Categories: Cyber Security News

BIND DNS Vulnerability Lets Attackers Crash DNS Servers With a Single Malicious Packet

A high-severity vulnerability in the BIND DNS server software has been disclosed that lets an attacker crash a DNS server by sending a single malicious DNS message.

The Internet Systems Consortium (ISC) released BIND 9.20.9 and 9.21.8 on May 21, 2025, to address the flaw, tracked as CVE-2025-40775. The 9.18.37 maintenance release published the same day does not carry a fix for this issue, because the 9.18 branch is not affected.

The vulnerability affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. The Extended Support Version (ESV) branch, 9.18.x, is not affected.

Because one unauthenticated message is enough to trigger the crash, an attacker could take large numbers of exposed resolvers and authoritative servers offline in a short time, with knock-on effects for every service that depends on them.

Critical BIND DoS Flaw

The vulnerability stems from improper handling of Transaction Signatures (TSIG) in BIND's DNS message processing.

BIND validates the signature on every incoming DNS message that carries a TSIG record.

If the TSIG's algorithm field holds an invalid value, affected versions of named hit an assertion failure and abort, which takes the whole server process down.

This issue is classified under CWE-232 (Improper Handling of Undefined Values) and has received a CVSS base score of 7.5, indicating high severity.

Transaction Signatures (TSIG, RFC 8945) are a shared-secret mechanism for authenticating DNS message exchanges between servers, for example zone transfers and dynamic updates. When a server sends a TSIG-signed request, it expects the response to be signed with the same key.

The vulnerable code sits in that signature check, which runs early in BIND's request handling, before the message is matched against any configured policy. No configuration change avoids the code path; patching is the only defense.

As with earlier BIND flaws of this kind, both authoritative and recursive servers are affected, and standard access control lists (ACLs) provide no protection, because the signature is checked before the request is matched against ACLs.
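To make the wire-level position of this check concrete, here is an added example that is not ISC's code and not a reproduction of the crash trigger. It is a minimal parser that walks a DNS message, finds the TSIG record (type 250) in the additional section, decodes its RDATA fields as laid out in RFC 8945, and flags any algorithm name that is not in the IANA TSIG algorithm registry. The page does not say which values BIND rejects, so the unknown-name check is a conservative triage heuristic for a pcap or a front-end filter, not a signature for this CVE. The sample queries (key name, all-zero MAC, timestamp, message IDs) are constructed for the demo and are not validly signed; every name and field in `build_query` is an assumption of the example.

```python
# Added example: locate and decode the TSIG record of a DNS message, then triage its algorithm name.
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
KNOWN_TSIG_ALGORITHMS = {  # IANA "TSIG Algorithm Names" registry (RFC 8945, RFC 3645)
    "hmac-md5.sig-alg.reg.int", "gss-tsig", "hmac-sha1", "hmac-sha224", "hmac-sha256",
    "hmac-sha256-128", "hmac-sha384", "hmac-sha384-192", "hmac-sha512", "hmac-sha512-256"}


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]                                 # IndexError if the name is truncated
        if length & 0xC0 == 0xC0:                         # compression pointer (RFC 1035 4.1.4)
            if hops > 64:
                raise ValueError("compression pointer loop")
            end, hops = (off + 2 if end is None else end), hops + 1
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("reserved label length")
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_tsig_rdata(msg, off, rdlen):
    """Decode TSIG RDATA (RFC 8945 section 4.2) that starts at `off` in `msg`."""
    end = off + rdlen
    algorithm, off = read_name(msg, off)                  # algorithm name, then fixed fields
    time_hi, time_lo, fudge, mac_size = struct.unpack("!HIHH", msg[off:off + 10])
    off += 10
    mac, off = msg[off:off + mac_size], off + mac_size
    original_id, error, other_len = struct.unpack("!HHH", msg[off:off + 6])
    if off + 6 + other_len != end:
        raise ValueError("TSIG RDATA length does not match its fields")
    return {"algorithm": algorithm, "time_signed": (time_hi << 32) | time_lo, "fudge": fudge, "mac": mac,
            "original_id": original_id, "error": error, "other": msg[off + 6:off + 6 + other_len]}


def find_tsig(msg):
    """Walk every section; return the decoded TSIG record, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])     # struct.error if no full header
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                   # skip QTYPE and QCLASS
    total = an + ns + ar
    for index in range(total):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == TSIG_TYPE:
            tsig = parse_tsig_rdata(msg, off, rdlen)
            tsig["key_name"] = name
            # RFC 8945: class ANY, TTL 0, and the last record of the additional section
            tsig["well_formed_rr"] = rclass == CLASS_ANY and ttl == 0 and index == total - 1
            return tsig
        off += rdlen
    return None


def triage(msg):
    """Verdict a front-end filter or pcap triage script would log for one message."""
    try:
        tsig = find_tsig(msg)
    except (ValueError, IndexError, struct.error):
        return "malformed"
    if tsig is None:
        return "no-tsig"
    return "known" if tsig["algorithm"].lower().rstrip(".") in KNOWN_TSIG_ALGORITHMS else "unknown"


def build_query(qname, tsig=None, msg_id=0x1234):
    """Constructed sample: standard A query, optionally followed by a TSIG RR for (key_name, algorithm).
    The MAC is all zeros, i.e. not a real signature; only the framing matters for this demo."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if tsig else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    if tsig:
        key_name, algorithm = tsig
        mac = bytes(32)
        rdata = (encode_name(algorithm) + struct.pack("!HIHH", 0, 1_700_000_000, 300, len(mac))
                 + mac + struct.pack("!HHH", msg_id, 0, 0))
        msg += encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    print({alg: triage(build_query("www.example.com", ("key1", alg))) for alg in ("hmac-sha256", "bogus.example")})
```

Every field is bounds-checked and compression pointers are followed with a hop limit, so a truncated or looping message comes back as "malformed" instead of raising out of the inspector; that is the behaviour you want from anything that sits in front of named. Treat an "unknown" verdict as a reason to look at the packet, not as proof of an attack: a misconfigured client with a typo in its key algorithm produces the same result.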

Risk factor            Details
Affected products      BIND 9.20.0 through 9.20.8; BIND 9.21.0 through 9.21.7
Impact                 Denial of service (named aborts on an assertion failure)
Exploit prerequisites  Ability to send a DNS message to the server (remote, unauthenticated)
CVSS 3.1 score         7.5 (High)

Potential Impact

The flaw can be exploited remotely, without authentication and with low attack complexity, so any vulnerable server reachable from the internet is a target.

Exploitation does not expose data or give the attacker code execution, but it causes a denial of service by crashing the named process.

Similar historical vulnerabilities in BIND have demonstrated the potential widespread impact of such flaws. 

During an earlier BIND disclosure, security researcher Rob Graham warned how easy it could be to “blanket the internet with those packets and crash all publicly facing BIND9” servers.

DNS servers are fundamental components of internet infrastructure, translating domain names into numeric IP addresses, which makes their availability crucial for normal internet operations.

Mitigation

Organizations running an affected version should update immediately: 9.20.x deployments to BIND 9.20.9 and 9.21.x deployments to BIND 9.21.8.

These maintenance releases are available from the ISC software download page; updated packages and container images follow shortly after the source release.

There are no known workarounds for this vulnerability. Applying the patch is the only remediation, and it fully removes the issue. Administrators should note that only BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7 are affected; the ESV branch (9.18.x) is not.
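As a quick fleet check, here is an added example (not ISC tooling) that parses the first line of `named -v` output and reports whether the upstream version falls inside the advisory's affected ranges, returning the release to upgrade to. The sample banners are constructed in the shape named prints, and the build ids in them are made up. Caveat: distribution packages may backport the fix while still reporting the older upstream version, so for those consult the distribution's own advisory rather than this check alone.

```python
# Added example: classify `named -v` banners against the CVE-2025-40775 affected ranges.
import re

# Inclusive affected ranges and the first fixed release per branch, as published by ISC.
# 9.18.x is not affected, so it is deliberately absent.
AFFECTED_RANGES = (
    ((9, 20, 0), (9, 20, 8), "9.20.9"),
    ((9, 21, 0), (9, 21, 7), "9.21.8"),
)
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)")


def parse_named_version(banner):
    """Extract (major, minor, patch) from a `named -v` banner.
    Distribution builds append suffixes such as '-1~deb12u2-Debian'; those are ignored here."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("no BIND version in banner: %r" % banner)
    return tuple(int(part) for part in match.groups())


def assess(banner):
    """Say whether the upstream version in `banner` is in an affected range and what to upgrade to."""
    version = parse_named_version(banner)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return {"version": version, "affected": True, "upgrade_to": fixed}
    return {"version": version, "affected": False, "upgrade_to": None}


# Constructed sample banners in the shape `named -v` prints; the build ids are invented.
SAMPLE_BANNERS = [
    "BIND 9.20.5 (Stable Release) <id:1a2b3c4>",
    "BIND 9.21.7 (Development Release) <id:5d6e7f8>",
    "BIND 9.20.9 (Stable Release) <id:9a0b1c2>",
    "BIND 9.18.33 (Extended Support Version) <id:3d4e5f6>",
    "BIND 9.18.28-1~deb12u2-Debian (Extended Support Version) <id:7a8b9c0>",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```

Feed it the `named -v` output collected from each host (for example over ssh) and act on every record whose `affected` field is True; the `upgrade_to` value is the first release in that branch that contains the fix.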

The ISC recommends regularly checking for updates and patches to ensure the DNS infrastructure remains secure and efficient. 

Organizations should also keep an eye on platform deprecation timelines: support for RHEL 7 ended in June 2024, and current BIND releases are no longer built for or supported on it.

The post BIND DNS Vulnerability Let Attackers Crash DNS Servers With Malicious Packet appeared first on Cyber Security News.
