Royce WilliamsLooks like @sans_isc picked up on an exploit for KeyTrap - I haven't tested it yet, and it is explicitly documented as being defanged, but looks legit on the surface:
https://github.com/knqyf263/CVE-2023-50387
Added to my roll-up post.
I have two posts about the new multi-implementation DNSSEC validation DoS vulnerabilities CVE-2023-50387 ("KeyTrap") and CVE-2023-50868 (the NSEC3 vuln):
- The big summary post (more editing - your client may notify you about each edit, which may be a feature):
https://infosec.exchange/@tychotithonus/111924626712765292
- The post you're reading (low editing, minimal noise, but you might want to check the big post occasionally for updates).
#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec
Royce Williams (@[email protected])
Content warning: New multi-implementation DNSSEC validation DoS vulnerabilities - CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)
(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)
Looks like DNS-OARC coordinated fixes in advance, but no centralized analysis at first other than the announcement from the team who discovered KeyTrap:
Press release: https://www.athene-center.de/en/news/press/key-trap
Technical paper (released 2/15): https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
DNS-OARC dns-ops announcement: https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html
RIPE blog post by one of the authors: https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/
Apparently builds on this 2019 vulnerability (h/t letoams @defcon.social):
https://
essay.utwente.nl/78777/
Details may be still partially embargoed until patching ramps up.
Analysis:
DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.
"In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)
Per the Unbound writeup, both vulns require query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).
Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)
Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.
Details:
Two DNSSEC DoS CVEs:
CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://seclists.org/oss-sec/2024/q1/125
(KeyTrap was discovered by ATHENE - their press release here has very important detail:
https://www.athene-center.de/en/news/press/key-trap)
CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MITRE links (now populated):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
Vulmon queries:
https://vulmon.com/searchpage?q=CVE-2023-50387
https://vulmon.com/searchpage?q=CVE-2023-50868
VulDB:
https://vuldb.com/?id.253829
Resolver status:
BIND (patched - vuln since 2000?):
https://fosstodon.org/@iscdotorg/111924416653890048
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://seclists.org/oss-sec/2024/q1/125
https://www.isc.org/blogs/2024-bind-security-release/
(note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)
BIND tools:
dig: no validation
kdig: no validation
delv: affected, patched
dnsmasq (patched - 2.90 has fix):
https://thekelleys.org.uk/dnsmasq/CHANGELOG
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
Knot (patched in 5.7.1):
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
(kzonecheck also affected, patched?)
ldns-verify-zone:
affected per ATHENE paper
OPNsense (patched):
https://forum.opnsense.org/index.php?topic=38939.msg190655#
pfSense:
(Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
https://forum.netgate.com/topic/186145/unbound-cve-2023-50387-and-cve-2023-50868/1
https://redmine.pfsense.org/issues/15256
Pi-Hole (uses dnsmasq - patch available)
https://www.patreon.com/posts/dnssec-fix-98498055
https://pi-hole.net/blog/2024/02/13/fixing-two-new-dnssec-vulnerabilities/
PowerDNS (patched - all versions affected):
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://github.com/PowerDNS/pdns/pull/13781
https://github.com/PowerDNS/pdns/pull/13784
https://seclists.org/oss-sec/2024/q1/130
Stubby:
[?]
https://github.com/getdnsapi/stubby
systemd.resolved:
[?]
Ubiquiti
[?]
Unbound (patched - vuln since Aug 2007):
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
https://seclists.org/oss-sec/2024/q1/126
Library status:*
dnspython (GitHub patched):
affected per ATHENE paper
https://github.com/rthalley/dnspython/commit/a1a998938b7370dae41784f8bc0a841dc2addba9
getdns (used by stubby - no patched release?):
affected per ATHENE paper
https://getdnsapi.net/releases/
ldns (not yet patched?):
affected per ATHENE paper
https://github.com/NLnetLabs/ldns
libunbound (used by Unbound):
affected per ATHENE paper
no recent patches?
https://github.com/NLnetLabs/unbound/tree/master/libunbound
Cloud status:
Akamai:
https://www.akamai.com/blog/security/dns-exploit-keytrap-posed-major-internet-threat
Cloudflare:
https://blog.cloudflare.com/remediating-new-dnssec-resource-exhaustion-vulnerabilities
Google DNS:
(stated as patched in Register and SecurityWeek articles)
[?]
NextDNS (patched per forum reply):
https://help.nextdns.io/t/h7yxwc5/does-dnssec-security-hole-keytrap-cve-2023-50387-affect-nextdns
OS status:
Debian:
BIND:
https://lists.debian.org/debian-security-announce/2024/msg00028.html
pdns-recursor:
https://lists.debian.org/debian-security-announce/2024/msg00033.html
Unbound:
https://lists.debian.org/debian-security-announce/2024/msg00027.html
Fedora:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e24211eff0
FreeBSD:
https://cgit.freebsd.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b
Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-50387
Mageia:
https://bugs.mageia.org/show_bug.cgi?id=32846
OpenBSD (unwind):
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50868
SUSE:
https://www.suse.com/security/cve/CVE-2023-50387.html
https://bugzilla.suse.com/show_bug.cgi?id=1219823
Ubuntu:
https://ubuntu.com/security/CVE-2023-50387
https://ubuntu.com/security/CVE-2023-50868
https://ubuntu.com/security/notices/USN-6633-1
Windows (Server, DNS Role):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
Package status:
BIND:
https://repology.org/project/bind/versions
dnsmasq:
https://repology.org/project/dnsmasq/versions
Unbound:
https://repology.org/project/unbound/versions
GitHub:
https://github.com/advisories/GHSA-8459-gg55-8qjj
Go (Knot module?)
https://github.com/golang/vulndb/issues/2552
Non-coverage: (no mentions known yet)
AWS :
[?]
Azure (Microsoft Server DNS?):
[?]
Cisco Umbrella:
https://umbrella.cisco.com/blog [?]
CoreDNS:
https://coredns.io/blog/ [?]
Infoblox:
https://blogs.infoblox.com/ [?]
Quad9 DNS:
https://www.quad9.net/news/blog/ [?]
News/Press/Forums
https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plain-words/
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://news.ycombinator.com/item?id=39372384
https://www.darkreading.com/cloud-security/keytrap-dns-bug-threatens-widespread-internet-outages
Detection/Validation:
Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):
# zone signed, server DNSSEC-enabled:
$ delv example.net @8.8.8.8
; fully validated
example.net. 4437 IN A 93.184.216.34
example.net. 4437 IN RRSIG A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==
# zone unsigned, server DNSSEC-enabled:
$ delv google.com @8.8.8.8
; unsigned answer
google.com. 100 IN A 142.250.69.206
Tenable:
https://www.tenable.com/plugins/pipeline/issues/165587
Snyk:
https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245755
Exploits:
(multiple sources describe as "trivial")
https://github.com/knqyf263/CVE-2023-50387 (not tested)
#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec
Royce Williams (@[email protected])
I have *two* posts about the new multi-implementation DNSSEC validation DoS vulnerabilities CVE-2023-50387 ("KeyTrap") and CVE-2023-50868 (the NSEC3 vuln): * The big summary post (more editing - your client may notify you about each edit, which may be a feature): https://infosec.exchange/@tychotithonus/111924626712765292 * The post you're reading (low editing, minimal noise, but you might want to check the big post occasionally for updates). #keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868 #dns #dnssec