CVE-2025-40780
Rocky Linux vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-40780) was discovered in BIND 9, affecting versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, and 9.21.0 through 9.21.12, along with various BIND Supported Preview Edition versions. The vulnerability, discovered by Prof. Amit Klein and Omer Ben Simhon from Hebrew University of Jerusalem, stems from a weakness in the Pseudo Random Number Generator (PRNG) implementation (ISC KB, NVD).

Technical details

The vulnerability is characterized by a weakness in the PRNG that allows attackers to predict the source port and query ID that BIND will use. It received a CVSS v3.1 base score of 8.6 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N. The issue specifically affects DNS resolvers, while authoritative services are believed to be unaffected (ISC KB, Ars Technica).

Impact

The vulnerability enables attackers to perform cache poisoning attacks by predicting BIND's source port and query ID. If successfully exploited, BIND can be tricked into caching attacker responses, potentially redirecting users to malicious destinations that are indistinguishable from legitimate ones. However, the impact is somewhat mitigated by existing security measures such as DNSSEC, rate limiting, and server firewalling (Ars Technica).

Mitigation and workarounds

The primary mitigation is to upgrade to the patched releases: BIND 9.18.41, 9.20.15, or 9.21.14. For BIND Supported Preview Edition users, patches are available in versions 9.18.41-S1 and 9.20.15-S1. No alternative workarounds are known (ISC KB).
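
A version check built from the affected ranges and patched releases listed above, as an added example that is not part of the original page or ISC's tooling. The function name classify and the sample version strings are constructed for illustration. It compares upstream version numbers only, so a distribution package carrying a backported fix still reads as affected.

```python
import re

# Affected upstream ranges and first patched release per branch, copied from
# this page. The page lists no patched 9.16 release, hence None.
RANGES = {
    (9, 16): ((9, 16, 0), (9, 16, 50), None),
    (9, 18): ((9, 18, 0), (9, 18, 39), (9, 18, 41)),
    (9, 20): ((9, 20, 0), (9, 20, 13), (9, 20, 15)),
    (9, 21): ((9, 21, 0), (9, 21, 12), (9, 21, 14)),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def classify(version_text):
    """Map a BIND version string (e.g. `named -v` output) to (status, note)."""
    m = VERSION_RE.search(version_text)
    if not m:
        return ("unknown", "no x.y.z version found")
    ver = tuple(int(p) for p in m.groups()[:3])
    preview = m.group(4) is not None
    if ver[:2] not in RANGES:
        return ("not-listed", "branch is outside the ranges on the page")
    low, high, fixed = RANGES[ver[:2]]
    if fixed and ver >= fixed:
        return ("patched", "at or above %d.%d.%d" % fixed)
    if preview:
        # The page says "various" preview versions are affected without ranges.
        return ("check-advisory", "preview edition below the patched -S1 release")
    if low <= ver <= high:
        if fixed:
            return ("affected", "upgrade to %d.%d.%d or later" % fixed)
        return ("affected", "no patched release listed for this branch")
    return ("not-listed", "between the affected range and the patched release")


if __name__ == "__main__":
    # Constructed sample strings, not captured from real hosts.
    for sample in ["BIND 9.18.39 (Extended Support Version)", "9.20.15",
                   "9.16.23-RH", "9.18.40", "9.20.11-S1", "9.11.36"]:
        print(sample, "->", classify(sample))
```
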

Community reactions

The vulnerability has drawn significant attention from the security community, particularly due to its similarity to the historic 2008 Kaminsky DNS cache poisoning attack. Security experts have noted that while serious, the impact is less severe than the 2008 incident due to additional protective measures that remain in place (Ars Technica).

This report was generated using AI.

Related Rocky Linux vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name                               CISA KEV exploit  Has fix  Published date
CVE-2025-14330  CRITICAL  9.8    NixOS         cpe:2.3:a:mozilla:firefox_esr                No                Yes      Dec 09, 2025
CVE-2025-14329  HIGH      8.8    NixOS         cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*  No                Yes      Dec 09, 2025
CVE-2025-14328  HIGH      8.8    NixOS         cpe:2.3:a:mozilla:firefox                    No                Yes      Dec 09, 2025
CVE-2025-14333  HIGH      8.1    NixOS         firefox                                      No                Yes      Dec 09, 2025
CVE-2025-14331  MEDIUM    6.5    NixOS         firefox                                      No                Yes      Dec 09, 2025
