Note: This is an archival copy of Security Sun Alert 273169 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021660.1.
Article ID : 1021660.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-06-22
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in BIND DNS Software Shipped With Solaris May Allow DNS Cache Poisoning

Category
Security

Release Phase
Resolved

Bug Id
SUNBUG: 6902912

Product
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
24-Nov-2009
Date of Resolved Release
11-Jun-2010

A security vulnerability in the BIND DNS software shipped with Solaris:

1. Impact

A security vulnerability in the BIND DNS software shipped with Solaris may allow a remote user who is able to perform recursive queries to cause a server that is configured to support DNSSEC validation and recursive client queries to return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts or services.

This issue is also mentioned in the following documents:

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 9 without patch 112837-21
  • Solaris 10 without patch 119783-14
  • OpenSolaris based upon builds snv_01 through snv_130
x86 Platform
  • Solaris 9 without patch 114265-20
  • Solaris 10 without patch 119784-14
  • OpenSolaris based upon builds snv_01 through snv_130
Note 1: BIND shipped with Solaris 8 does not support DNSSEC and is therefore not impacted by this issue.

Note 2: Only systems with the BIND named(1M) service enabled are impacted by this issue. To verify if BIND is running on a system, the
following command can be used:
 $ pgrep named && echo "BIND is running"
Note 3: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of  OpenSolaris, the following command can be used:
 $ uname -v
 snv_86

3. Symptoms



There are no predictable symptoms that would indicate the described
issue has occurred.



4. Workaround



As recursive queries are required to exploit this issue, it is possible
to reduce the likelihood of exploitation by using the "allow-recursion"
option in the "/etc/named.conf" file to restrict the list of hosts that
can perform these queries.



In addition, this issue can be prevented by disabling DNSSEC
functionality. This can be done by setting "dnssec-enable" to "no" in

"/etc/named.conf". Note this may affect the security of DNS
transactions as the facilities provided by DNSSEC will no longer be
available.



For Solaris 10 and OpenSolaris, once the configuration file has been
altered, the DNS service must be restarted by running the svcadm(1)
command as follows:


 # svcadm -v enable svc:/network/dns/server:default
 svc:/network/dns/server:default enabled

followed by:


 # svcadm -v restart svc:/network/dns/server:default
 Action restart set for svc:/network/dns/server:default

5. Resolution



This issue is addressed in the following releases:



SPARC Platform


    

  • Solaris 9 with patch 112837-21 or later
    

    • 

  • Solaris 10 with patch 119783-14 or later
    

    • 

  • OpenSolaris based upon builds snv_131 or later
    • 


x86 Platform


    

  • Solaris 9 with patch 114265-20 or later
    

    • 

  • Solaris 10 with patch 119784-14 or later
    

    • 

  • OpenSolaris based upon builds snv_131 or later
    • 


Modification History

22-Jan-2010: Updated Contributing Factors and Resolution sections.

31-Mar-2010: Updated Contributing Factors and Resolution sections.

11-Jun-2010: Updated Contributing Factors and Resolution sections.
Resolved.

22-Jun-2010: Republished to correct visibility



References

 112837-21

 114265-20

 119783-14

 119784-14

 112837-21

 114265-20



                 



Attachments
This solution has no attachment