The Third Party Vulnerability Resolution Blog covers CVEs and patches in Systems product suite.

Sun Alert 250846 Security Vulnerability in Solaris BIND named(1M) due to Incorrect DNSSEC Signature Verification

Guest Author
Product: Solaris 9 Operating System, Solaris 10 Operating System, OpenSolaris

An insufficient validation vulnerability in named(1M), caused by incorrect processing of the return values of the OpenSSL library functions "EVP_VerifyFinal()" and "DSA_do_verify()", may allow a remote unprivileged user to trick named(1M) into accepting DNSSEC signatures that should not have passed validation, and subsequently to forge DNS responses and redirect Internet services.
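The return-value handling described above, shown as an added example that is not code from BIND, OpenSSL or Sun: a lenient check beside a strict one. The stub verifier, its toy length-prefixed framing, and all names and sample bytes are constructed assumptions; only the 1 / 0 / -1 return convention is taken from the OpenSSL functions named in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the verify call (hypothetical, not OpenSSL code).
 * It follows the documented convention of EVP_VerifyFinal() and
 * DSA_do_verify(): 1 = valid signature, 0 = invalid signature, -1 = error. */
static int stub_verify(const unsigned char *sig, size_t len,
                       const unsigned char *want, size_t wantlen)
{
    /* Toy framing: sig[0] must equal the number of bytes that follow it. */
    if (sig == NULL || len < 1 || (size_t)sig[0] != len - 1)
        return -1;                  /* input could not be processed */
    if (len - 1 != wantlen || memcmp(sig + 1, want, wantlen) != 0)
        return 0;                   /* well-formed, but does not verify */
    return 1;                       /* well-formed and verifies */
}

/* Flawed caller: only 0 is treated as failure, so -1 is accepted. */
int accept_lenient(const unsigned char *sig, size_t len,
                   const unsigned char *want, size_t wantlen)
{
    if (!stub_verify(sig, len, want, wantlen))
        return 0;
    return 1;
}

/* Hardened caller: anything other than an explicit 1 is rejected. */
int accept_strict(const unsigned char *sig, size_t len,
                  const unsigned char *want, size_t wantlen)
{
    return stub_verify(sig, len, want, wantlen) == 1;
}

/* Constructed sample inputs. */
const unsigned char WANT[]          = { 0xde, 0xad, 0xbe, 0xef };
const unsigned char SIG_GOOD[]      = { 4, 0xde, 0xad, 0xbe, 0xef };
const unsigned char SIG_WRONG[]     = { 4, 0x00, 0x00, 0x00, 0x00 };
const unsigned char SIG_MALFORMED[] = { 9, 0xde, 0xad };  /* bad length byte */

int main(void)
{
    printf("malformed: lenient=%d strict=%d\n",
           accept_lenient(SIG_MALFORMED, sizeof SIG_MALFORMED, WANT, sizeof WANT),
           accept_strict(SIG_MALFORMED, sizeof SIG_MALFORMED, WANT, sizeof WANT));
    return 0;
}
```

The two callers agree on valid and plainly invalid signatures and differ only on the error return, which is why this class of bug passes ordinary functional testing.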

Sun acknowledges, with thanks, the Google Security Team (for the original OpenSSL issue), Florian Weimer for spotting that BIND was vulnerable, and the ISC for bringing this issue to our attention.

This issue is also referenced in the following documents:
State: Resolved
First released: 27-Jan-2009
