Description
Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
A vulnerability exists in BIND’s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.
Report
It is classified as Important rather than Critical because its impact is limited to cache poisoning within recursive resolvers and does not allow direct code execution, privilege escalation, or service disruption. The vulnerability affects the accuracy of DNS responses, but not the availability or confidentiality of systems. Additionally, DNSSEC-enabled deployments and restricted recursive access can significantly mitigate exploitation risks. Therefore, while the flaw can misdirect network traffic and compromise trust in name resolution, it does not directly compromise the underlying server or client systems, justifying an Important, but not Critical, severity rating.
Technical Analysis: The issue arises because BIND fails to strictly validate unsolicited resource records accompanying legitimate DNS responses. This gap allows forged records to be cached by recursive resolvers as valid entries. Since the attack is remote, requires no authentication, and exploits a low-complexity vector, it is highly impactful in recursive resolver environments, especially those exposed to untrusted clients or open resolvers.
Mitigation
While it is not possible to eliminate risk from this vulnerability, there are several options for reducing the risk. These include restricting recursive queries to trusted or internal networks only, and applying rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.
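An added example, not part of the original advisory: a simplified Python audit of `named.conf` text for two of the mitigations above (restricted recursion and DNSSEC validation). The sample configurations are constructed, and the regex parsing assumes a flat `options` block without nested address-match lists.

```python
import re

# Constructed sample: a resolver open to everyone with validation switched off.
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };   // open resolver
    dnssec-validation no;
};
"""

# Constructed sample: recursion limited to internal ranges, validation on.
HARDENED_CONF = """
acl internal { 10.0.0.0/8; 192.168.0.0/16; };
options {
    recursion yes;
    allow-recursion { internal; localhost; };
    allow-query-cache { internal; localhost; };
    dnssec-validation auto;
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a setting."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def audit(conf_text):
    """Return findings for open recursion and disabled DNSSEC validation."""
    conf = strip_comments(conf_text)
    findings = []
    recursion = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", conf)
    if recursion and recursion.group(1) == "no":
        return findings  # not a recursive resolver, so no resolver cache to poison
    for stmt in ("allow-recursion", "allow-query-cache"):
        m = re.search(rf"\b{stmt}\s*\{{([^}}]*)\}}", conf)
        # "any" or a catch-all prefix in the match list means every client is served
        if m and re.search(r"(?<![\w!])(any|0\.0\.0\.0/0|::/0)\s*;", m.group(1)):
            findings.append(f"{stmt} admits any client")
    m = re.search(r"\bdnssec-validation\s+(\w+)\s*;", conf)
    if m and m.group(1) == "no":
        findings.append("dnssec-validation is disabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The audit does not cover the other mitigations listed (rate limiting, firewalling, resolver isolation, monitoring), and a clean result does not replace installing the fixed packages.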
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 9 | dhcp | Not affected | | |
| Red Hat Enterprise Linux 10 | bind | Fixed | RHSA-2025:19912 | 06.11.2025 |
| Red Hat Enterprise Linux 10 | bind | Fixed | RHSA-2025:21034 | 11.11.2025 |
| Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | bind | Fixed | RHSA-2025:23414 | 17.12.2025 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | bind | Fixed | RHSA-2025:22205 | 26.11.2025 |
| Red Hat Enterprise Linux 8 | bind9.16 | Fixed | RHSA-2025:19793 | 05.11.2025 |
| Red Hat Enterprise Linux 8 | bind | Fixed | RHSA-2025:19835 | 06.11.2025 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | bind | Fixed | RHSA-2025:21741 | 19.11.2025 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | bind | Fixed | RHSA-2025:21740 | 19.11.2025 |
Additional information
Status:
EPSS
CVSS3: 8.6 High