cve-2025-40776
Vulnerability from cvelistv5
Published
2025-07-16 13:41
Modified
2025-07-22 14:55
Severity ?
EPSS score ?
Summary
Birthday Attack against Resolvers supporting ECS
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T14:54:56.292632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T14:55:04.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BIND 9",
"vendor": "ISC",
"versions": [
{
"lessThanOrEqual": "9.16.50-S1",
"status": "affected",
"version": "9.11.3-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.18.37-S1",
"status": "affected",
"version": "9.18.11-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.20.10-S1",
"status": "affected",
"version": "9.20.9-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.20.10",
"status": "unaffected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ISC would like to thank Xiang Li from AOSP Lab of Nankai University for bringing this vulnerability to our attention."
}
],
"datePublic": "2025-07-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1."
}
],
"exploits": [
{
"lang": "en",
"value": "We are not aware of any active exploits."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver with ECS enabled is more vulnerable to successful cache poisoning via spoofed query responses than one that does not implement this feature."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:41:01.337Z",
"orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"shortName": "isc"
},
"references": [
{
"name": "CVE-2025-40776",
"tags": [
"vendor-advisory"
],
"url": "https://kb.isc.org/docs/cve-2025-40776"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.38-S1 or 9.20.11-S1."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Birthday Attack against Resolvers supporting ECS",
"workarounds": [
{
"lang": "en",
"value": "Disable ECS in BIND by removing the `ecs-zones` option from `named.conf`."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"assignerShortName": "isc",
"cveId": "CVE-2025-40776",
"datePublished": "2025-07-16T13:41:01.337Z",
"dateReserved": "2025-04-16T08:44:49.856Z",
"dateUpdated": "2025-07-22T14:55:04.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-40776\",\"sourceIdentifier\":\"security-officer@isc.org\",\"published\":\"2025-07-16T14:15:25.053\",\"lastModified\":\"2025-07-16T14:58:59.837\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-officer@isc.org\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-officer@isc.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-349\"}]}],\"references\":[{\"url\":\"https://kb.isc.org/docs/cve-2025-40776\",\"source\":\"security-officer@isc.org\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.