Description
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, resulting in a Denial of Service on the DNSSEC-validating resolver side.
This vulnerability applies only to systems where DNSSEC validation is enabled.
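The cost pattern described above can be made concrete with a small model. The following is an added example, not Red Hat's code nor the code of any affected resolver: it counts how many signature verification attempts a validator performs for an RRset carrying many DNSKEY and RRSIG records, and contrasts a naive validator with one that stops after a bounded number of failed verifications and treats the response as bogus. The only facts taken from the standards are that an RRSIG is tried against each DNSKEY whose key tag and algorithm match it (RFC 4035, section 5.3.1). The record classes, the `verify_stub` function (which stands in for the expensive cryptographic check), the constructed key tag and algorithm values, and the `max_failures` budget are all assumptions made for illustration.

```python
"""Model of DNSSEC validation cost for an RRset with many DNSKEY and RRSIG
records, plus a bounded validator as a mitigation.

Added example; not code from Red Hat or from any resolver project. The
matching rule (key tag + algorithm) follows RFC 4035 section 5.3.1; the
signature check is a stub that counts attempts instead of doing real
cryptography (assumption: one unit of cost per verification attempt).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    # constructed: index of the DNSKEY that genuinely produced this signature,
    # or None for a signature that verifies against no key at all
    signed_by: Optional[int]


def verify_stub(key: DNSKEY, sig: RRSIG, key_index: int) -> bool:
    """Stand-in for an expensive public-key verification (assumption).
    Succeeds only for the genuine key/signature pairing."""
    return sig.signed_by == key_index


def candidate_keys(keys: List[DNSKEY], sig: RRSIG) -> List[Tuple[int, DNSKEY]]:
    """RFC 4035 s5.3.1: only keys whose key tag and algorithm match the RRSIG
    are candidates. With colliding tags, every key is a candidate."""
    return [(i, k) for i, k in enumerate(keys)
            if k.key_tag == sig.key_tag and k.algorithm == sig.algorithm]


def validate_naive(keys: List[DNSKEY], sigs: List[RRSIG]) -> Tuple[str, int]:
    """Try every RRSIG against every matching DNSKEY until one verifies.
    Returns (status, attempts); attempts grows as keys x signatures when
    nothing verifies, which is the CPU-exhaustion pattern."""
    attempts = 0
    for sig in sigs:
        for i, k in candidate_keys(keys, sig):
            attempts += 1
            if verify_stub(k, sig, i):
                return "secure", attempts
    return "bogus", attempts


def validate_bounded(keys: List[DNSKEY], sigs: List[RRSIG],
                     max_failures: int) -> Tuple[str, int]:
    """Same search, but give up after max_failures failed verifications and
    report the response as bogus. The budget value is an illustrative
    assumption, not a value from any specific resolver."""
    attempts = 0
    failures = 0
    for sig in sigs:
        for i, k in candidate_keys(keys, sig):
            attempts += 1
            if verify_stub(k, sig, i):
                return "secure", attempts
            failures += 1
            if failures >= max_failures:
                return "bogus-budget-exceeded", attempts
    return "bogus", attempts


def colliding_rrset(n_keys: int, n_sigs: int) -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed worst case: every key and every signature share key tag
    1234 and algorithm 13, and no signature verifies, so a naive validator
    tries every combination."""
    keys = [DNSKEY(1234, 13) for _ in range(n_keys)]
    sigs = [RRSIG(1234, 13, None) for _ in range(n_sigs)]
    return keys, sigs


def genuine_rrset() -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed benign case: one key, one signature made by it."""
    return [DNSKEY(1234, 13)], [RRSIG(1234, 13, 0)]


if __name__ == "__main__":
    keys, sigs = colliding_rrset(40, 40)
    print("naive  :", validate_naive(keys, sigs))          # 1600 attempts
    print("bounded:", validate_bounded(keys, sigs, 16))    # stops at 16
    print("genuine:", validate_bounded(*genuine_rrset(), 16))
```

For a legitimate zone the bounded validator behaves identically, because the genuine signature verifies within the first few attempts; only responses that force a long run of failures hit the budget, which is the behaviour a resolver operator wants when deciding whether to keep DNSSEC validation enabled while updates from the table below are rolled out.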
Statement
This vulnerability in DNSSEC-validating resolvers is of important severity because it can lead to uncontrolled CPU consumption, resulting in a Denial of Service (DoS). By exploiting this flaw, attackers can send specially crafted DNS responses that cause the resolver to enter a state of excessive resource utilization. This can severely impact the availability and performance of DNS services, affecting not only the targeted resolver but potentially cascading to other dependent systems and services.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 7 | dnsmasq | Not affected | | |
Red Hat Enterprise Linux 9 | dhcp | Not affected | | |
Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | bind | Fixed | RHSA-2025:0039 | 06.01.2025 |
Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | bind-dyndb-ldap | Fixed | RHSA-2025:0039 | 06.01.2025 |
Red Hat Enterprise Linux 7 | bind | Fixed | RHSA-2024:3741 | 10.06.2024 |
Red Hat Enterprise Linux 7 | bind-dyndb-ldap | Fixed | RHSA-2024:3741 | 10.06.2024 |
Red Hat Enterprise Linux 7 | dhcp | Fixed | RHSA-2024:3741 | 10.06.2024 |
Red Hat Enterprise Linux 7 Extended Lifecycle Support | unbound | Fixed | RHSA-2024:11003 | 12.12.2024 |
Red Hat Enterprise Linux 8 | unbound | Fixed | RHSA-2024:0965 | 26.02.2024 |
Red Hat Enterprise Linux 8 | dnsmasq | Fixed | RHSA-2024:1335 | 14.03.2024 |
Additional information
Status: 7.5 High (CVSS3)
Related vulnerabilities
MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers
Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.