Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://www.isc.org/blogs/2024-bind-security-release/
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
https://www.athene-center.de/aktuelles/key-trap
https://news.ycombinator.com/item?id=39367411
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://kb.isc.org/docs/cve-2023-50387
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-08
https://www.darkreading.com/vulnerabilities-threats/microsoft-late-dangerous-dnssec-zero-day-flaw
https://www.darkreading.com/cloud-security/keytrap-dns-bug-threatens-widespread-internet-outages
https://security.netapp.com/advisory/ntap-20240307-0007/
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://news.ycombinator.com/item?id=39372384
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
https://bugzilla.suse.com/show_bug.cgi?id=1219823
Published: 2024-02-14
Updated: 2024-06-10
Named Vulnerability: KeyTrap
CVSS v2 Base Score: 7.8
CVSS v2 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS v2 Severity: High
CVSS v3 Base Score: 7.5
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v3 Severity: High
EPSS: 0.37707
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications.
Vulnerability Watch classification: Vulnerability Being Monitored