THREATINT


PUBLISHED

CVE-2023-50387

Reserved: 2023-12-07
Published: 2024-02-14
Updated: 2024-06-10

Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

References

https://www.athene-center.de/aktuelles/key-trap

https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/

https://kb.isc.org/docs/cve-2023-50387

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

https://news.ycombinator.com/item?id=39367411

https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/

https://www.isc.org/blogs/2024-bind-security-release/

https://news.ycombinator.com/item?id=39372384

https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387

https://access.redhat.com/security/cve/CVE-2023-50387

https://bugzilla.suse.com/show_bug.cgi?id=1219823

https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf

http://www.openwall.com/lists/oss-security/2024/02/16/2 ([oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities) mailing-list

http://www.openwall.com/lists/oss-security/2024/02/16/3 ([oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities) mailing-list

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ (FEDORA-2024-2e26eccfcb) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ (FEDORA-2024-e24211eff0) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ (FEDORA-2024-21310568fa) vendor-advisory

https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html ([debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update) mailing-list

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ (FEDORA-2024-b0f9656a76) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ (FEDORA-2024-4e36df9dfd) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/ (FEDORA-2024-499b9be35f) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/ (FEDORA-2024-c36c448396) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/ (FEDORA-2024-c967c7d287) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/ (FEDORA-2024-e00eceb11c) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/ (FEDORA-2024-fae88b73eb) vendor-advisory

https://security.netapp.com/advisory/ntap-20240307-0007/

https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html ([debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update) mailing-list

cve.org CVE-2023-50387

nvd.nist.gov CVE-2023-50387
