulnerabilities could allow an attacker to manipulate DNS responses (cache poisoning) or cause the server process to crash (denial of service) on the targeted system.

Workaround

For CVE-2025-40776: Disable ECS in BIND by removing the ecs-zones option from named.conf.

For CVE-2025-40777: Avoid using stale-answer-client-timeout 0;. Instead, use either:

– stale-answer-client-timeout off;

– stale-answer-enable no;

Solution

Apply the necessary patches and updates as provided by ISC:

https://kb.isc.org/docs/cve-2025-40776

https://kb.isc.org/docs/cve-2025-40777

Vendor Information

ISC BIND

https://kb.isc.org/docs/cve-2025-40776

https://kb.isc.org/docs/cve-2025-40777

References

ISC BIND

https://kb.isc.org/docs/cve-2025-40776

https://kb.isc.org/docs/cve-2025-40777

CVE Name

CVE-2025-40776

CVE-2025-40777

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmiDknIACgkQ3jCgcSdc

ys9LOg/9GqsKYU+AkkG5a0dvddiixLpdn39gZOzsymzncqp8eVk2AHUJT+7loZsU

QUe8qksUyf5dZdgiqCrnaItkxID+7nc6CYHyW13u2mlncF3vDu45CRs5Gmu5A4n9

4BOkwstxhkDsn5HkO11tCgGi0IyOuEb684wtycEB0WoG39NUj3wyXMSdP82THAVv

zHvuWpJ2YdSW999j564R/ZEIP1+8J7tw/xqb54UzpCTgV2YUvsg2m1bAE5YLo/uD

uJShsnSPm95LnyEDeInUpjCZUrUBknRa87RPheq11H36LLYHNMKsJ861pIFdelcw

TFIysntkIJ+BZcGYtozZuG5IelWodswV/Tvidy+gJrI4PMCv7qTL8fbb3/aw4cXz

0EoVR5eHNZoom1XbzaRlOpP0dJX7hKO5NRQFeGV+P1yiDRDbiMlSPSNVtFD38LyJ

VG9ChCpdFpCRB0RUSTiyX+ke6A5vj6CRgZMbf85/5aJc8ZoFcGekrDOS7joS0OWA

NcNNa2Z83G2WjIn2IcLh7oac9yFVaa4s2DvD6DDNSiotBuGvNWG+r4vfoVXRVhlK

MXOUrkIeEdizXPD6njDZd+kKDgfKEmhNZO4nnGNA4Umb3V3ZI8UYahGt5HtIEGEn

Yz1e/n0O+YjSZ4tVB8R6Sreg6n9KtRtB0u2ctvZInIkjIXjINmI=

=qX4P

—–END PGP SIGNATURE—–