NA

CVE-2023-50868

Published: 14/02/2024 Updated: 07/03/2024

Vulnerability Summary

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155, when the RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. To validate a proof that a queried name does not exist, a resolver must hash each candidate closest-encloser name with the iteration count and salt advertised by the zone; the RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations, so a zone under attacker control can make every crafted response expensive to validate.

Vendor Advisories

Debian Bug report logs - #1063845 unbound: Package 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868 Package: src:unbound; Maintainer for src:unbound is unbound packagers <unbound@packages.debian.org>; Reported by: Diederik de Haas <didi.debian@cknow.org> Date: Tue, 13 Feb 2024 14:48:02 UTC Severity: grave Tags: securi ...
Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSK ...
A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to CPU exhaustion, further leading to a denial of service on the targeted host.

Mailing Lists

oss-sec mailing list archives: Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
oss-sec mailing list archives: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
oss-sec mailing list archives: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor

Github Repositories

test dnssec ( hackingyseguridad.com )

dnssec: Simple script to make DNSSEC DNS queries. dig nist.gov @8.8.8.8 +dnssec; kdig nist.gov @9.9.9.9 +tls-ca +tls-host=dns.quad9.net (see www.knot-dns.cz/docs/2.6/html/man_kdig.html). Install kdig: $ apt-get install knot-dnsutils. dnslookup.org/hackingyseguridad.com/ Secure DNS: DNS over TLS (DoT). RFC 7858 specified DNS-over-TLS as a protocol ...

NSEC3-Encloser-Attack Zonefile Generation: This project generates DNS zonefiles with custom NSEC3 parameters to reproduce and evaluate the attacks in CVE-2023-50868. Requirements: Python 3 (tested on Python 3.10). Installed Python dependencies: cryptography 42.0.5, dnspython 2.6.1. Components: lib: Python utils, including: keys.py: Wrapper functions for loading/storing keys to f ...

Recent Articles

Row breaks out over true severity of two DNSSEC flaws
The Register

Some of us would be happy being rated 7.5 out of 10, just sayin'

Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue. One, named KeyTrap (CVE-2023-50387) by Germany’s National Research Centre for applied cybersecurity (ATHENE), was described as "one of the worst ever discovered," by Akamai exec Sven Dummer, because it could be used to disable large portions of the internet. KeyTrap allowed a single DNS packet to deny service by exhausting the CPU resources of machines ru...

Just one bad DNS packet can bring down a public DNSSEC server
The Register

'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge

A 20-plus-year-old security vulnerability in the design of DNSSEC (Domain Name System Security Extensions) could allow a single DNS packet to exhaust the processing capacity of any server using the system for domain name resolution, effectively disabling the machine. Yes, a single DNS packet could take out a remote DNSSEC server. The researchers who found the flaw – from the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – said DNS vendors briefed about the v...

References

https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
https://www.isc.org/blogs/2024-bind-security-release/
https://datatracker.ietf.org/doc/html/rfc5155
https://kb.isc.org/docs/cve-2023-50868
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://access.redhat.com/security/cve/CVE-2023-50868
https://bugzilla.suse.com/show_bug.cgi?id=1219826
http://www.openwall.com/lists/oss-security/2024/02/16/2
http://www.openwall.com/lists/oss-security/2024/02/16/3
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
https://security.netapp.com/advisory/ntap-20240307-0008/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845
https://nvd.nist.gov
https://github.com/hackingyseguridad/dnssec
https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html