CVE-2023-50387
In short
A flaw in DNSSEC (the security extension for DNS) allows attackers to overwhelm DNSSEC-validating resolvers by sending specially crafted DNS responses that force excessive CPU usage. This happens when a resolver tries to verify signatures on a zone that carries many security keys and signatures.
Technical detail
CVE-2023-50387 exploits the algorithmic complexity of DNSSEC validation: a resolver following the specification evaluates every combination of DNSKEY and RRSIG records in a zone that carries many of them. A remote, unauthenticated attacker can trigger a denial of service by serving malicious DNSSEC responses; the resulting cryptographic verification work consumes significant CPU time and degrades resolver availability.
Summary generated and translated by AI from the official description.
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
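To make the cost concrete, the following Python simulation (added here; it is not code from the CVE record or from any resolver implementation) models the naive validation loop the description refers to, with an attempt cap standing in for the limits vendors added in their fixes. The DNSKEY/RRSIG records, the shared key tag and the crypto_verify function are simplified stand-ins for the real wire formats and signature checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    key_id: str      # stand-in for the public key material


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signer_id: str   # stand-in for the signature bytes


def crypto_verify(key: DNSKEY, sig: RRSIG) -> bool:
    # Stand-in for the expensive asymmetric signature check; every call here
    # represents one public-key operation the resolver must pay for.
    return key.key_id == sig.signer_id


def validate_rrset(keys, sigs, max_attempts=None):
    """Return (secure, attempts). A validator tries each RRSIG against every
    DNSKEY whose key tag and algorithm match, so n keys and m signatures that
    all share one tag cost up to n*m verifications when none succeeds.
    max_attempts is the mitigation: give up (treat the RRset as bogus) once
    that many verifications have failed instead of trying every pair."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts          # bounded: fail closed early
            attempts += 1
            if crypto_verify(key, sig):
                return True, attempts           # first valid signature wins
    return False, attempts


def keytrap_zone(n_keys: int, n_sigs: int):
    # Constructed worst case: all keys and signatures share one key tag and
    # algorithm, and no signature verifies, so nothing short-circuits.
    keys = [DNSKEY(12345, 13, f"key{i}") for i in range(n_keys)]
    sigs = [RRSIG(12345, 13, f"bogus{j}") for j in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    keys, sigs = keytrap_zone(100, 100)
    print(validate_rrset(keys, sigs))                   # (False, 10000)
    print(validate_rrset(keys, sigs, max_attempts=16))  # (False, 16)
```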
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a
References
https://access.redhat.com/security/cve/CVE-2023-50387
https://bugzilla.suse.com/show_bug.cgi?id=1219823
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
https://kb.isc.org/docs/cve-2023-50387
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html
https://lists.debian.org/debian-lts-announce/2024/11/msg00035.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/