Note: This is an archival copy of Security Sun Alert 201238 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000924.1.
Category: Security
Release Phase: Resolved
Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
Bug Id: 4777715
Date of Workaround Release: 20-NOV-2002
Date of Resolved Release: 28-FEB-2003

Impact

Vulnerabilities in the in.named(1M) daemon and the libresolv(3lib) library may allow a local or remote unprivileged user to:

VU#844360: execute arbitrary code with the privileges of an application which calls the vulnerable libresolv(3lib) function

VU#852283: execute arbitrary code with the privileges of the in.named(1M) daemon (normally root)

VU#581682 and VU#229595: disrupt the operation of the DNS server, possibly causing in.named(1M) to SEGV (see manual page for signal.h(3HEAD))
These issues are described in CERT Vulnerability Notes VU#844360, VU#852283, VU#229595 and VU#581682 (see http://www.kb.cert.org/vuls/), which are referenced in CERT Advisory CA-2002-31 (see http://www.cert.org/advisories/CA-2002-31.html). These issues are also described at http://www.isc.org/products/BIND/bind-security.html and http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
Contributing Factors

This issue can occur in the following releases:

SPARC Platforms
x86 Platforms
Note 1: VU#844360 affects Solaris 2.5.1 and 2.6 only. VU#852283 affects Solaris 7, 8, and 9 only. VU#581682 affects Solaris 7, 8, and 9 only. VU#229595 affects Solaris 9 only.

Note 2: Only Solaris 2.5.1 and 2.6 are affected by VU#844360. These systems are only vulnerable to VU#844360 if they are configured to use DNS, the Domain Name System, as the host name resolution service in nsswitch.conf(4M), as in the following example:

    $ grep dns /etc/nsswitch.conf
    hosts: nisplus dns [NOTFOUND=return] files

Additionally, applications independently linked to /usr/lib/libresolv.so are also vulnerable:

    $ /bin/ldd dig | grep libresolv
    libresolv.so.2 => /usr/lib/libresolv.so.2

Note 3: Applications statically linked to a static resolver library libresolv.a are also vulnerable to VU#844360 if the libresolv.a came from BIND 4.9.2 through 4.9.10. If this is the case, then it will be necessary to obtain an application upgrade or patch from the application vendor. A static resolver library (libresolv.a) is not supplied with the Solaris Operating Environment.

Note 4: Solaris 7, 8, and 9 systems are vulnerable to VU#852283, VU#581682 and VU#229595 only if they are configured as a DNS server, which is indicated by the presence of the file /etc/named.conf. For example:

    $ ls -l /etc/named.conf
    -rw-r--r-- 1 root staff 218 Oct 3 2002 /etc/named.conf
Symptoms

VU#844360 and VU#852283: There are no predictable symptoms that would show these issues have been exploited to execute arbitrary code on a vulnerable system.

VU#581682 and VU#229595: The in.named(1M) process may SEGV, resulting in a file named "core" in the directory specified by the 'directory' setting in the options section of the /etc/named.conf file. Running file(1) on the 'core' file will reference in.named(1M), similar to the following example:

    # file `awk -F\" '/directory/ {print $2}' /etc/named.conf`/core
    /var/named/core: ELF 32-bit MSB core file SPARC Version 1, from 'in.named'
Workaround

VU#844360: No workaround is available.

VU#852283, VU#581682 and VU#229595: A potential workaround for systems running in.named(1M) which do not require recursion and respond to DNS requests made by untrusted systems is to disable recursion. This can be done by adding 'recursion no' to the options section of /etc/named.conf:

    options {
        recursion no;
    };

Note: With recursion disabled, in.named can only supply answers from the information loaded at startup as specified in the in.named configuration file; see in.named(1M).

For sites using in.named(1M) which cannot disable recursion, there is an interim workaround available of filtering TCP port 53 at all appropriate network perimeters.

Resolution

This issue is addressed in the following releases:

SPARC Platforms
x86 Platforms
Note: Solaris 2.5.1 will require an upgrade to a later release with appropriate patches.
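
The conditions in Notes 1 through 4 and the 'recursion no' workaround can be checked in one pass. The shell sketch below is an added example, not part of the Sun Alert: its function names and report wording are assumptions, the sample files written by demo() are constructed, and it does not inspect patch levels.

```sh
#!/bin/sh
# Added example (not from the Sun Alert): triage per Notes 1-4 and the Workaround.
# Function names and report wording are assumptions of this example.

# Note 2: does the hosts: entry in nsswitch.conf list dns?
hosts_uses_dns() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
         END { exit !found }' "$1" 2>/dev/null
}

# Workaround: is "recursion no;" present in named.conf? Simplified: strips
# // and # comments only and does not confirm it sits in the options block.
recursion_disabled() {
    sed -e 's://.*::' -e 's/#.*//' "$1" 2>/dev/null |
        tr -s ' \t\n' '   ' | grep 'recursion no *;' >/dev/null
}

# assess RELEASE NSSWITCH NAMED_CONF: one line per applicable Vulnerability Note.
# RELEASE is `uname -r` output (SunOS 5.6 is Solaris 2.6, 5.7-5.9 are Solaris 7-9).
assess() {
    case "$1" in
    5.5.1|5.6)      # Notes 1-2: resolver library issue only
        if hosts_uses_dns "$2"; then
            echo "VU#844360: applies (hosts: uses dns)"
        else
            echo "VU#844360: hosts: does not use dns; check ldd output for libresolv"
        fi ;;
    5.7|5.8|5.9)    # Notes 1 and 4: in.named issues, DNS servers only
        [ -f "$3" ] || return 0
        vus="VU#852283 VU#581682"
        if [ "$1" = 5.9 ]; then vus="$vus VU#229595"; fi
        if recursion_disabled "$3"; then state="recursion disabled (workaround set)"
        else state="recursion enabled (workaround not set)"; fi
        for v in $vus; do echo "$v: $state"; done ;;
    esac
}

# Constructed sample input, mirroring the advisory's own snippets.
demo() {
    d=$(mktemp -d) || return 1
    echo 'hosts: nisplus dns [NOTFOUND=return] files' > "$d/nsswitch.conf"
    printf 'options {\n\tdirectory "/var/named";\n\trecursion no;\n};\n' > "$d/named.conf"
    assess 5.6 "$d/nsswitch.conf" "$d/named.conf"
    assess 5.9 "$d/nsswitch.conf" "$d/named.conf"
    rm -rf "$d"
}
demo
```

On a live host the call would be `assess "$(uname -r)" /etc/nsswitch.conf /etc/named.conf`; a release outside the advisory's list produces no output.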
Modification History

Date: 28-FEB-2003
References

109326-10 109327-10 105756-13 105755-13 106938-07 112970-03 106939-07 114354-01

Attachments

This solution has no attachment