CVE-2015-5477

Published: 29/07/2015 Updated: 10/11/2017
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10
VMScore: 837
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Summary

named in ISC BIND 9.x prior to 9.9.7-P2 and 9.10.x prior to 9.10.2-P3 allows remote malicious users to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.

Affected Products

Vendor: ISC | Product: BIND | Versions: 9.9.7, 9.10.2

Vendor Advisories

Debian Bug report logs - #793903 bind9: CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure. Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 28 Jul 2015 1 ...
Debian Bug report logs - #839051 bind9: CVE-2016-2848: A packet with malformed options can trigger an assertion failure. Package: bind9; Maintainer for bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Source for bind9 is src:bind9 (PTS, buildd, popcon). Reported by: Florian Weimer <fw@deneb.enyo.de> Date: Wed, 2 ...
Jonathan Foote discovered that the BIND DNS server does not properly handle TKEY queries. A remote attacker can take advantage of this flaw to mount a denial of service via a specially crafted query triggering an assertion failure and causing BIND to exit. For the oldstable distribution (wheezy), this problem has been fixed in version 1:984dfsg ...
Bind could be made to crash if it received specially crafted network traffic ...
As reported upstream, an error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit ...
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see How to use ...
A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet ...
Oracle Solaris Third Party Bulletin - July 2015. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when ...
Oracle VM Server for x86 Bulletin - July 2016. Description: The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day ...

Exploits

/* PoC for BIND9 TKEY assert Dos (CVE-2015-5477) Usage: tkill <hostname> What it does: - First sends a "version" query to see if the server is up - Regardless of the version response, it then sends the DoS packet - Then it waits 5 seconds for a response If the server crashes, there wi ...
#!/usr/bin/env python # Exploit Title: PoC for BIND9 TKEY DoS # Exploit Author: elceef # Software Link: github.com/elceef/tkeypoc/ # Version: ISC BIND 9 # Tested on: multiple # CVE : CVE-2015-5477 import socket import sys print('CVE-2015-5477 BIND9 TKEY PoC') if len(sys.argv) < 2: print('Usage: ' + sys.argv[0] + ' [target]') syse ...

Mailing Lists

BIND TKEY query remote denial of service proof of concept exploit ...

Metasploit Modules

BIND TKEY Query Denial of Service

This module sends a malformed TKEY query, which exploits an error in handling TKEY queries on affected BIND9 'named' DNS servers. As a result, a vulnerable named server will exit with a REQUIRE assertion failure. This condition can be exploited in BIND versions 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2.

msf > use auxiliary/dos/dns/bind_tkey
msf auxiliary(bind_tkey) > show actions
    ...actions...
msf auxiliary(bind_tkey) > set ACTION <action-name>
msf auxiliary(bind_tkey) > show options
    ...show and set options...
msf auxiliary(bind_tkey) > run

Github Repositories

cve-2015-5477 PoC for BIND9 TKEY assert DoS (CVE-2015-5477) $ ps awux | grep -v grep | grep bind bind 2373 0.0 2.2 141164 13424 ? Ssl 14:58 0:00 /var/named/chroot/sbin/named -u bind -t /var/named/chroot -c /etc/named.conf $ python tkill.py 127.0.0.1 Begin emission: Finished to send 1 packets

cve-2015-5477

PoC for BIND9 TKEY assert DoS (CVE-2015-5477). This exploit tests to see if a BIND9 server is vulnerable by sending the exploit in order to see if it crashes. It's C code that you compile the normal way on Unix/Windows, such as: # gcc tkill.c -o tkill. It'll run over both IPv4 and IPv6. This is what it looks like running against localhost. Since it gets two IP addresses

PoC for CVE-2015-5477 BIND9 TKEY DoS. This code sends UDP packet that crashes vulnerable BIND9 DNS servers. elceef@osiris:~/tkeypoc$ ./tkeypoc.py localhost CVE-2015-5477 BIND9 TKEY PoC Sending packet to localhost Done

ShareDoc the document I shared with others add cve-2015-5477 debug

Vulnerability as a Service - CVE 2015-5477. A Debian (Wheezy) Linux system with a vulnerable version of bind9 to showcase CVE-2015-5477. Overview: This docker container is based on Debian Wheezy and has been modified to use a vulnerable version of bind9 and the matching additional dependencies. Usage: Get the container with docker pull hmlio/vaas-cve-2015-5477. Run the container w

#awesome-c A curated list of awesome C frameworks, libraries and software SamyPesse/How-to-Make-a-Computer-Operating-System - How to Make a Computer Operating System in C++ liuliu/ccv - C-based/Cached/Core Computer Vision Library, A Modern Computer Vision Library Microsoft/WinObjC - Objective-C for Windows grpc/grpc - The C based gRPC (C++, Nodejs, Python, Ruby, Objective-C,

awesome-c A curated list of awesome C frameworks, libraries and software git/git - Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored Please follow Documentation/SubmittingPatches procedure for any of your improvements ggreer/the_silver_searcher - A code-searching tool similar to ack, but faster SamyPesse/How-to-Make-a-Computer-Ope

afl-cve: A collection of vulnerabilities discovered by the AFL fuzzer (afl-fuzz). Introduction: afl-cve is a collection of known vulnerabilities that can be attributed to the AFL fuzzer afl-fuzz. All vulnerabilities in this list either already have a CVE assigned, or a CVE has been requested from a CVE Numbering Authority. Why is This Necessary? Because CVE descriptions are not ge

Recent Articles

Bound to happen: BIND bug exploits now in the wild
The Register • Richard Chirgwin • 04 Aug 2015

Tardy on the patch? GET BUSY

Security bods are nagging anyone running BIND to install last week's patch, as active exploits have started to appear in the wild.
That information comes from Sucuri's Daniel Cid, who writes that "attacks have begun," based on reports from the company's customers that they were experiencing DNS server crashes.
The patch is straightforward for anyone running Linux-based DNS servers. Ubuntu, Red Hat, CentOS, and Debian have all caught up with the bug, so patching is straightforward –...

Critical BIND bug scores PATCH YESTERDAY grading
The Register • Darren Pauli • 30 Jul 2015

Easy to hack universal remote BIND DoS hole leaves DNS open to attack

Gird your loins internet: Attackers now have the ability to disrupt large swathes of the web through a remote denial of service vulnerability found in the most widely used software for DNS servers.
The BIND bug (CVE-2015-5477) patched overnight affects all DNS servers running the software, and can be attacked with ease.
In fact a researcher has already developed an attack capable of knocking servers offline with a single packet.
Internet Systems Consortium Michael McNally, lead...

References

CWE-19
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10718
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163006.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163007.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163015.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00043.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00045.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00048.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00033.html
http://marc.info/?l=bugtraq&m=144000632319155&w=2
http://marc.info/?l=bugtraq&m=144017354030745&w=2
http://marc.info/?l=bugtraq&m=144181171013996&w=2
http://marc.info/?l=bugtraq&m=144294073801304&w=2
http://packetstormsecurity.com/files/132926/BIND-TKEY-Query-Denial-Of-Service.html
http://rhn.redhat.com/errata/RHSA-2015-1513.html
http://rhn.redhat.com/errata/RHSA-2015-1514.html
http://rhn.redhat.com/errata/RHSA-2015-1515.html
http://rhn.redhat.com/errata/RHSA-2016-0078.html
http://rhn.redhat.com/errata/RHSA-2016-0079.html
http://www.debian.org/security/2015/dsa-3319
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/76092
http://www.securitytracker.com/id/1033100
http://www.ubuntu.com/usn/USN-2693-1
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04789415
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952480
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05095918
https://kb.isc.org/article/AA-01272
https://kb.isc.org/article/AA-01305
https://kb.isc.org/article/AA-01306
https://kb.isc.org/article/AA-01307
https://kb.isc.org/article/AA-01438
https://kb.juniper.net/JSA10783
https://kc.mcafee.com/corporate/index?page=content&id=SB10126
https://security.gentoo.org/glsa/201510-01
https://security.netapp.com/advisory/ntap-20160114-0001/
https://support.apple.com/kb/HT205032
https://www.exploit-db.com/exploits/37721/
https://www.exploit-db.com/exploits/37723/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2015-1513
https://www.rapid7.com/db/vulnerabilities/aix-6.1.9-bind9_advisory8_cve-2015-5477
https://github.com/knqyf263/cve-2015-5477
https://nvd.nist.gov
https://usn.ubuntu.com/2693-1/
http://tools.cisco.com/security/center/viewAlert.x?alertId=40201