[Sec-cert] [Sun] UPDATE: Vulnerability in the BIND name server - Sun Alert 273169

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Mon Jan 25 12:33:41 CET 2010


Dear colleagues,

we have just received the following Sun Security Advisory. We are
forwarding this information to you unchanged.

Please note that this is an update of the advisory, concerning the
following changes:

  With this update, Sun announces the availability of corrected
  OpenSolaris versions.


CVE-2009-4022 / Sun Bug ID 6902912 - Vulnerability in BIND allows cache
poisoning

  Under certain circumstances, the BIND name server accepts data from
  the Additional Section of a DNS response into its cache without
  subjecting that data to DNSSEC validation, even though validation is
  enabled. This happens when a recursive client query with the Checking
  Disabled (CD) flag is processed at the same time as a query for and
  validation of DNSSEC records (DO) on behalf of clients. A remote
  attacker can exploit this vulnerability for cache poisoning attacks
  against the name server.

The following software packages and platforms are affected:

  Program named(1M)

  SPARC platform
  * Solaris 9 without interim fix IDR143418-01
  * Solaris 10 without interim fix IDR143416-01
  * OpenSolaris before build snv_131

  x86 platform
  * Solaris 9 without interim fix IDR143417-01
  * Solaris 10 without interim fix IDR143415-01
  * OpenSolaris before build snv_131

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-273169-1


(c) of the German summary: DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the
author, DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
		Klaus Moeller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen"    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

Alert URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-273169-1
Sun Security Alert: 273169

   Security Vulnerability in BIND DNS Software Shipped With Solaris May
   Allow DNS Cache Poisoning
    __________________________________________________________________

   Category : Security
   Release Phase : Workaround
   Bug Id : 6902912
   Product : Solaris 9 Operating System
             Solaris 10 Operating System
             OpenSolaris
   Date of Workaround Release : 24-Nov-2009

A security vulnerability in the BIND DNS software shipped with Solaris:

   1. Impact
   A security vulnerability in the BIND DNS software shipped with Solaris
   may allow a remote user who is able to perform recursive queries to
   cause a server that is configured to support DNSSEC validation and
   recursive client queries to return incorrect addresses for Internet
   hosts, thereby redirecting end users to unintended hosts or services.

   This issue is also mentioned in the following documents:
     * https://www.isc.org/node/504
     * CVE-2009-4022 at:
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
     * CERT VU#418861 at: http://www.kb.cert.org/vuls/id/418861

   2. Contributing Factors
   This issue can occur in the following releases:
   SPARC Platform
     * Solaris 9
     * Solaris 10
     * OpenSolaris based upon builds snv_01 through snv_130

   x86 Platform
     * Solaris 9
     * Solaris 10
     * OpenSolaris based upon builds snv_01 through snv_130

   Note 1: BIND shipped with Solaris 8 does not support DNSSEC and is
   therefore not impacted by this issue.
   Note 2: Only systems with the BIND named(1M) service enabled are
   impacted by this issue. To verify if BIND is running on a system, the
   following command can be used:
   $ pgrep named && echo "BIND is running"

   Note 3: OpenSolaris distributions may include additional bug fixes
   above and beyond the build from which it was derived. To determine the
   base build of  OpenSolaris, the following command can be used:
    $ uname -v
    snv_86


   3. Symptoms
   There are no predictable symptoms that would indicate the described
   issue has occurred.

   4. Workaround
   As recursive queries are required to exploit this issue, it is possible
   to reduce the likelihood of exploitation by using the "allow-recursion"
   option in the "/etc/named.conf" file to restrict the list of hosts that
   can perform these queries.

   In addition, this issue can be prevented by disabling DNSSEC
   functionality. This can be done by setting "dnssec-enable" to "no" in
   "/etc/named.conf". Note this may affect the security of DNS
   transactions as the facilities provided by DNSSEC will no longer be
   available.

   For Solaris 10 and OpenSolaris, once the configuration file has been
   altered, the DNS service must be restarted by running the svcadm(1)
   command as follows:
    # svcadm -v enable svc:/network/dns/server:default
    svc:/network/dns/server:default enabled

   followed by:
    # svcadm -v restart svc:/network/dns/server:default
    Action restart set for svc:/network/dns/server:default
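
An added example (not part of the Sun advisory): a shell check that reports whether a named.conf carries the two workarounds from section 4, an explicit "allow-recursion" list that does not contain "any" and "dnssec-enable no". The sample files, the ACL name "internal" and the function names are constructed for illustration.

```shell
# Drop //, # and one-line /* */ comments so a commented-out option
# is not mistaken for an active one.
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' -e 's:/\*.*\*/::g' "$1"
}

# Succeeds only if allow-recursion is present and does not list "any".
recursion_restricted() {
    acl=$(strip_comments "$1" | tr '\n' ' ' |
          sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p')
    [ -n "$acl" ] || return 1
    case " $(printf '%s' "$acl" | tr ';"' '  ') " in
        *" any "*) return 1 ;;
    esac
    return 0
}

# Succeeds if dnssec-enable is explicitly set to no.
dnssec_disabled() {
    strip_comments "$1" | tr '\n' ' ' |
        grep -Eq 'dnssec-enable[[:space:]]+"?no"?[[:space:]]*;'
}

# "unrestricted" means: no explicit restriction found in the file.
audit() {
    r=unrestricted; d=on
    recursion_restricted "$1" && r=restricted
    dnssec_disabled "$1" && d=off
    echo "recursion=$r dnssec=$d"
}

# Constructed sample files (not taken from the advisory).
tmp=$(mktemp -d)
cat > "$tmp/before.conf" <<'EOF'
options {
    // allow-recursion { 192.0.2.0/24; };  (commented out: inactive)
    dnssec-enable yes;
};
EOF
cat > "$tmp/after.conf" <<'EOF'
acl "internal" { 127.0.0.1; 192.0.2.0/24; };
options {
    allow-recursion { "internal"; };
    dnssec-enable no;   # trade-off: DNSSEC validation is lost
};
EOF
audit "$tmp/before.conf"   # recursion=unrestricted dnssec=on
audit "$tmp/after.conf"    # recursion=restricted dnssec=off
```

Run it against a copy of "/etc/named.conf" with `audit /path/to/copy`; the comment stripping covers only single-line comments.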

   In addition, Interim Security Relief (ISR) is available from
   http://sunsolve.sun.com/tpatches for the following releases:
   SPARC Platform
     * Solaris 9 IDR143418-01
     * Solaris 10 IDR143416-01

   x86 Platform
     * Solaris 9 IDR143417-01
     * Solaris 10 IDR143415-01

   Note: This document refers to one or more Interim Security Relief
   (ISRs) which are designed to address the concerns identified herein.
   Sun has limited experience with these (ISRs) due to their interim
   nature. As such, you should only install the ISRs on systems meeting
   the configurations described above. Sun may release full patches at a
   later date, however, Sun is under no obligation whatsoever to create,
   release, or distribute any such patch.

   5. Resolution
   This issue is addressed in the following releases:
   SPARC Platform
     * OpenSolaris based upon builds snv_131 or later

   x86 Platform
     * OpenSolaris based upon builds snv_131 or later

   A final resolution is pending completion.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
   ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
   OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
   Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.

   Modification History
   22-Jan-2010: Updated Contributing Factors and Resolution sections.
