Note: This is an archival copy of Security Sun Alert 245206 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019756.1.
Solaris 10 Operating System
Date of Resolved Release
A security vulnerability in Solaris IP Filter (ipfilter(5)):
1. Impact
A security vulnerability in Solaris IP Filter (ipfilter(5)), when configured to provide Network Address Translation (NAT) service on DNS servers, may allow remote unprivileged users to cause named(1M) to return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts or services.
This vulnerability annuls the fix for the DNS Cache Poisoning Vulnerability described in Sun Alert 239392, because the NAT port mapping rewrites the randomised UDP source ports on which that fix relies. Sun Alert 239392 is available at:
Sun acknowledges with thanks CERT/CC for bringing this issue to our
2. Contributing Factors
This issue can occur in the following releases:
Note 2: OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived.
To determine the base build of OpenSolaris, the following command can be used:
$ uname -v
Note 3: Only OpenSolaris installations including the affected binary "/usr/sbin/sparcv9/ipnat" are impacted by this issue.
Note 4: Only systems with the BIND named(1M) service enabled and using IPFilter's Network Address Translation service are impacted by this issue.
To verify if BIND is running on a system, the following command can be used:
$ ps -e | grep in.named && echo "BIND is running"
To verify if IPFilter's Network Address Translation service is in use, the following command can be used:
# ipnat -l | egrep '^map.*portmap'
If there is no output from the above command, the system is not vulnerable to this issue.
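The commands above test a live system. The following script is added here and is not part of the Sun Alert: it applies the same test to an ipnat.conf file offline, reporting whether the first map rule that matches the DNS server's outbound UDP/53 traffic carries portmap, which also checks the rule ordering that the two-rule workaround in the Relief/Workaround section depends on. The sample configurations, the DNS server address 192.168.1.53 and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed ipnat.conf samples using the advisory's example interface and subnet:
# the single portmap rule given as the vulnerable case, and the two-rule workaround.
VULNERABLE_CONF = "map bge0 192.168.1.0/24 -> 0/32 portmap tcp/udp 5000:50000\n"
FIXED_CONF = (
    "map bge0 from 192.168.1.0/24 to any port = 53 -> 0/32 tcp/udp\n"
    "map bge0 192.168.1.0/24 -> 0/32 portmap tcp/udp 5000:50000\n"
)
PROTO_RE = re.compile(r"^(tcp|udp|tcp/udp)$")


def parse_map_rule(line):
    """Return (src_net, dst_port, has_portmap, protos) for a 'map' rule, else None.
    Covers both forms on the page: 'map IF SRC -> MAPPED ...' and
    'map IF from SRC to DST [port = N] -> MAPPED ...'; '#' comments are ignored."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 4 or tokens[0] != "map" or "->" not in tokens:
        return None
    arrow = tokens.index("->")
    lhs, rhs = tokens[2:arrow], tokens[arrow + 1:]
    if not lhs:
        return None
    src = lhs[1] if lhs[0] == "from" and len(lhs) > 1 else lhs[0]
    src_net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    port = re.search(r"port\s*=\s*(\d+)", " ".join(lhs))  # destination port filter
    dst_port = int(port.group(1)) if port else None
    # Protocol tokens such as 'tcp/udp'; a rule naming none applies to every protocol.
    protos = set().union(*(t.split("/") for t in rhs if PROTO_RE.match(t))) or {"tcp", "udp"}
    return src_net, dst_port, "portmap" in rhs, protos


def dns_source_port_rewritten(conf_text, dns_server):
    """True when the first rule matching UDP/53 traffic from dns_server uses 'portmap'.
    ipnat applies map rules first-match, so the port-53 exception protects the
    resolver's randomised source ports only if it precedes the general portmap rule."""
    dns_ip = ipaddress.ip_address(dns_server)
    for line in conf_text.splitlines():
        rule = parse_map_rule(line)
        if rule is None:
            continue
        src_net, dst_port, has_portmap, protos = rule
        if dns_ip in src_net and dst_port in (None, 53) and "udp" in protos:
            return has_portmap
    return False  # no map rule touches that traffic, so its source port is preserved
```

Run it against a copy of /etc/ipf/ipnat.conf with the address of the local named(1M) instance; a True result means the portmap rule still wins for DNS queries.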
3. Symptoms
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
4. Relief/Workaround
To work around this issue, it is possible to configure NAT to not change the port number for DNS traffic. This is done using a NAT rule in "/etc/ipf/ipnat.conf". If, for example, this file contains a NAT rule such as the following:
map bge0 192.168.1.0/24 -> 0/32 portmap tcp/udp 5000:50000
and the DNS server is in the 192.168.1.0/24 subnet, then change this rule in the configuration file to be two rules, in the following order (NAT rules are matched first-match, so the port 53 rule must come first):
map bge0 from 192.168.1.0/24 to any port = 53 -> 0/32 tcp/udp
map bge0 192.168.1.0/24 -> 0/32 portmap tcp/udp 5000:50000
5. Resolution
This issue is addressed in the following release:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.