Bound to happen: BIND bug exploits now in the wild
Tardy on the patch? GET BUSY
Security bods are nagging anyone running BIND to install last week's patch, as active exploits have started to appear in the wild.
That information comes from Sucuri's Daniel Cid, who writes that "attacks have begun," based on reports from the company's customers that they were experiencing DNS server crashes.
Patching is straightforward for anyone running Linux-based DNS servers. Ubuntu, Red Hat, CentOS, and Debian have all caught up with the bug, so the fix is a matter of yum update or apt-get dist-upgrade, as suits your environment, plus a DNS server restart.
As reported last week in The Register, CVE-2015-5477 is an error in handling TKEY queries: "a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit."
Cid says it's also trivial to test if your DNS server is being targeted. "Look for the ANY TKEY in your DNS logs" with querylog enabled, because TKEY requests are "not very common" and it should be easy to see suspicious requests. ®
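The log check Cid describes, sketched as an added example (not code from Sucuri or The Register). It assumes the usual BIND 9 querylog line layout, and it goes slightly beyond the "ANY TKEY" string by flagging any query whose type field is TKEY, whatever the class, while ignoring names that merely contain "tkey". The function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed BIND 9 querylog layout:
#   client [@0x...] <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> (<local ip>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: \S+ (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
04-Aug-2015 10:12:31.101 queries: info: client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A + (203.0.113.5)
04-Aug-2015 10:12:33.412 queries: info: client 198.51.100.7#42212 (foo.bar): query: foo.bar ANY TKEY + (203.0.113.5)
04-Aug-2015 10:12:33.978 queries: info: client 198.51.100.7#42213 (foo.bar): query: foo.bar ANY TKEY + (203.0.113.5)
04-Aug-2015 10:12:40.020 queries: info: client 192.0.2.10#53300 (tkey.example.com): query: tkey.example.com IN A +E (203.0.113.5)
04-Aug-2015 10:12:41.555 queries: info: client 2001:db8::99#40000 (foo.bar): query: foo.bar ANY TKEY + (203.0.113.5)
04-Aug-2015 10:12:42.000 general: info: zone example.com/IN: loaded serial 2015080401
"""

def find_tkey_queries(lines):
    """Return (client_ip, qname, qclass) for every logged query of type TKEY."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        # Match on the parsed type field, so a name like tkey.example.com is not flagged.
        if m and m.group("qtype").upper() == "TKEY":
            hits.append((m.group("ip"), m.group("qname"), m.group("qclass")))
    return hits

def summarize(hits):
    """Count TKEY queries per client address."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    hits = find_tkey_queries(SAMPLE_LOG.splitlines())
    for ip, count in summarize(hits).most_common():
        print(f"{ip}\t{count} TKEY queries")
```

Feed it the lines of your own query log in place of SAMPLE_LOG; a server that does not use TKEY should normally produce no hits at all.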