Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALASDNSMASQ-2024-002

Related Vulnerabilities: CVE-2023-50387   CVE-2023-50868  

Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. (CVE-2023-50387) The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

Source

ALASDNSMASQ-2024-002

Amazon Linux 2 Security Advisory: ALASDNSMASQ-2024-002
Advisory Release Date: 2024-04-10 22:27 Pacific
Advisory Updated Date: 2024-04-15 12:00 Pacific
Severity: Important
Issue Overview:

Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. (CVE-2023-50387)

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)


Affected Packages:

dnsmasq


Note:

This advisory is applicable to Amazon Linux 2 - Dnsmasq Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update dnsmasq to update your system.

New Packages:
aarch64:
    dnsmasq-2.90-1.amzn2.0.1.aarch64
    dnsmasq-utils-2.90-1.amzn2.0.1.aarch64
    dnsmasq-debuginfo-2.90-1.amzn2.0.1.aarch64

src:
    dnsmasq-2.90-1.amzn2.0.1.src

x86_64:
    dnsmasq-2.90-1.amzn2.0.1.x86_64
    dnsmasq-utils-2.90-1.amzn2.0.1.x86_64
    dnsmasq-debuginfo-2.90-1.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2023-50387, CVE-2023-50868

Mitre: CVE-2023-50387, CVE-2023-50868

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started