wdjwxh

BIND 9 Cache Poisoning via Unsolicited Answer Records (CVE-2025-40778)

Overview

A vulnerable BIND 9 resolver (version 9.18.39) accepts and caches resource records that were not requested in the original DNS query. An off-path attacker who can race or spoof responses may inject forged address data into the resolver cache. Once poisoned, subsequent clients are redirected to attacker-controlled infrastructure without triggering fresh lookups. The issue is tracked as CVE-2025-40778 and carries a published CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

Affected Software

Product: BIND 9 recursive resolver
Version tested: 9.18.39 (affected)
Known affected ranges:
9.11.0 – 9.16.50

	----------------
	-- 报文结构定义
	----------------
	CMPPv2_Field_Protos = {
	Command_Name = {
	[0x00000001] = "CMPP_CONNECT",
	[0x80000001] = "CMPP_CONNECT_RESP",
	[0x00000002] = "CMPP_TERMINATE",
	[0x80000002] = "CMPP_TERMINATE_RESP",
	[0x00000004] = "CMPP_SUBMIT",

	databases:
	- logs: 7
	- vms: 9
	- statistics: 20

	connect_line: '127.0.0.1'
	log_file: 'cl_clean_partitions.log'

	milovidov@milovidov-xenial:~$ clickhouse-client
	ClickHouse client version 1.1.53996.
	Connecting to localhost:9000.
	Connected to ClickHouse server version 1.1.53996.

	:) CREATE TABLE IF NOT EXISTS `employee` (
	:-] `empid` Int32,
	:-] `deptid` Int32,
	:-] `salary` Int64
	:-] ) ENGINE = Memory;

	:) SELECT toDateTime(intDiv(toUInt32(EventTime), 5) * 5) AS k, count(), uniq(UserID) FROM hits_layer WHERE CounterID = 29761725 AND EventDate = today() AND EventTime >= now() - 600 GROUP BY k ORDER BY k

	SELECT
	toDateTime(intDiv(toUInt32(EventTime), 5) * 5) AS k,
	count(),
	uniq(UserID)
	FROM hits_layer
	WHERE (CounterID = 29761725) AND (EventDate = today()) AND (EventTime >= (now() - 600))
	GROUP BY k
	ORDER BY k ASC