Vulnerability CVE-2023-50387: Information

Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-50387
Published: Feb. 14, 2024
Modified: March 7, 2024
Error type identifier: CWE-770

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
bindsisyphus_riscv649.18.24-alt19.18.27-alt1ALT-PU-2024-3529-1-Fixed
bindp10_e2k9.16.48-alt19.16.48-alt1ALT-PU-2024-2785-1-Fixed
bindc10f19.16.48-alt0.c10f2.19.16.48-alt0.c10f2.1ALT-PU-2024-3086-3341499Fixed
dnsmasqsisyphus2.90-alt12.90-alt1ALT-PU-2024-2610-1341076Fixed
dnsmasqsisyphus_e2k2.90-alt12.90-alt1ALT-PU-2024-2783-1-Fixed
dnsmasqsisyphus_riscv642.90-alt12.90-alt1ALT-PU-2024-3586-1-Fixed
dnsmasqsisyphus_loongarch642.90-alt12.90-alt1ALT-PU-2024-2725-1-Fixed
dnsmasqp102.90-alt12.90-alt1ALT-PU-2024-2612-3341077Fixed
dnsmasqp10_e2k2.90-alt12.90-alt1ALT-PU-2024-3133-1-Fixed
dnsmasqc10f12.90-alt12.90-alt1ALT-PU-2024-3156-3341618Fixed
dnsmasqc9f22.90-alt12.90-alt1ALT-PU-2024-2663-3341115Fixed
unboundsisyphus1.19.1-alt11.19.3-alt1ALT-PU-2024-2451-1340809Fixed
unboundsisyphus_e2k1.19.1-alt11.19.3-alt1ALT-PU-2024-2533-1-Fixed
unboundsisyphus_riscv641.19.1-alt11.19.3-alt1ALT-PU-2024-3536-1-Fixed
unboundsisyphus_loongarch641.19.1-alt11.19.3-alt1ALT-PU-2024-2503-1-Fixed
unboundp101.19.1-alt11.19.3-alt1ALT-PU-2024-2453-2340810Fixed
unboundp10_e2k1.19.1-alt11.19.3-alt1ALT-PU-2024-2787-1-Fixed
unboundp91.19.1-alt11.19.3-alt1ALT-PU-2024-2605-2340811Fixed
unboundc10f11.19.1-alt11.19.2-alt1ALT-PU-2024-2607-2340813Fixed
unboundc9f21.19.1-alt11.19.2-alt1ALT-PU-2024-2455-2340812Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.athene-center.de/aktuelles/key-trap
  • Third Party Advisory
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
  • Vendor Advisory
https://kb.isc.org/docs/cve-2023-50387
  • Third Party Advisory
  • VDB Entry
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
  • Third Party Advisory
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
  • Patch
  • Third Party Advisory
https://news.ycombinator.com/item?id=39367411
  • Third Party Advisory
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
  • Press/Media Coverage
  • Third Party Advisory
https://www.isc.org/blogs/2024-bind-security-release/
  • Third Party Advisory
https://news.ycombinator.com/item?id=39372384
  • Issue Tracking
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
  • Patch
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
  • Mailing List
  • Third Party Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
  • Patch
  • Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-50387
  • Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1219823
  • Issue Tracking
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
  • Technical Description
  • Third Party Advisory
[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
  • Mailing List
[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
  • Mailing List
FEDORA-2024-2e26eccfcb
  • Mailing List
FEDORA-2024-e24211eff0
  • Mailing List
FEDORA-2024-21310568fa
  • Mailing List
[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
    FEDORA-2024-b0f9656a76
      FEDORA-2024-4e36df9dfd
        FEDORA-2024-499b9be35f
          FEDORA-2024-c36c448396
            FEDORA-2024-c967c7d287
              FEDORA-2024-e00eceb11c
                FEDORA-2024-fae88b73eb
                  https://security.netapp.com/advisory/ntap-20240307-0007/

                      1. Configuration 1

                        cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
                        cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
                        cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
                        cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

                        Configuration 2

                        cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
                        cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
                        cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
                        cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
                        cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
                        cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
                        cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*

                        Configuration 3

                        cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

                        Configuration 4

                        cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*
                        End excliding
                        2.90

                        Configuration 5

                        cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*
                        End excliding
                        5.71

                        Configuration 6

                        cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
                        Start including
                        5.0.0
                        End excliding
                        5.0.2
                        cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
                        Start including
                        4.9.0
                        End excliding
                        4.9.3
                        cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
                        Start including
                        4.8.0
                        End excliding
                        4.8.6

                        Configuration 7

                        cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
                        Start including
                        9.19.0
                        End including
                        9.19.20
                        cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
                        Start including
                        9.18.0
                        End including
                        9.18.22
                        cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
                        Start including
                        9.0.0
                        End including
                        9.16.46

                        Configuration 8

                        cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
                        End excliding
                        1.19.1
                    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                    Version: v24.5.1
                    Back to top