Note: This is an archival copy of Security Sun Alert 273169 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021660.1.
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the BIND DNS software shipped with Solaris:
A security vulnerability in the BIND DNS software shipped with Solaris may allow a remote user who is able to perform recursive queries to cause a server that is configured to support DNSSEC validation and recursive client queries to return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts or services.
This issue is also mentioned in the following documents:
2. Contributing Factors
This issue can occur in the following releases:
Note 2: Only systems with the BIND named(1M) service enabled are impacted by this issue. To verify if BIND is running on a system, the
following command can be used:
$ pgrep named && echo "BIND is running"Note 3: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be used:
$ uname -v3. Symptoms
There are no predictable symptoms that would indicate the described issue has occurred.
As recursive queries are required to exploit this issue, it is possible to reduce the likelihood of exploitation by using the "allow-recursion" option in the "/etc/named.conf" file to restrict the list of hosts that can perform these queries.
In addition, this issue can be prevented by disabling DNSSEC functionality. This can be done by setting "dnssec-enable" to "no" in
"/etc/named.conf". Note this may affect the security of DNS transactions as the facilities provided by DNSSEC will no longer be available.
For Solaris 10 and OpenSolaris, once the configuration file has been altered, the DNS service must be restarted by running the svcadm(1) command as follows:
# svcadm -v enable svc:/network/dns/server:defaultfollowed by:
# svcadm -v restart svc:/network/dns/server:default5. Resolution
This issue is addressed in the following releases:
22-Jan-2010: Updated Contributing Factors and Resolution sections.
31-Mar-2010: Updated Contributing Factors and Resolution sections.
11-Jun-2010: Updated Contributing Factors and Resolution sections. Resolved.
22-Jun-2010: Republished to correct visibility
This solution has no attachment