CVE-2023-50387

bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator

  • Severity Score: 7.5 (CVSS v3.1)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side.

This vulnerability applies only for systems where DNSSEC validation is enabled.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-12-07 CVE Reserved
  • 2024-02-13 CVE Published
  • 2024-02-18 First Exploit
  • 2024-06-11 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Redhat | Enterprise Linux | 6.0 | - | Affected |
| Redhat | Enterprise Linux | 7.0 | - | Affected |
| Redhat | Enterprise Linux | 8.0 | - | Affected |
| Redhat | Enterprise Linux | 9.0 | - | Affected |
| Microsoft | Windows Server 2008 | r2 | sp1, x64 | Affected |
| Microsoft | Windows Server 2012 | - | - | Affected |
| Microsoft | Windows Server 2012 | r2 | - | Affected |
| Microsoft | Windows Server 2016 | - | - | Affected |
| Microsoft | Windows Server 2019 | - | - | Affected |
| Microsoft | Windows Server 2022 | - | - | Affected |
| Microsoft | Windows Server 2022 23h2 | - | - | Affected |
| Fedoraproject | Fedora | 39 | - | Affected |
| Thekelleys | Dnsmasq | < 2.90 | - | Affected |
| Nic | Knot Resolver | < 5.71 | - | Affected |
| Powerdns | Recursor | >= 4.8.0 < 4.8.6 | - | Affected |
| Powerdns | Recursor | >= 4.9.0 < 4.9.3 | - | Affected |
| Powerdns | Recursor | >= 5.0.0 < 5.0.2 | - | Affected |
| Isc | Bind | >= 9.0.0 <= 9.16.46 | - | Affected |
| Isc | Bind | >= 9.18.0 <= 9.18.22 | - | Affected |
| Isc | Bind | >= 9.19.0 <= 9.19.20 | - | Affected |
| Nlnetlabs | Unbound | < 1.19.1 | - | Affected |