DNSSEC Protocol Vulnerabilities Discovered in BIND, Powerdns, dnsmasq, and Unbound Servers
In various implementations of the DNSSEC protocol, two vulnerabilities have been identified, affecting DNS servers including BIND, Powerdns, dnsmasq, and unbound. These vulnerabilities allow for a denial of service attack by causing high CPU load, which interferes with the processing of other requests. The attack involves sending a request to the DNS resolver using DNSSEC, leading to an appeal to a specially designed DNS zone on the attacker’s server.
Identified Problems:
- CVE-2023-50387 (codename KeyTrap): This vulnerability causes a denial of service by placing a domain zone with malicious settings on a controlled DNS server. By achieving this zone of a recursive DNS server, the attacker can overload the CPU and block the processing of other requests. The malicious settings involve using conflicting keys, RRSET records, and digital signatures, which trigger resource-intensive operations. Attackers were able to halt the processing of other requests for up to 16 hours in some cases, such as when attacking BIND.
- CVE-2023-50868 (codename NSEC3): This vulnerability causes a denial of service by performing significant calculations when processing NSEC3 (Next
/Reports, release notes, official announcements.