ISC BIND 9
cpe:2.3:a:isc:bind:*:*:*:*:supported_preview:*:*
- >= 9.11.3-S1, <= 9.16.50-S1
- >= 9.18.11-S1, <= 9.18.37-S1
- >= 9.20.9-S1, <= 9.20.10-S1
A cache-poisoning vulnerability has been identified in the BIND 9 DNS resolver when it is configured to use EDNS Client Subnet (ECS) options. This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1. The vulnerability allows an attacker to manipulate the resolver's cache by sending spoofed query responses that exploit the way ECS options are handled, increasing the likelihood of successfully poisoning the cache.
Resolvers that send ECS options to authoritative servers are more susceptible to cache-poisoning attacks. The vulnerability allows spoofed query responses to bypass existing mitigations, making it easier to poison the resolver's cache with malicious data.
Users can disable ECS in BIND by removing the 'ecs-zones' option from 'named.conf'. To address the vulnerability, upgrade to BIND versions 9.18.38-S1 or 9.20.11-S1.
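As an added example (not part of the advisory and not ISC tooling), the following Python sketch checks a version string against the affected ranges listed above and looks for an active `ecs-zones` statement in the text of a `named.conf`. The sample version banner and configuration, including the zone-list syntax inside `ecs-zones`, are constructed assumptions.

```python
import re

# Affected Supported Preview Edition ranges, copied from the advisory,
# as (major, minor, patch, S-number) tuples with inclusive bounds.
AFFECTED = [
    ((9, 11, 3, 1), (9, 16, 50, 1)),
    ((9, 18, 11, 1), (9, 18, 37, 1)),
    ((9, 20, 9, 1), (9, 20, 10, 1)),
]
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-S(\d+)\b")
# named.conf comment styles: /* ... */, // ..., # ...
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def version_affected(version_text):
    """True if the text holds a -S version inside a listed range."""
    m = VERSION_RE.search(version_text)
    if not m:
        return False  # not a Supported Preview Edition version string
    v = tuple(int(g) for g in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def ecs_enabled(conf_text):
    """True if 'ecs-zones' appears outside comments (quoted strings are
    not parsed, which is a simplification of this sketch)."""
    active = COMMENT_RE.sub("", conf_text)
    return re.search(r"(?<![\w-])ecs-zones(?![\w-])", active) is not None


def assess(version_text, conf_text):
    if not version_affected(version_text):
        return "version not in affected ranges"
    if ecs_enabled(conf_text):
        return "affected: upgrade or remove ecs-zones"
    return "affected version, ECS not configured"


# Constructed sample inputs, not taken from a real host; the zone-list
# syntax inside ecs-zones is illustrative only.
SAMPLE_VERSION = "BIND 9.18.37-S1 (Supported Preview Edition)"
SAMPLE_CONF = """
options {
    recursion yes;
    // ecs-zones { "old.example"; };
    ecs-zones { "example.com"; };
};
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```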