
WARNING: MULTIPLE DNSSEC PROTOCOL FLAWS COULD RESULT IN DOS, PATCH IMMEDIATELY!

Reference: Advisory #2024-31
Version: 1.0
Affected software: All popular DNS implementations and services implementing DNSSEC
Type: DoS (CPU resource exhaustion)
CVE/CVSS:
CVE-2023-50387: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2023-50868: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Sources

Researcher: https://www.athene-center.de/en/keytrap

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50387

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50868

Risks

Both CVE-2023-50387 ("KeyTrap") and CVE-2023-50868 target design flaws in the DNSSEC protocol. Processing responses that come from crafted DNSSEC-signed zones can cause CPU usage spikes on a DNSSEC-validating resolver. By flooding the target resolver with queries that exploit these flaws, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. This results in a loss of availability. Confidentiality and integrity, the two other components of the CIA triad, are not impacted.

Description

DNS by itself is not secure. DNS Security Extensions (DNSSEC) strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it is not the DNS queries and responses themselves that are cryptographically signed; rather, the DNS data itself is signed by the owner of the data. Turning on DNSSEC validation in recursive resolvers involves changing just a few lines in the resolver's configuration file. From that point forward, when a user asks the resolver for DNS information that comes from a signed zone and that data has been tampered with, the user deliberately gets no data back. DNSSEC protects the user from receiving bad data from a signed zone by detecting the tampering and withholding the tampered data. NSEC and NSEC3 are the mechanisms within DNSSEC used to provide proof of non-existence of names. This is achieved by a DNSSEC-signed assurance that between two signed names, no other names exist.

Both CVE-2023-50387 and CVE-2023-50868 target design flaws in the DNSSEC protocol. To initiate the attacks, an adversary causes the victim resolver to look up a record in its malicious domain. The attacker's nameserver responds to the DNS queries with malicious record sets (RRsets).

  • For CVE-2023-50387 these malicious RRsets have been crafted to require a high number of validations, resulting in high CPU usage on the victim resolver. Different variants of the KeyTrap resource exhaustion attack exist: KeySigTrap, SigJam, LockCram, and HashTrap.
  • In the case of CVE-2023-50868 the responses use multiple NSEC3 RRsets, triggering a high number of NSEC3 hash iterations. This results in high CPU usage on the victim resolver.

By flooding a victim DNSSEC-validating resolver with these DNS queries, an attacker can cause a full Denial of Service of the targeted resolver for as long as the attack is running. The actual impact of an unresponsive DNS server depends on the victim's DNS architecture.

Neither vulnerability impacts servers where DNSSEC validation is disabled. Non-recursive DNS servers are also not affected by these vulnerabilities.

Both vulnerabilities were identified by security researchers. Based on vendor bulletins on these vulnerabilities, no exploitation in the wild has been observed.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends that users and system administrators take the following actions to mitigate the impact of these vulnerabilities in the most efficient way.

Implement Best Current Practices
Please implement the guidance from Best Current Practice documents (BCPs). While RFC9364 provides general guidance for DNSSEC, RFC9276 provides guidance on setting NSEC3 parameters based on recent operational deployment experience.
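As an added example that is not part of this advisory or of any vendor's code, the Python script below audits a zone's NSEC3PARAM record against the RFC 9276 guidance mentioned above (0 iterations, empty salt) and, by implementing the RFC 5155 NSEC3 hash, counts the SHA-1 calls a validator spends on the closest-encloser search of one non-existence proof. The two record strings are constructed samples, not records from any real zone.

```python
import base64
import hashlib

BCP_MAX_ITERATIONS = 0  # RFC 9276 (cited in the advisory): iterations 0, empty salt
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def _labels(name):
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in _labels(name)) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0)=H(name||salt), IH(k)=H(IH(k-1)||salt); base32hex output."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # every extra iteration costs the validator one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def hash_work(qname, zone, iterations):
    """SHA-1 calls a validator spends hashing qname and every ancestor up to the apex (RFC 5155 s8.3)."""
    q, z = _labels(qname), _labels(zone)
    if z and q[-len(z):] != z:
        raise ValueError(f"{qname} is not below {zone}")
    return (len(q) - len(z) + 1) * (iterations + 1)

def parse_nsec3param(rr):
    """Presentation format, e.g. 'example. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD'; salt '-' is empty."""
    f = rr.split()
    i = f.index("NSEC3PARAM")  # raises ValueError for any other record type
    return {"owner": f[0], "algorithm": int(f[i + 1]), "flags": int(f[i + 2]),  # alg 1 = SHA-1
            "iterations": int(f[i + 3]), "salt": b"" if f[i + 4] == "-" else bytes.fromhex(f[i + 4])}

def audit(p):
    """Findings against RFC 9276; an empty list means the zone follows the BCP."""
    findings = []
    if p["iterations"] > BCP_MAX_ITERATIONS:
        findings.append(f"iterations={p['iterations']} (RFC 9276: 0), {p['iterations'] + 1} SHA-1 calls per hashed name")
    if p["salt"]:
        findings.append(f"salt={p['salt'].hex()} (RFC 9276: empty, written as '-')")
    return findings

if __name__ == "__main__":
    # Constructed sample records: a heavy legacy configuration and one that follows the BCP.
    for rr in ("legacy.example. 3600 IN NSEC3PARAM 1 0 150 AABBCCDD",
               "good.example. 3600 IN NSEC3PARAM 1 0 0 -"):
        p = parse_nsec3param(rr)
        work = hash_work("a.b.c." + p["owner"], p["owner"], p["iterations"])
        print(p["owner"], audit(p) or "follows RFC 9276", f"| NXDOMAIN proof for a.b.c.{p['owner']}: {work} SHA-1 calls")
```

Run it against the NSEC3PARAM records of your own signed zones (for example from a zone transfer or a dig query) to see which zones still impose avoidable hashing cost on every validating resolver.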

Patch
All popular DNS implementations and services are vulnerable. Please note this also includes products which include a DNS server under the hood. If uncertain, please consult the product data sheet and/or reach out to the vendor.
Most vendors released new software versions in which an exceptionally complex DNSSEC validation will no longer impede other server workload. Consult the vendor security bulletin and patch after thorough testing.

Monitor/Detect
Should your organization operate a DNSSEC-validating resolver, the CCB recommends scaling up monitoring and detection capabilities to ensure a fast response in case of a DoS attempt.
Please report incidents via: https://cert.be/en/report-incident

References

ICANN: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

BCP index: https://www.ietf.org/rfc/bcp-index.txt

RFC/BCP: https://datatracker.ietf.org/doc/rfc9276/

RFC/BCP: https://datatracker.ietf.org/doc/html/rfc9364