CVE-2023-50387

Published: 14/02/2024 Updated: 07/03/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote malicious users to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Vulnerable Product

redhat enterprise linux 7.0

redhat enterprise linux 6.0

redhat enterprise linux 8.0

redhat enterprise linux 9.0

microsoft windows server 2008 r2

microsoft windows server 2012 r2

microsoft windows server 2016 -

microsoft windows server 2012 -

microsoft windows server 2019 -

microsoft windows server 2022 -

microsoft windows server 2022 23h2 -

fedoraproject fedora 39

thekelleys dnsmasq

nic knot resolver

powerdns recursor

isc bind

nlnetlabs unbound

Vendor Advisories

Debian Bug report logs - #1063845 unbound: Package 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868. Package: src:unbound; Maintainer for src:unbound is unbound packagers <unbound@packages.debian.org>; Reported by: Diederik de Haas <didi.debian@cknow.org>; Date: Tue, 13 Feb 2024 14:48:02 UTC; Severity: grave; Tags: securi ...
Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSK ...

Mailing Lists

oss-sec mailing list archives: Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
oss-sec mailing list archives: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
oss-sec mailing list archives: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor

Github Repositories

test dnssec ( hackingyseguridad.com )

dnssec: Simple script for making DNS DNSSEC queries. dig nist.gov @8.8.8.8 +dnssec; kdig nist.gov @9.9.9.9 +tls-ca +tls-host=dns.quad9.net; www.knot-dns.cz/docs/2.6/html/man_kdig.html. Install kdig: $ apt-get install knot-dnsutils; dnslookup.org/hackingyseguridad.com/. Secure DNS: DNS over TLS (DoT): RFC7858 specified DNS-over-TLS as a ...

KeyTrap (DNSSEC)

CVE-2023-50387: KeyTrap in DNS (CVE-2023-50387). This repository is for educational purposes. The number of keys and signatures has been intentionally kept low to prevent their use in actual attacks, and a script for generating colliding keys is not included. Test: Setting up the PoC environment: $ docker compose up --build. Confirming DNSSE

Recent Articles

Row breaks out over true severity of two DNSSEC flaws
The Register

Some of us would be happy being rated 7.5 out of 10, just sayin'

Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue. One, named KeyTrap (CVE-2023-50387) by Germany’s National Research Centre for applied cybersecurity (ATHENE), was described as "one of the worst ever discovered," by Akamai exec Sven Dummer, because it could be used to disable large portions of the internet. KeyTrap allowed a single DNS packet to deny service by exhausting the CPU resources of machines ru...

Just one bad DNS packet can bring down a public DNSSEC server
The Register

'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge

A 20-plus-year-old security vulnerability in the design of DNSSEC (Domain Name System Security Extensions) could allow a single DNS packet to exhaust the processing capacity of any server using the system for domain name resolution, effectively disabling the machine. Yes, a single DNS packet could take out a remote DNSSEC server. The researchers who found the flaw – from the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – said DNS vendors briefed about the v...

References

CWE-770
https://www.athene-center.de/aktuelles/key-trap
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://kb.isc.org/docs/cve-2023-50387
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://news.ycombinator.com/item?id=39367411
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://www.isc.org/blogs/2024-bind-security-release/
https://news.ycombinator.com/item?id=39372384
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50387
https://bugzilla.suse.com/show_bug.cgi?id=1219823
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
http://www.openwall.com/lists/oss-security/2024/02/16/2
http://www.openwall.com/lists/oss-security/2024/02/16/3
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
https://security.netapp.com/advisory/ntap-20240307-0007/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845
https://nvd.nist.gov
https://github.com/hackingyseguridad/dnssec
https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html