Note: This is an archival copy of Security Sun Alert 275890 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021798.1.
Article ID : 1021798.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-06-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Security Vulnerabilities in BIND DNSSEC Software Shipped With Solaris May Cause Bogus NXDOMAIN Responses



Category
Security

Release Phase
Resolved

In this Document
  Description
  Likelihood of Occurrence
  Possible Symptoms
  Workaround or Resolution
  Patches
  Modification History
  References


Applies to:

OpenSolaris Operating System - Version: All Versions and later   [Release: and later ]
Sun Software > Operating Systems > Solaris Operating System
All Platforms

Description

Multiple security vulnerabilities have been identified in BIND DNSSEC bundled with Solaris:

1. An authentication security vulnerability in named(1M) may allow a remote unprivileged user to cause named(1M) to return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts or services.

This issue is also referenced in the following documents:

US-CERT Vulnerability Note VU#418861 at http://www.kb.cert.org/vuls/id/418861
CVE-2009-4022 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

2. A vulnerability in the way named(1M) handles recursive client queries may allow a remote unprivileged user to cause named(1M) to return NXDOMAIN (Non-Existent Domain) for Internet hosts, thus causing a Denial of Service (DoS) for end users of those hosts.

This issue is also referenced in the following documents:

US-CERT Vulnerability Note VU#360341 at http://www.kb.cert.org/vuls/id/360341
CVE-2010-0097 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097

and also at https://www.isc.org/advisories/CVE-2010-0097

Likelihood of Occurrence

These issues can occur in the following releases:

SPARC Platform
  • Solaris 9 without patch 112837-21
  • Solaris 10 without patch 119783-15
  • OpenSolaris based upon builds snv_01 through snv_133
x86 Platform
  • Solaris 9 without patch 114265-20
  • Solaris 10 without patch 119784-15
  • OpenSolaris based upon builds snv_01 through snv_133
Notes:

1. BIND shipped with Solaris 8 does not support DNSSEC and is therefore not impacted by this issue.

2. Only systems with the BIND named(1M) service enabled and configured as a DNSSEC-validating nameserver are impacted by this issue.  To verify if BIND is running on a system, the following command can be run:
$ pgrep named && echo 'BIND is running'
At this time, a nameserver must have trust anchors configured to be a DNSSEC-validating nameserver. Check for "trusted-keys" statements in '/etc/named.conf' and in files included by 'named.conf', as in the following example:
$ grep "trusted-keys" /etc/named.conf
3. OpenSolaris distributions may include additional bug fixes above and beyond the base build from which they were derived. The base build can be determined as follows:
$ uname -a
SunOS  phys-node-1 5.11 snv_94 i86pc i386 i86pc
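
The grep shown in note 2 reads only '/etc/named.conf' and also matches commented-out lines. The script below is an added example, not part of the original alert, that follows include statements and ignores full-line comments. The function names, the constructed sample files and the rule for resolving relative include paths (against the second argument, defaulting to the top-level file's directory) are assumptions; it expects a POSIX shell, sed and grep.

```shell
# Added example (not Sun's code): find active trusted-keys statements in a
# named.conf and in every file it includes.

# Drop full-line // and # comments (block comments are not handled).
active_lines() {
    sed -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' "$1"
}

# Print FILE ($1) and every file reachable through include "path"; statements.
# $2 = base directory for relative include paths (assumed; the default is the
# top-level file's directory), $3 = remaining depth, which stops include loops.
conf_files() {
    [ -r "$1" ] && [ "${3:-8}" -gt 0 ] || return 0
    printf '%s\n' "$1"
    active_lines "$1" |
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' |
    while IFS= read -r inc; do
        case $inc in /*) ;; *) inc="$2/$inc" ;; esac
        conf_files "$inc" "$2" $(( ${3:-8} - 1 ))
    done
}

# Print each reachable file that holds an active trusted-keys statement.
trust_anchor_files() {
    conf_files "$1" "${2:-$(dirname "$1")}" 8 |
    while IFS= read -r f; do
        if active_lines "$f" | grep -q 'trusted-keys'; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: the main file only has a commented-out statement; the
# active trust anchor (placeholder key data) lives in an included file.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/keys"
    cat > "$d/named.conf" <<'EOF'
// trusted-keys { "old.example." 257 3 5 "PLACEHOLDER"; };
include "keys/anchors.conf";
EOF
    printf 'trusted-keys {\n  "example." 257 3 5 "PLACEHOLDER";\n};\n' \
        > "$d/keys/anchors.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
trust_anchor_files "$sample/named.conf"
rm -rf "$sample"
```

On a real system, run trust_anchor_files /etc/named.conf; empty output means no active trust anchor was found in the files it could read.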

Possible Symptoms

There are no predictable symptoms that would indicate the described issues have occurred.

Workaround or Resolution

These issues are addressed in the following releases:

SPARC Platform
  • Solaris 9 with patch 112837-21 or later
  • Solaris 10 with patch 119783-15 or later
  • OpenSolaris based upon builds snv_133 or later
x86 Platform
  • Solaris 9 with patch 114265-20 or later
  • Solaris 10 with patch 119784-15 or later
  • OpenSolaris based upon builds snv_133 or later

For more information on Security Sun Alerts, see Document ID: 1009886.1

Patches

119783-15
119784-15
112837-21
114265-20

Modification History

03-Mar-2010: Updated Contributing Factors and Resolution sections - OpenSolaris
10-Mar-2010: Updated Contributing Factors and Resolution sections for Solaris 10 patches
07-Jun-2010: Updated Contributing Factors and Resolution sections for Solaris 9 patches, issue is Resolved

References

PATCH:112837-21
PATCH:114265-20
SUNPATCH:119783-15
SUNPATCH:119784-15
