BIND9 – Denial of Service Exploit in the Wild

  • August 2, 2015

BIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and dedicated server installation and is used by most DNS providers.

A week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service vulnerability (CVE-2015-5477) that allows a remote and unauthenticated attacker to crash the BIND (named) daemon, taking down a DNS server.

This happens because of an error in the way BIND handles TKEY queries, which with a single UDP packet can trigger a required assertion failure, causing the DNS daemon to exit.

Exploits in the Wild

Because of its severity we’ve been actively monitoring to see when the exploit would be live. We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down also means your email, HTTP and all other services will be unavailable.

If You Have Not Patched Your DNS Server, Do it Now!

All major Linux distributions (Redhat, Centos, Ubuntu, etc) have already provided patches for it and a simple “yum update” on Redhat/Centos or “apt-get update” on Debian-based systems will get you protected. Remember though, for the change to take affect you must restart BIND after the update.

If you run your own DNS server, a quick way to see if you are being targeted is to look for the “ANY TKEY” in your DNS logs:

Aug 2 10:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)

In fact, you can look for any type of TKEY request, as they are not very common, and see if there have been any attempts. The example above is from one of the public exploits released. Note that you need to have querylog enabled (which you can do with the command “rndc querylog on“).

Clients using our DNS server, part of our Website Firewall, are already protected against this vulnerability. For existing customers, you can enable the use of our DNS manager and find instructions in our knowledgebase.

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags
2 comments

  2. I saw this on another site: You can also apply the following patch to your vulnerable version of BIND 9.

    diff –git a/lib/dns/tkey.c b/lib/dns/tkey.c
    index 66210d5..34ad90b 100644
    — a/lib/dns/tkey.c
    +++ b/lib/dns/tkey.c
    @@ -654,6 +654,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
    * Try the answer section, since that’s where Win2000
    * puts it.
    */
    + name = NULL;
    if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
    dns_rdatatype_tkey, 0, &name,
    &tkeyset) != ISC_R_SUCCESS) {

    Can you confirm if the patch can be applied in lieu of the update.

Comments are closed.

Related Categories
You May Also Like