CVE-2025-40777
📋 TL;DR
A denial-of-service vulnerability in BIND 9 DNS servers causes the named daemon to crash when specific configuration settings are enabled and certain CNAME chain conditions occur during query resolution. This affects BIND 9 caching resolvers configured with serve-stale-enable set to yes and stale-answer-client-timeout set to 0. DNS service disruption is the primary impact.
💻 Affected Systems
- BIND 9
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DNS service becomes completely unavailable, causing widespread service disruption for all clients relying on the affected resolver.
Likely Case
Intermittent DNS resolution failures and service outages when the specific CNAME chain conditions are triggered.
If Mitigated
Minimal impact if the vulnerable configuration is not used or if the server is patched.
🎯 Exploit Status
Exploitation requires triggering the specific CNAME chain conditions, which may be difficult to reproduce reliably.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.20.11, 9.21.10, and later versions
Vendor Advisory: https://kb.isc.org/docs/cve-2025-40777
Restart Required: Yes
Instructions:
1. Download the patched BIND version from ISC.
2. Stop the named service.
3. Install the updated packages.
4. Restart the named service.
5. Verify that the service is running correctly.
🔧 Temporary Workarounds
Disable the vulnerable configuration
Change serve-stale-enable to no, or set stale-answer-client-timeout to disabled.
Edit named.conf and set: serve-stale-enable no; or stale-answer-client-timeout disabled;
Then run: rndc reload
🧯 If You Can't Patch
- Disable serve-stale functionality in BIND configuration
- Implement monitoring and alerting for named process crashes
🔍 How to Verify
Check if Vulnerable:
Check the BIND version with 'named -v', and check whether the configuration contains both serve-stale-enable yes and stale-answer-client-timeout 0.
Check Version:
named -v
Verify Fix Applied:
Verify that the BIND version is 9.20.11+, 9.21.10+, or later, and check that the named process remains running.
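The two checks above (release reported by named -v against the fixed versions, and the serve-stale-enable / stale-answer-client-timeout combination in named.conf) as one POSIX shell script. This is an added example, not code from this page or from ISC; the two named.conf fragments are constructed for the demonstration, the helper names (conf_option, config_is_vulnerable, version_status) are the example's own, and the version classification only knows the 9.20 and 9.21 branches this page names, reporting "unknown" for any other branch.

```shell
#!/bin/sh
# Added example (not from the advisory page or ISC): check the BIND release
# string against the fixed versions 9.20.11 / 9.21.10 and look for a
# named.conf that combines serve-stale-enable yes with
# stale-answer-client-timeout 0.

# Constructed sample configs (assumptions for the demo, not real deployments).
VULN_CONF="$(mktemp)"
cat > "$VULN_CONF" <<'EOF'
options {
    directory "/var/cache/bind";   // constructed path
    recursion yes;
    serve-stale-enable yes;        # both vulnerable settings present
    stale-answer-client-timeout 0;
};
EOF

SAFE_CONF="$(mktemp)"
cat > "$SAFE_CONF" <<'EOF'
options {
    recursion yes;
    serve-stale-enable no;         // workaround from the page applied
    stale-answer-client-timeout disabled;
};
EOF

# Print the value of option $2 in config $1 (first occurrence, // and #
# comments stripped); prints nothing when the option is not set explicitly.
# Assumes a flattened config: /* */ comments and include files are not handled.
conf_option() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" \
      | grep -E "^[[:space:]]*$2[[:space:]]" \
      | head -n 1 \
      | sed -E "s/^[[:space:]]*$2[[:space:]]+([^;]*);.*/\1/" \
      | tr -d '[:space:]'
}

# Exit 0 when the config carries both settings the advisory names.
config_is_vulnerable() {
    enable="$(conf_option "$1" serve-stale-enable)"
    timeout="$(conf_option "$1" stale-answer-client-timeout)"
    if [ "$enable" = "yes" ] && [ "$timeout" = "0" ]; then
        return 0
    fi
    return 1
}

# Classify a `named -v` string: "fixed", "below-fix" (older than the fixed
# release on the 9.20 or 9.21 branch), or "unknown" (branch not named by the
# advisory, or unparsable). Anything newer than 9.21 counts as "fixed" per the
# page's "and later versions".
version_status() {
    ver="$(printf '%s\n' "$1" | sed -nE 's/.*BIND ([0-9]+)\.([0-9]+)\.([0-9]+).*/\1 \2 \3/p')"
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    set -- $ver        # $1=major $2=minor $3=patch (positional params are function-local)
    if [ "$1" -eq 9 ] && [ "$2" -eq 20 ]; then
        [ "$3" -ge 11 ] && echo fixed || echo below-fix
    elif [ "$1" -eq 9 ] && [ "$2" -eq 21 ]; then
        [ "$3" -ge 10 ] && echo fixed || echo below-fix
    elif [ "$1" -gt 9 ] || { [ "$1" -eq 9 ] && [ "$2" -gt 21 ]; }; then
        echo fixed
    else
        echo unknown
    fi
}

# Stand-alone run: check the live host if named is installed, then the samples.
if command -v named >/dev/null 2>&1; then
    echo "installed named: $(version_status "$(named -v)")"
fi
for c in "$VULN_CONF" "$SAFE_CONF"; do
    if config_is_vulnerable "$c"; then
        echo "$c: serve-stale-enable yes + stale-answer-client-timeout 0 -> vulnerable configuration"
    else
        echo "$c: vulnerable combination not set"
    fi
done
```

On a real resolver, point config_is_vulnerable at the output of named-checkconf -p, which prints the parsed configuration with include files expanded, rather than at a raw named.conf that may pull the options in from elsewhere.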
📡 Detection & Monitoring
Log Indicators:
- named daemon crash logs
- assertion failure messages in system logs
- DNS query failures
Network Indicators:
- DNS resolution failures
- Increased DNS timeout errors
SIEM Query:
process_name:named AND (event_type:crash OR log_message:assertion)