KeyTrap: Denial of Service Vulnerability in DNSSEC
CVE-2023-50387
Key Information:
- Vendor: DNSSEC
- CVE Published: 14 February 2024
What is CVE-2023-50387?
CVE-2023-50387 is a critical vulnerability affecting the DNSSEC protocol, a vital component of the Domain Name System (DNS) used to enhance its security. This vulnerability, referred to as the "KeyTrap" issue, allows remote attackers to exploit certain aspects of DNSSEC to induce a denial of service (DoS). The significance of this flaw lies in its potential to increase CPU consumption on affected systems, disrupting crucial DNS resolution processes for organizations that depend on reliable web connectivity and domain resolution.
Technical Details
The vulnerability stems from how DNSSEC validators, following RFCs 4033, 4034, 4035, 6840 and related specifications, handle responses that carry multiple DNSKEY and RRSIG records. When a zone presents many DNSKEY and RRSIG records, the protocol obliges the validator to try the possible key/signature combinations, and the cost of those signature checks grows with the number of records. That work can consume enough CPU to effectively cripple DNS resolution. An attacker can trigger it by returning specially crafted DNSSEC responses, making targeted DoS attacks against an organization's DNS infrastructure feasible.
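To make that cost concrete, the following is an added model written for this page (not code from any resolver or from the KeyTrap researchers) of how a validator selects candidate keys per RFC 4035 and how the number of signature checks grows with the number of matching DNSKEY and RRSIG records. The records are constructed in memory, no DNS traffic is involved, and the per-response attempt budget is an assumed mitigation modelled on the kind of limit patched resolvers introduced.

```python
"""Model of the DNSSEC validation work KeyTrap drives up (constructed example, not resolver code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    verifies: bool   # constructed stand-in for "this key really verifies the RRSIG"


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int


def candidate_keys(sig: RRSIG, keys: List[DNSKEY]) -> List[DNSKEY]:
    # RFC 4035 s5.3.1: every DNSKEY whose key tag and algorithm match the RRSIG is a
    # candidate, so colliding key tags make every key a candidate for every signature.
    return [k for k in keys if k.key_tag == sig.key_tag and k.algorithm == sig.algorithm]


def validate(sigs: List[RRSIG], keys: List[DNSKEY],
             max_attempts: Optional[int] = None) -> Tuple[bool, int]:
    """Return (secure, attempts).

    Without max_attempts this is the naive loop: keep trying key/signature pairs until one
    verifies, which costs len(sigs) * len(candidates) expensive checks when none does.
    max_attempts is an assumed per-response budget: once exhausted, the response is treated
    as bogus instead of burning more CPU.
    """
    attempts = 0
    for sig in sigs:
        for key in candidate_keys(sig, keys):
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts
            attempts += 1                      # one (simulated) signature verification
            if key.verifies:
                return True, attempts
    return False, attempts


def colliding_rrset(n_keys: int, n_sigs: int) -> Tuple[List[RRSIG], List[DNSKEY]]:
    """Constructed worst case: n_keys keys sharing one key tag, n_sigs signatures none verifies."""
    keys = [DNSKEY(key_tag=12345, algorithm=13, verifies=False) for _ in range(n_keys)]
    sigs = [RRSIG(key_tag=12345, algorithm=13) for _ in range(n_sigs)]
    return sigs, keys


if __name__ == "__main__":
    sigs, keys = colliding_rrset(100, 100)
    print("naive validator:", validate(sigs, keys))          # (False, 10000)
    print("budgeted validator:", validate(sigs, keys, 16))   # (False, 16)
```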
Impact of the Vulnerability
- Denial of Service: The primary impact of CVE-2023-50387 is the potential for a significant denial of service. Organizations may experience prolonged outages in their DNS services, leading to inaccessibility of web resources and applications that rely on domain name resolution, severely affecting business operations.
- Operational Disruption: Due to the nature of the attack, if exploited successfully, it may incapacitate large sections of the internet connected to vulnerable DNS servers, leading to widespread operational disruptions in various sectors reliant on those systems, potentially affecting users globally.
- Resource Strain: Organizations could face increased operational costs since the exploited servers would be subjected to heightened resource strain, necessitating upgrades or additional hardware to manage the unreasonable CPU load generated by such attacks, all while risking reputational damage and customer trust.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
News Articles
Microsoft Late to the Game on Dangerous DNSSEC Zero-Day Flaw
Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.
7 months ago
New DNSSEC Vulnerability CVE-2023-50387: Threatening System Stability and Security
The recently discovered CVE-2023-50387 targets DNSSEC validator KeyTrap, leading to extreme CPU consumption and threatening system stability. Learn about its implications and the path forward in securing affected systems.
10 months ago
KeyTrap attack can take out a DNS server
The KeyTrap attack can disable DNS servers by sending a single malicious packet that exploits a vulnerability in DNSSEC (CVE-2023-50387).
11 months ago
EPSS Score
6% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by BNN Breaking
- Vulnerability started trending
- Vulnerability published
- Vulnerability reserved