Cache poisoning vulnerabilities found in 2 DNS resolving apps - Ars Technica
(arstechnica.com)
from otters_raft@lemmy.ca to cybersecurity@infosec.pub on 23 Oct 20:00
https://lemmy.ca/post/53887088
The makers of BIND, the Internet’s most widely used software for resolving domain names, are warning of two vulnerabilities that allow attackers to poison entire caches of results and send users to malicious destinations that are indistinguishable from the real ones.
The vulnerabilities, tracked as CVE-2025-40778 and CVE-2025-40780, stem from a logic error and a weakness in generating pseudo-random numbers, respectively. They each carry a severity rating of 8.6. Separately, makers of the Domain Name System resolver software Unbound warned of similar vulnerabilities that were reported by the same researchers. The Unbound vulnerability severity score is 5.6.