Note: This is an archival copy of Security Sun Alert 201238 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000924.1.
Article ID : 1000924.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-02-27
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security vulnerabilities in BIND and libresolv (CERT CA-2002-31)



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4777715

Date of Workaround Release
20-NOV-2002

Date of Resolved Release
28-FEB-2003

Impact

Vulnerabilities in the in.named(1M) daemon and the libresolv(3lib) library may allow a local or remote unprivileged user to:

VU#844360:

	execute arbitrary code with the privileges of an application which calls the vulnerable libresolv(3lib) function

VU#852283:

	execute arbitrary code with the privileges of the in.named(1M) daemon (normally root)

VU#581682 and VU#229595:

	disrupt the operation of the DNS server, possibly causing in.named(1M) to SEGV (see manual page for signal.h(3HEAD))

These issues are described in CERT Vulnerability Notes VU#844360, VU#852283, VU#229595 and VU#581682 (see http://www.kb.cert.org/vuls/), which are referenced in CERT Advisory CA-2002-31 (see http://www.cert.org/advisories/CA-2002-31.html).

This issue is also described at: http://www.isc.org/products/BIND/bind-security.html and http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469


Contributing Factors

This issue can occur in the following releases:

SPARC Platforms

  • Solaris 2.5.1
  • Solaris 2.6 without patch 105755-13
  • Solaris 7 without patch 106938-07
  • Solaris 8 without patch 109326-10
  • Solaris 9 without patch 112970-03

x86 Platforms

  • Solaris 2.5.1
  • Solaris 2.6 without patch 105756-13
  • Solaris 7 without patch 106939-07
  • Solaris 8 without patch 109327-10
  • Solaris 9 without patch 114354-01

Note 1:

	VU#844360 affects Solaris 2.5.1 and 2.6 only.
	VU#852283 affects Solaris 7, 8, and 9 only.
	VU#581682 affects Solaris 7, 8, and 9 only.
	VU#229595 affects Solaris 9 only.

Note 2: Only Solaris 2.5.1 and 2.6 are affected by VU#844360. These systems are only vulnerable to VU#844360 if they are configured to use DNS, the Domain Name System, as the host name resolution service in nsswitch.conf(4M), as in the following example:

	$ grep dns /etc/nsswitch.conf
	hosts:     nisplus dns [NOTFOUND=return] files

Additionally, applications independently linked to /usr/lib/libresolv.so are also vulnerable. For example:

	$ /bin/ldd dig | grep libresolv
	libresolv.so.2 =>        /usr/lib/libresolv.so.2

Note 3: Applications statically linked to a static resolver library libresolv.a are also vulnerable to VU#844360 if the libresolv.a came from BIND 4.9.2 through 4.9.10. If this is the case, then it will be necessary to obtain an application upgrade or patch from the application vendor. A static resolver library (libresolv.a) is not supplied with the Solaris Operating Environment.

Note 4: Solaris 7, 8, and 9 systems are vulnerable to VU#852283, VU#581682 and VU#229595 only if they are configured as a DNS server, which is indicated by the presence of the file /etc/named.conf. For example:

	$ ls -l /etc/named.conf
	-rw-r--r--   1 root     staff        218 Oct   3  2002 /etc/named.conf


Symptoms

VU#844360 and VU#852283: There are no predictable symptoms that would show these issues have been exploited to execute arbitrary code on a vulnerable system.

VU#581682 and VU#229595: The in.named(1M) process may SEGV resulting in a file named "core" in the directory specified by the 'directory' setting in the options section of the /etc/named.conf file. Running file(1) on the 'core' file will reference in.named(1M), similar to the following example:

	# file `awk -F\" '/directory/ {print $2}' /etc/named.conf`/core
	/var/named/core:    ELF 32-bit MSB core file SPARC Version 1, from 'in.named'


Workaround

VU#844360: No workaround is available.

VU#852283, VU#581682 and VU#229595: A potential workaround for systems running in.named(1M) which do not require recursion and respond to DNS requests made by untrusted systems is to disable recursion. This can be done by adding 'recursion no' to the options section of /etc/named.conf:

	options {
		recursion no;
	};

Note: With recursion disabled, in.named can only supply answers from the information loaded at startup as specified in the in.named configuration file; see in.named(1M).

For sites using in.named(1M) which cannot disable recursion, an interim workaround is to filter TCP port 53 at all appropriate network perimeters.


Resolution

This issue is addressed in the following releases:

SPARC Platforms

  • Solaris 2.6 with patch 105755-13 or later
  • Solaris 7 with patch 106938-07 or later
  • Solaris 8 with patch 109326-10 or later
  • Solaris 9 with patch 112970-03 or later

x86 Platforms

  • Solaris 2.6 with patch 105756-13 or later
  • Solaris 7 with patch 106939-07 or later
  • Solaris 8 with patch 109327-10 or later
  • Solaris 9 with patch 114354-01 or later

Note: Solaris 2.5.1 will require an upgrade to a later release with appropriate patches.
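
The checks from the Contributing Factors notes and the Resolution patch list can be combined into one audit script. The following is an added example, not part of the original Sun Alert: the function names and the --host switch are hypothetical, and it assumes that uname -r reports 5.x release strings, that uname -p reports sparc or i386, and that showrev -p prints one "Patch: <id>" line per installed patch.

```shell
# Added example (not from the advisory). Needs a POSIX shell; on old Solaris
# use ksh or /usr/xpg4/bin/sh rather than the Bourne /bin/sh.

# required_patch <uname -r> <uname -p>: minimum patch from the Resolution list.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 105755-13 ;;  5.6/i386) echo 105756-13 ;;
        5.7/sparc) echo 106938-07 ;;  5.7/i386) echo 106939-07 ;;
        5.8/sparc) echo 109326-10 ;;  5.8/i386) echo 109327-10 ;;
        5.9/sparc) echo 112970-03 ;;  5.9/i386) echo 114354-01 ;;
        5.5.1/*)   echo upgrade ;;    # no patch; an OS upgrade is required
        *)         echo unknown ;;
    esac
}

# patch_ok <base-rev>: reads `showrev -p` lines on stdin and succeeds when the
# same base patch is present at that revision or later.
patch_ok() {
    need_base=${1%-*}; need_rev=${1#*-}
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] && [ "${id%-*}" = "$need_base" ] || continue
        [ "${id#*-}" -ge "$need_rev" ] && return 0
    done
    return 1
}

# exposure <uname -r> <nsswitch.conf> <named.conf>: prints the VU numbers whose
# preconditions (Notes 1, 2 and 4) hold for this configuration.
exposure() {
    case "$1" in
        5.5.1|5.6)   # resolver flaw; separately linked binaries need ldd
            grep '^hosts:.*dns' "$2" >/dev/null 2>&1 && echo "VU#844360" ;;
        5.7|5.8|5.9) # server flaws apply only when named.conf exists
            [ -f "$3" ] || return 0
            echo "VU#852283"; echo "VU#581682"
            [ "$1" = 5.9 ] && echo "VU#229595" ;;
    esac
    return 0
}

# Live check, run only when invoked with --host on the system being audited.
if [ "${1:-}" = "--host" ]; then
    rel=$(uname -r); need=$(required_patch "$rel" "$(uname -p)")
    exposure "$rel" /etc/nsswitch.conf /etc/named.conf
    case "$need" in
        upgrade|unknown) echo "fix: $need" ;;
        *) showrev -p | patch_ok "$need" && echo "have $need" || echo "missing $need" ;;
    esac
fi
```

The patch check matches only the base patch ID listed in this alert; a superseding patch with a different ID would have to be confirmed by hand. The nsswitch.conf test also does not cover applications linked to libresolv independently (Note 2) or statically (Note 3).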



Modification History
Date: 28-FEB-2003
  • State: Resolved (and Closed)
  • Updated Contributing Factors and Resolution sections


References

109326-10
109327-10
105756-13
105755-13
106938-07
112970-03
106939-07
114354-01



