DUPLICATE of Sun Alert 239392 - Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6702096
|
| Product : | Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris
|
| Date of Workaround Release : | 28-Jul-2008
|
| Date of Resolved Release : | 08-Aug-2008
|
DUPLICATE of Sun Alert 239392 - Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning
1. Impact
This Sun Alert is a DUPLICATE to Sun Alert
239392,
originally issued July 8th, 2008 as an Update.
A security vulnerability in the DNS protocol may allow remote
unprivileged
users to cause named(1M) to return incorrect addresses for Internet
hosts, thereby redirecting end users to unintended hosts or services.
This issue is also referenced in the following documents:
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 8 without patch 109326-23
- Solaris 9 without patch 112837-15
- Solaris 10 without patch 119783-06
- OpenSolaris based upon builds snv_01 through snv_94
x86 Platform
- Solaris 8 without patch 109327-23
- Solaris 9 without patch 114265-14
- Solaris 10 without patch 119784-06
- OpenSolaris based upon builds snv_01 through snv_94
OpenSolaris distributions may include additional bug fixes above and
beyond the base build from which it was derived. The base build can be
derived as follows:
$ uname -a
SunOS phys-node-1 5.11 snv_94 i86pc i386 i86pc
Only systems with the BIND named(1M) service enabled are impacted by
this issue. To verify if BIND is running on a system, the following
command can be used:
$ ps -e | grep in.named && echo "BIND is running
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has occurred.
4. Workaround
Please refer to section III, "Solution", of
CERT VU#800113, in
particular the following headings: "Restrict access", "Filter traffic
at network perimeters" and Disable recursion:
http://www.kb.cert.org/vuls/id/800113
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 8 with patch 109326-23 or later
- Solaris 9 with patch 112837-15 or later
- Solaris 10 with patch 119783-06 or later
- OpenSolaris based upon builds snv_95 or later
x86 Platform
- Solaris 8 with patch 109327-23 or later
- Solaris 9 with patch 114265-14 or later
- Solaris 10 with patch 119784-06 or later
- OpenSolaris based upon builds snv_95 or later
Note 1: The above patches implement mitigation strategies within
the
implementation of the DNS protocol, specifically source port
randomization and query ID randomization making BIND 9 more resilient
to an attack. It does not, however, completely remove the possibility
of exploitation of this issue.
The full resolution is for DNS Security Extensions (DNSSEC) to be
implemented Internet-wide. DNS zone administrators should start signing
their zones.
If your site's parent DNS zone is not signed you can register with the
ISC's DNSSEC Look-aside Validation (DLV) registry at the following URL:
https://secure.isc.org/ops/dlv/
Further details on configuring your DNA zones for DNSSEC is available
from the ISC at the following URL:
http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
Note 2: BIND as provided with Solaris 8 is not DNSSEC capable
and thus Sun
recommends
updating Solaris 8 systems acting as DNS servers to Solaris 10
or later.
Note 3: After installation of the above mentioned patches the
named(1M)
configuration file, by default /etc/named.conf, MUST not have the
"query-source" or "query-source-v6" option configured. These options
instruct the name server to use only the port configured for outbound
queries which means the source port will not be randomized. When
disabling these options note that some firewall configuration may be
necessary to allow the name server to work though the firewall.
For more information
on Security Sun Alerts, see Technical
Instruction
ID 213557.
This Sun Alert
notification is being provided to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems,
Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History08-Jul-2008: Originally released as Sun Alert 239392
15-Jul-2008: Updated Workaround and Resolution sections
17-Jul-2008: Updated Workaround section
28-Jul-2008: Updated version of 239392 released as Sun Alert 240048
08-Aug-20-08: Updated Contributing Factors and Resolution sections, DUPLICATE of original Sun Alert 239392 for this issue; now Resolved
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
