Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2023-50387

Disclosure Date: February 14, 2024
CVE-2023-50387 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the “KeyTrap” issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • fedoraproject,
  • isc,
  • microsoft,
  • nic,
  • nlnetlabs,
  • powerdns,
  • redhat,
  • thekelleys

Products

  • bind,
  • dnsmasq,
  • enterprise linux 6.0,
  • enterprise linux 7.0,
  • enterprise linux 8.0,
  • enterprise linux 9.0,
  • fedora 39,
  • knot resolver,
  • recursor,
  • unbound,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016 -,
  • windows server 2019 -,
  • windows server 2022 -,
  • windows server 2022 23h2 -

References

Canonical
CVE-2023-50387 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387)
Advisory
[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities (http://www.openwall.com/lists/oss-security/2024/02/16/2)
[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities (http://www.openwall.com/lists/oss-security/2024/02/16/3)
FEDORA-2024-2e26eccfcb (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/)
FEDORA-2024-e24211eff0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/)
FEDORA-2024-21310568fa (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/)
[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update (https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html)
FEDORA-2024-b0f9656a76 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/)
FEDORA-2024-4e36df9dfd (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/)
FEDORA-2024-499b9be35f (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/)
FEDORA-2024-c36c448396 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/)
FEDORA-2024-c967c7d287 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/)
FEDORA-2024-e00eceb11c (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/)
FEDORA-2024-fae88b73eb (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/)
https://security.netapp.com/advisory/ntap-20240307-0007/
[debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update (https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html)
Exploit
POC (https://github.com/knqyf263/CVE-2023-50387)
Miscellaneous
https://datatracker.ietf.org/doc/html/rfc4035
https://www.athene-center.de/aktuelles/key-trap
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://kb.isc.org/docs/cve-2023-50387
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://news.ycombinator.com/item?id=39367411
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://www.isc.org/blogs/2024-bind-security-release/
https://news.ycombinator.com/item?id=39372384
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50387
https://bugzilla.suse.com/show_bug.cgi?id=1219823
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis