Security Vulnerability in Solaris BIND named(1M) due to Incorrect DNSSEC Signature Verification

---

Security vulnerability in Solaris BIND named(1M) due to incorrect DNSSEC signature verification:

1. Impact

An insufficient validation vulnerability in named(1m) due to incorrectly processing the return value of OpenSSL library functions "EVP_VerifyFinal()" and "DSA_do_verify()" may allow a remote unprivileged user to trick named(1m) into believing DNSSEC signatures that should not have passed validation, and subsequently forge DNS responses and redirect Internet services.

Sun acknowledges with thanks, Google Security Team (for the original OpenSSL issue),  Florian Weimer for spotting that BIND was vulnerable and the ISC for for bringing this issue to our attention.

This issue is also referenced in the following documents:

• CVE-2009-0025 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
• https://www.isc.org/node/389
  

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

• Solaris 9 with patch 112837-15 and without patch 112837-17
• Solaris 10 without patch 119783-09
  
• OpenSolaris based upon builds snv_01 through snv_106

x86 Platform

• Solaris 9 with patch 114265-14 and without patch 114265-16
• Solaris 10 without patch 119784-09
• OpenSolaris based upon builds snv_01 through snv_106
  

Note 1: Solaris 8 is not impacted by this issue as it does not support DNSSEC.

Note 2: This issue only occurs on systems that are running BIND 9 where the named(1M) version is less than and not equal to 9.3.6-P1, and the service is running and accepting DNSSEC responses using the DNSKEY algorithms DSA(3).

To determine if a system meets the above criteria, execute the following commands:

1. Determine if Sun's BIND server is installed and if the version is affected:

Solaris 9 Systems:

    # pkginfo SUNWinamd || echo "BIND server not installed"
    # /usr/lib/dns/named -v

Solaris 10 Systems and OpenSolaris:

    # pkginfo SUNWbind || echo "BIND server not installed"
    # /usr/sbin/named -v

2. Determine if BIND is configured and enabled by checking for the following process:

    # ps -e | grep named && echo "BIND is running"

3. Determine if BIND is configured to use DNSSEC:

    # grep -i "dnssec-enable.*yes" /etc/named.conf

4. Determine that BIND is accepting DSA-only signed responses:

    # grep -i "disable-algorithms.*dsa" /etc/named.conf

Note: Points 3 and 4 above should be confirmed by carefully checking the configuration file as it is possible that the lines are actually commented out.

3. Symptoms

There are no predictable symptoms that would indicate the described issue has occurred.

4. Workaround

To workaround the described issue, disable the compromised algorithm in named.conf by adding the following line:

    disable-algorithms . { DSA; };

This will cause answers from zones signed only with DSA (3) to be treated as insecure.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 9 with patch 112837-17 or later
  
• Solaris 10 with patch 119783-09 or later
  
• OpenSolaris based upon builds snv_107 or later
  

x86 Platform

• Solaris 9 with patch 114265-16 or later
• Solaris 10 with patch 119784-09 or later
  
• OpenSolaris based upon builds snv_107 or later

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


Modification History

11-Feb-2009: Updated the Contributing Factors and Resolution sections.
13-Mar-2009: Updated the Contributing Factors and Resolution sections. Resolved.

Attachments

This solution has no attachment