CVE-2025-5994 in Unbound
Summary
by MITRE • 07/16/2025
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Analysis
by VulDB Data Team • 09/12/2025
The Rebirthday Attack is a cache poisoning technique against caching resolvers that support EDNS Client Subnet (ECS), and several vendors are affected. Unbound is affected only under the two conditions given in the summary: it must be built with '--enable-subnet', and it must be configured to send ECS information upstream through at least one of 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward'. The attacker floods the resolver with forged replies carrying guessed transaction IDs and relies on the birthday paradox: the more upstream queries for the same name the resolver has in flight at once, the more likely one of the guesses matches one of them. A forged reply that wins the race and carries no ECS option is cached as an ordinary, non-ECS answer and is then served to every client of the resolver.
The weakness is not a missing isolation step but a consequence of what ECS requires. Without ECS, a resolver merges concurrent client queries for the same name into a single outstanding upstream query, so a blind attacker has exactly one transaction ID (and one randomized source port) to guess at a time; this aggregation is the standard defence against birthday attacks on DNS. With ECS, queries for the same name that carry different client-subnet information must go upstream separately, because the authoritative server may legitimately answer each subnet differently. A resolver that forwards ECS therefore keeps many outstanding queries for one name, each with its own random ID, and the attacker's chance of a hit grows roughly with the number of in-flight queries multiplied by the number of forged replies. ECS does not remove the randomization; it multiplies the number of targets the randomization has to protect. Because a reply without an ECS option is not scoped to any subnet, a forged non-ECS reply that wins the race is stored as a normal cache entry rather than a per-subnet one.
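To make the paradox concrete, here is an added Python example (not code from the advisory, from VulDB or from Unbound) that computes the attacker's success probability for a given number of in-flight queries and forged replies, and checks the formula with a small simulation. It models only the 16-bit transaction ID, as the advisory frames the attack; the id_space parameter lets you model an attacker who must also guess a per-query random source port. The numbers in the example (256 subnets, a flood of 256 replies) are assumptions chosen for illustration.

```python
import math
import random

TXID_SPACE = 1 << 16  # the DNS transaction ID is 16 bits


def poison_probability(outstanding, spoofed, id_space=TXID_SPACE):
    """Probability that at least one of `spoofed` forged replies, each carrying
    a distinct guessed ID, matches the ID of one of `outstanding` in-flight
    upstream queries for the same name.  Each query's ID is uniform and
    independent: one query escapes all guesses with (1 - spoofed/id_space),
    and the attacker wins unless every query escapes."""
    spoofed = min(spoofed, id_space)
    miss_one = 1.0 - spoofed / id_space
    return 1.0 - miss_one ** outstanding


def replies_needed(outstanding, target=0.5, id_space=TXID_SPACE):
    """Smallest flood size whose success probability reaches `target`."""
    m = math.ceil(id_space * (1.0 - (1.0 - target) ** (1.0 / outstanding)))
    while poison_probability(outstanding, m, id_space) < target:  # float rounding guard
        m += 1
    return m


def simulate(outstanding, spoofed, trials=2000, seed=1, id_space=TXID_SPACE):
    """Monte Carlo check of the formula.  Per trial the resolver draws one
    random ID per in-flight query; the attacker floods IDs 0..spoofed-1
    (any fixed set of distinct IDs is equivalent by symmetry).  Returns the
    observed hit rate."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ids = (rng.randrange(id_space) for _ in range(outstanding))
        if any(i < spoofed for i in ids):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    flood = 256  # forged replies the attacker lands inside the race window (assumed)
    # Without ECS the resolver merges identical client queries into one upstream
    # query, so the attacker races a single ID.  With ECS, queries carrying
    # different client subnets go upstream separately (assumed: 256 subnets).
    for label, inflight in (("aggregated (no ECS)", 1), ("ECS-segregated", 256)):
        p = poison_probability(inflight, flood)
        print(f"{label:20s} in-flight={inflight:4d} flood={flood}: "
              f"P(poison)={p:.4f} (simulated {simulate(inflight, flood):.3f}); "
              f"replies for 50%: {replies_needed(inflight)}")
```

With one in-flight query a flood of 256 replies succeeds about 0.4% of the time and roughly 32768 replies are needed for a coin flip; with 256 segregated in-flight queries the same flood succeeds about 63% of the time and fewer than 200 replies reach 50%. That quadratic gain is the "rebirthday".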
The operational impact is a poisoned shared cache: a successful race inserts attacker-chosen A, AAAA or CNAME records for a name of the attacker's choosing, and the resolver serves them to all of its clients until the TTL expires, which enables traffic redirection and adversary-in-the-middle positioning. The attack is active and off-path, not passive. The attacker must make the resolver issue many concurrent, ECS-distinct upstream queries for the target name (for example by sending queries from addresses in different subnets, or through clients that do), and must flood the resolver with spoofed UDP replies that appear to come from the authoritative server while the genuine reply is still outstanding. No position on the resolver's network path is required, but the attacker needs the ability to spoof source addresses and must guess the authoritative server address and the timing window. A validating resolver is protected for DNSSEC-signed zones, because the forged records fail validation.
Mitigation follows from the preconditions. The most direct measure is to stop sending ECS upstream: remove 'send-client-subnet', 'client-subnet-zone' and 'client-subnet-always-forward' from the configuration (or deploy a build without '--enable-subnet') unless ECS forwarding is genuinely required; the condition in the summary is sending ECS to upstream servers, not merely accepting it from clients. Where ECS forwarding is required, apply the vendor's fixed release. Trying to segregate ECS queries further is not a remedy, since that segregation is inherent to ECS and is exactly what re-enables the birthday attack, and transaction ID or source port randomization is not a fix either, because affected resolvers already randomize both and the attack works despite it. Authenticated transport to upstream servers (for example forwarding over TLS) removes blind reply injection altogether, and DNSSEC validation protects signed zones. For detection, watch for bursts of replies that match no outstanding query and for unusually many concurrent upstream queries for a single name; Unbound's 'unwanted-reply-threshold' option counts such unmatched replies and flushes the cache when the threshold is reached. As for classification, this is a data integrity issue in the spirit of CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data), not an information exposure (CWE-200) and certainly not a password storage weakness (CWE-257); in ATT&CK terms it enables adversary-in-the-middle positioning through DNS manipulation (T1557) rather than DNS-based command and control (T1071.004) or resource hijacking (T1496).
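As an added practical check (again example code, not from the page or from the Unbound project), the following Python reads the output of `unbound -V` and an unbound.conf and reports whether the two preconditions from the summary hold: built with '--enable-subnet' and configured to send ECS upstream. It counts 'client-subnet-always-forward' only when set to yes (no is the default), reports for context whether 'subnetcache' appears in 'module-config', and does not follow 'include:' directives. The version output and both configurations are constructed samples, not captured from a real host.

```python
import re

# unbound.conf is one "option: value" per line; '#' starts a comment.
OPTION_RE = re.compile(r"^\s*([a-z0-9-]+)\s*:\s*(.*?)\s*$")


def parse_options(config_text):
    """Yield (option, value) pairs from unbound.conf text.  Comments and blank
    lines are dropped.  'include:' directives are NOT followed (a limitation
    of this example); check included files separately."""
    for raw in config_text.splitlines():
        m = OPTION_RE.match(raw.split("#", 1)[0])
        if m:
            yield m.group(1), m.group(2).strip('"')


def ecs_compiled_in(version_output):
    """True if the 'Configure line:' printed by `unbound -V` has --enable-subnet."""
    for line in version_output.splitlines():
        if line.startswith("Configure line:"):
            return re.search(r"--enable-subnet\b", line) is not None
    return False


def ecs_forwarding_options(config_text):
    """Return the (option, value) pairs named in the advisory that make Unbound
    send ECS upstream.  client-subnet-always-forward defaults to 'no', so only
    an explicit 'yes' is counted."""
    found = []
    for opt, val in parse_options(config_text):
        if opt in ("send-client-subnet", "client-subnet-zone"):
            found.append((opt, val))
        elif opt == "client-subnet-always-forward" and val.lower() == "yes":
            found.append((opt, val))
    return found


def assess(version_output, config_text):
    """Combine both preconditions; 'exposed' is True only when both hold."""
    compiled = ecs_compiled_in(version_output)
    sending = ecs_forwarding_options(config_text)
    module_on = any(opt == "module-config" and "subnetcache" in val
                    for opt, val in parse_options(config_text))
    return {
        "ecs_compiled_in": compiled,
        "subnetcache_in_module_config": module_on,
        "ecs_sent_upstream": sending,
        "exposed": compiled and bool(sending),
    }


# --- constructed samples (not captured from a real host) --------------------
VERSION_WITH_ECS = """Version 1.23.0

Configure line: --prefix=/usr --enable-subnet --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13
"""

VERSION_WITHOUT_ECS = """Version 1.23.0

Configure line: --prefix=/usr --with-libevent
"""

# Exposed: ECS module loaded AND ECS is sent to an upstream / for a zone.
EXPOSED_CONF = """server:
    interface: 0.0.0.0
    module-config: "subnetcache validator iterator"
    send-client-subnet: 203.0.113.53        # send ECS to this authority
    client-subnet-zone: example.com.        # send ECS for this zone
    client-subnet-always-forward: no        # default; by itself sends nothing
"""

# Mitigated: the three sending options removed; the module may stay loaded.
SAFE_CONF = """server:
    interface: 0.0.0.0
    module-config: "subnetcache validator iterator"
    # send-client-subnet / client-subnet-zone intentionally absent
"""


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("safe", SAFE_CONF)):
        print(name, assess(VERSION_WITH_ECS, conf))
```

On a real host, feed it `subprocess.check_output(["unbound", "-V"], text=True)` and the contents of the configuration file; a result with 'exposed' True means the resolver is inside the condition the advisory describes and should either stop forwarding ECS or run a fixed release.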