Summary
Document ID: KM02992241 (c01038033)
Version: 1
Release Date: 2003-08-07
Last Updated: 2007-04-26
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
HP-UX, Tru64 and NonStop hosts that use DNS are subject to a security vulnerability in the form of a remote Denial of Service (DoS). DNS requests could be caused to resolve to an incorrect host.
References: CERT VU#457875
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX, HP Tru64 UNIX and HP NonStop systems may be affected by this vulnerability if they run a BINDv4 name server that is configured to both support recursive requests and cache the responses to DNS requests made by untrusted systems.
HP-UX 10.0*, 11.0
HP NonStop Server running Domain Name Service (T6021 NAMED) in the TCP/IP subsystem on both G06 and D48 versions of the operating system
HP OpenVMS ( Research continues )
Tru64 V4.0F, V4.0G
BACKGROUND
For a PGP signed version of this security bulletin please write to: security-alert@hp.com
When a bind name server receives a client request to resolve a host name or IP address, and is unable to resolve the request locally, it sends the request to another name server and waits for a response. In BINDv4, multiple client requests for the same domain name generate multiple requests, with multiple responses expected. This increases the probability that an attacker will be able to generate a malicious response that will be accepted as valid, thus compromising the information stored in the name server's cache and potentially causing clients to be misdirected to hostile or compromised hosts.
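The fan-out described above can be quantified. The following Python is an added example, not part of the HP bulletin; it assumes that a forged reply is accepted when its 16-bit transaction ID matches any query still outstanding for that name (the bulletin does not state the ID width), and compares a server that issues one upstream query per name against one that issues one per client request, as the bulletin describes for BINDv4.

```python
# Added example (not from the HP bulletin): exposure model for the BINDv4 fan-out.
# Assumption: a forged reply is accepted if its 16-bit transaction ID matches
# the ID of any query still outstanding for that name; the bulletin does not
# state the ID width, and the model ignores source-port and ordering details.

ID_SPACE = 1 << 16  # 16-bit DNS message ID (assumption)


def match_probability(outstanding: int, forged: int, id_space: int = ID_SPACE) -> float:
    """Probability that at least one of `forged` distinct spoofed replies
    carries an ID equal to one of `outstanding` distinct IDs in flight.

    P(no match) = C(id_space - outstanding, forged) / C(id_space, forged),
    computed as a running product to avoid huge intermediate integers.
    """
    if outstanding <= 0 or forged <= 0:
        return 0.0
    if outstanding + forged > id_space:
        return 1.0  # pigeonhole: some ID must collide
    p_no_match = 1.0
    for i in range(forged):
        p_no_match *= (id_space - outstanding - i) / (id_space - i)
    return 1.0 - p_no_match


def exposure(client_requests: int, forged: int) -> dict:
    """Compare two resolver behaviours for the same client load and forged-reply budget:

    - coalesced: one upstream query per name regardless of how many clients ask
      (a single outstanding ID);
    - per_request: one upstream query per client request, as the bulletin
      describes for BINDv4 (client_requests outstanding IDs, any of which may match).
    """
    coalesced = match_probability(1, forged)
    per_request = match_probability(client_requests, forged)
    return {
        "coalesced": coalesced,
        "per_request": per_request,
        "ratio": per_request / coalesced if coalesced else float("inf"),
    }


if __name__ == "__main__":
    # Same forged-reply budget; only the number of outstanding queries changes.
    for n in (1, 10, 100, 1000):
        e = exposure(n, forged=1000)
        print(f"outstanding={n:5d}  coalesced={e['coalesced']:.4f}  "
              f"per_request={e['per_request']:.4f}  x{e['ratio']:.1f}")
```

The ratio column shows why restricting recursion to trusted clients matters: an untrusted client that cannot trigger many outstanding queries cannot raise the server's exposure above the single-query case.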
RESOLUTION
Recommended Workarounds
If you are running a BINDv4 name server configured to respond to recursive requests from untrusted systems, either reconfigure it to disable recursion, or make it inaccessible to untrusted systems.
HP-UX Recommended Workaround
To disable recursion, add the following line to /etc/namedb/named.conf:
options no-recursion
Tru64 Recommended Workarounds
To disable recursion, add the following line to /etc/namedb/named.boot:
options no-recursion
Note: Because ISC deprecates the use of BINDv4, HP recommends upgrading to a later version of BIND where possible. HP will be providing an updated BIND for HP Tru64 UNIX V4.0x systems at a later date.
To make the system inaccessible to untrusted systems, see the traffic filtering recommendations in the CERT publication "Securing an Internet Name Server", available at: http://www.cert.org/archive/pdf/dns.pdf
In order for BIND clients to reference hosts outside of your domain, they must be able to access some name server that can perform recursive requests safely. If your BINDv4 name server is the primary name server for your domain and you do not choose to move the database, HP recommends that you set up a BINDv8 name server as a slave of the BINDv4 name server -- see the bindsetup utility. Use the original name server's IP address for the BINDv8 name server so that no edit is required on clients. The clients will then receive their local information from the BINDv8 server and will be able to query recursively through it safely. The BINDv4 system is protected because it no longer performs recursion.
HP NonStop Server Recommended Workarounds
If you are running a Domain Name Service (T6021) configured to respond to recursive requests from untrusted systems, make it inaccessible to untrusted systems.
HISTORY
Revision: 0 (rev.0) - 7 August 2003 Initial release
Version: 1 (rev.1) - 19 May 2005 Reformatted
Version: 2 (rev.2) - 26 April 2007 Reformatted
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."