An error in the handling of TKEY queries can be exploited as a
denial-of-service vector: a constructed packet can use the defect to
trigger a REQUIRE assertion failure, causing BIND to exit.
IPS Signature
alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS? CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4;)
Solution
Upgrade to the patched release most closely related to your current
version of BIND. These can be downloaded from http://www.isc.org/downloads.
- BIND 9 version 9.9.7-P2
- BIND 9 version 9.10.2-P3
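
To see which of the two releases above applies to a given server, the following added example (not ISC's code and not part of the original advisory) compares the version reported by `named -v` with the patched release for the same branch. The function names, the status strings and the assumed version layout (X.Y.Z with an optional a/b/rc pre-release tag or -P patch level) are this example's own.

```python
import re
import subprocess
import sys

# Patched releases named in the Solution section, keyed by release branch.
FIXED = {(9, 9): "9.9.7-P2", (9, 10): "9.10.2-P3"}

# Assumed version layout: X.Y.Z, optionally followed by a pre-release tag
# (a, b, rc) or a security patch level (-P). Other suffixes are ignored.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-?(a|b|rc|P)(\d+))?")
# Pre-releases sort below the final release, -P patch levels above it.
_STAGE = {"a": -3, "b": -2, "rc": -1, None: 0, "P": 1}


def parse_version(text):
    """Return a sortable tuple for the first BIND version found in text."""
    m = _VERSION.search(text)
    if m is None:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE[stage], int(num or 0))


def check(named_v_output):
    """Map `named -v` output to (status, listed patched release or None)."""
    installed = parse_version(named_v_output)
    if installed is None:
        return ("unparsed", None)
    fixed = FIXED.get(installed[:2])
    if fixed is None:
        # The page lists no patched release for this branch.
        return ("no-listed-fix", None)
    if installed >= parse_version(fixed):
        return ("patched", fixed)
    return ("upgrade", fixed)


if __name__ == "__main__":
    # Pass a version string as the first argument, or let the script
    # ask the locally installed named binary.
    if len(sys.argv) > 1:
        out = sys.argv[1]
    else:
        out = subprocess.run(["named", "-v"],
                             capture_output=True, text=True).stdout
    print(out.strip(), "->", check(out))
```

Distribution packages often backport fixes without changing the upstream version number, so treat the result as authoritative only for ISC's own releases.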