- Server operating system version
- Ubuntu 24
- Plesk version and microupdate number
- Plesk Obsidian 18.0.73 Update #3
Plesk, can you let us know the timeline for the release of the patches or updates for BIND9?
The Dutch National Cyber Security Centre (and security agencies worldwide) are urging immediate patching of BIND 9 due to a critical DNS cache poisoning vulnerability known as CVE-2025-40778.
Vulnerability Description
A flaw in a BIND 9 resolver allows it to accept and cache DNS records that were not requested in the original DNS query. An off-path attacker capable of spoofing or racing responses could inject forged address information into the cache. After the cache is poisoned, users relying on the resolver may be redirected to attacker-controlled systems without new DNS queries being made.
Impact
Forged records can be injected into cache during a query, which can potentially affect resolution of future queries.
- Authoritative services are believed to be unaffected by this vulnerability but it is important to read: Why does my authoritative server make recursive queries?
- Resolvers are affected by this vulnerability.
Scope
Previous versions of this advisory overestimated the number of affected servers due to only keying off versions, however only recursive resolvers are affected.
Mitigations
- Upgrade resolvers to a patched release (9.18.41, 9.20.15, 9.21.14, or newer maintenance builds) as provided by ISC.
- Until upgrades are complete, restrict recursion to trusted clients, employ DNSSEC validation, and monitor caches for unexpected RRsets. Note these measures reduce but do not eliminate risk.
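
An added example, not part of the original post and not code from ISC or Plesk: a triage helper that applies the advisory's two criteria together, the fixed upstream release per branch and whether recursion is on at all. The function names and status labels are hypothetical, the sample strings are constructed, and the config text is assumed to be `named-checkconf -p` output.

```python
import re

# Fixed upstream releases listed in the advisory quoted above, keyed by branch.
FIXED = {(9, 18): 41, (9, 20): 15, (9, 21): 14}
OFF = {"no", "false", "0"}

# Constructed sample inputs (not taken from a real server).
SAMPLE_VERSION = "BIND 9.18.39-0ubuntu0.24.04.1-Ubuntu (Extended Support Version)"
SAMPLE_CONF = 'options {\n\tallow-recursion {\n\t\t"localnets";\n\t};\n\trecursion yes;\n};\n'

def parse_version(named_v_output):
    """Extract (major, minor, patch) from `named -v` style output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", named_v_output)
    if not m:
        raise ValueError(f"no BIND version found in {named_v_output!r}")
    return tuple(int(p) for p in m.groups())

def recursion_disabled(conf_text):
    """True only if every `recursion` statement in the config turns it off.

    Assumes `named-checkconf -p` output (comments already stripped). BIND
    enables recursion by default, so a missing statement counts as enabled.
    """
    values = re.findall(r"(?<![\w-])recursion\s+(\w+)\s*;", conf_text)
    return bool(values) and all(v in OFF for v in values)

def assess(named_v_output, conf_text):
    """Classify a server against the advisory's scope and fixed releases."""
    major, minor, patch = parse_version(named_v_output)
    if recursion_disabled(conf_text):
        return "recursion-off"          # advisory scope: resolvers only
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "branch-not-listed"      # advisory names no fix for this branch
    if patch >= fixed:
        return "at-or-above-fixed-release"
    # Upstream numbering only: a distribution package may carry a backported
    # fix under an older version, so confirm against the vendor's changelog.
    return "below-fixed-release"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

A `below-fixed-release` result on a distribution package is a prompt to check the vendor's security changelog, not proof that the fix is missing.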