CVE-2023-50387 – bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator
https://notcve.org/view.php?id=CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. Ciertos aspectos DNSSEC del protocolo DNS (en RFC 4035 y RFC relacionados) permiten a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de una o más respuestas DNSSEC cuando hay una zona con muchos registros DNSKEY y RRSIG, también conocido como "KeyTrap". " asunto. La especificación del protocolo implica que un algoritmo debe evaluar todas las combinaciones de registros DNSKEY y RRSIG. Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled. • https://github.com/knqyf263/CVE-2023-50387 http://www.openwall.com/lists/oss-security/2024/02/16/2 http://www.openwall.com/lists/oss-security/2024/02/16/3 https://access.redhat.com/security/cve/CVE-2023-50387 https://bugzilla.suse.com/show_bug.cgi?id=1219823 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 https://kb.isc.org/docs/cve-2023-50387 https://lists • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-46317
https://notcve.org/view.php?id=CVE-2023-46317
Knot Resolver before 5.7.0 performs many TCP reconnections upon receiving certain nonsensical responses from servers. Knot Resolver anterior a 5.7.0 realiza muchas reconexiones TCP al recibir ciertas respuestas sin sentido de los servidores. • https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1448 https://www.knot-resolver.cz/2023-08-22-knot-resolver-5.7.0.html •
CVE-2023-26249
https://notcve.org/view.php?id=CVE-2023-26249
Knot Resolver before 5.6.0 enables attackers to consume its resources, launching amplification attacks and potentially causing a denial of service. Specifically, a single client query may lead to a hundred TCP connection attempts if a DNS server closes connections without providing a response. • https://www.knot-resolver.cz/2023-01-26-knot-resolver-5.6.0.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-40188
https://notcve.org/view.php?id=CVE-2022-40188
Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets. Knot Resolver versiones anteriores a 5.5.3, permite a atacantes remotos causar una denegación de servicio (consumo de CPU) debido a una complejidad del algoritmo. Durante un ataque, un servidor autoritativo debe devolver grandes conjuntos de NS o conjuntos de direcciones. • https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558 https://lists.debian.org/debian-lts-announce/2022/10/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG • CWE-407: Inefficient Algorithmic Complexity •
CVE-2022-32983
https://notcve.org/view.php?id=CVE-2022-32983
Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters. Knot Resolver versiones hasta 5.5.1, puede permitir el envenenamiento de la caché DNS cuando intenta limitar las acciones de reenvío mediante filtros • https://github.com/CZ-NIC/knot-resolver/commit/ccb9d9794db5eb757c33becf65cb1cf48ecfd968 https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#forwarding • CWE-290: Authentication Bypass by Spoofing •