Did you know your DNS security could accidentally leak your entire subdomain structure? Enter DNSSEC with NSEC/NSEC3 records, which is great for ensuring integrity and authentication but can also be a sneaky way for attackers to ‘zone walk’ and enumerate your domains...

Darrell Hall breaks it down in our latest blog post: https://www.pentestpartners.com/security-blog/dnssec-nsec-the-accidental-treasure-map-to-your-subdomains/

What's covered:
• How NSEC/NSEC3 can inadvertently expose DNS data
• The difference between zone transfers and zone walking
• How to crack NSEC3 records (and why you should care)
• Real-world examples and mitigation strategies

#DNSSEC #CyberSecurity #Infosec #DNS #NSEC #NSEC3 #ZoneWalking #ThreatIntel

Great coverage by Jan Doskočil of NSEC3 hash enumeration, and cracking with hashcat. Also good info about the limits of making that harder (some resolvers cap the work factor they will resolve!)

https://infosec.exchange/@jpmens@mastodon.social/114019491327504188

Via @jpmens

#DNS #NSEC3 #hashcat

Looks like @sans_isc picked up on an exploit for KeyTrap - I haven't tested it yet, and it is explicitly documented as being defanged, but looks legit on the surface:

https://github.com/knqyf263/CVE-2023-50387

Added to my roll-up post.

#keytrap #nsec3 #CVE202350387 #CVE_2023_50387
#dns #dnssec

I have two posts about the new multi-implementation DNSSEC validation DoS vulnerabilities CVE-2023-50387 ("KeyTrap") and CVE-2023-50868 (the NSEC3 vuln):

• The big summary post (more editing - your client may notify you about each edit, which may be a feature):

https://infosec.exchange/@tychotithonus/111924626712765292

• The post you're reading (low editing, minimal noise, but you might want to check the big post occasionally for updates).

#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec

(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)

Looks like DNS-OARC coordinated fixes in advance, but no centralized analysis at first other than the announcement from the team who discovered KeyTrap:

• Press release: https://www.athene-center.de/en/news/press/key-trap

• Technical paper (released 2/15): https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf

• DNS-OARC dns-ops announcement: https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html

• RIPE blog post by one of the authors: https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/

• Apparently builds on this 2019 vulnerability (h/t letoams @defcon.social):
  https://
  essay.utwente.nl/78777/

Details may be still partially embargoed until patching ramps up.

Analysis:

DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.

"In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)

Per the Unbound writeup, both vulns require query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).

Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)

Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.

Details:

Two DNSSEC DoS CVEs:

CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://seclists.org/oss-sec/2024/q1/125

(KeyTrap was discovered by ATHENE - their press release here has very important detail:
https://www.athene-center.de/en/news/press/key-trap)

CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MITRE links (now populated):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868

Vulmon queries:
https://vulmon.com/searchpage?q=CVE-2023-50387
https://vulmon.com/searchpage?q=CVE-2023-50868

VulDB:
https://vuldb.com/?id.253829

Resolver status:

BIND (patched - vuln since 2000?):
https://fosstodon.org/@iscdotorg/111924416653890048
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://seclists.org/oss-sec/2024/q1/125
https://www.isc.org/blogs/2024-bind-security-release/
(note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)

BIND tools:
dig: no validation
kdig: no validation
delv: affected, patched

dnsmasq (patched - 2.90 has fix):
https://thekelleys.org.uk/dnsmasq/CHANGELOG
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

Knot (patched in 5.7.1):
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
(kzonecheck also affected, patched?)

ldns-verify-zone:
affected per ATHENE paper

OPNsense (patched):
https://forum.opnsense.org/index.php?topic=38939.msg190655#

pfSense:
(Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
https://forum.netgate.com/topic/186145/unbound-cve-2023-50387-and-cve-2023-50868/1
https://redmine.pfsense.org/issues/15256

Pi-Hole (uses dnsmasq - patch available)
https://www.patreon.com/posts/dnssec-fix-98498055
https://pi-hole.net/blog/2024/02/13/fixing-two-new-dnssec-vulnerabilities/

PowerDNS (patched - all versions affected):
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://github.com/PowerDNS/pdns/pull/13781
https://github.com/PowerDNS/pdns/pull/13784
https://seclists.org/oss-sec/2024/q1/130

Stubby:
[?]
https://github.com/getdnsapi/stubby

systemd.resolved:
[?]

Ubiquiti
[?]

Unbound (patched - vuln since Aug 2007):
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
https://seclists.org/oss-sec/2024/q1/126

Library status:*
dnspython (GitHub patched):
affected per ATHENE paper
https://github.com/rthalley/dnspython/commit/a1a998938b7370dae41784f8bc0a841dc2addba9

getdns (used by stubby - no patched release?):
affected per ATHENE paper
https://getdnsapi.net/releases/

ldns (not yet patched?):
affected per ATHENE paper
https://github.com/NLnetLabs/ldns

libunbound (used by Unbound):
affected per ATHENE paper
no recent patches?
https://github.com/NLnetLabs/unbound/tree/master/libunbound

Cloud status:

Akamai:
https://www.akamai.com/blog/security/dns-exploit-keytrap-posed-major-internet-threat

Cloudflare:
https://blog.cloudflare.com/remediating-new-dnssec-resource-exhaustion-vulnerabilities

Google DNS:
(stated as patched in Register and SecurityWeek articles)
[?]

NextDNS (patched per forum reply):
https://help.nextdns.io/t/h7yxwc5/does-dnssec-security-hole-keytrap-cve-2023-50387-affect-nextdns

OS status:

Debian:
BIND:
https://lists.debian.org/debian-security-announce/2024/msg00028.html
pdns-recursor:
https://lists.debian.org/debian-security-announce/2024/msg00033.html
Unbound:
https://lists.debian.org/debian-security-announce/2024/msg00027.html

Fedora:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e24211eff0

FreeBSD:
https://cgit.freebsd.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b

Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-50387

Mageia:
https://bugs.mageia.org/show_bug.cgi?id=32846

OpenBSD (unwind):

Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50868

SUSE:
https://www.suse.com/security/cve/CVE-2023-50387.html
https://bugzilla.suse.com/show_bug.cgi?id=1219823

Ubuntu:
https://ubuntu.com/security/CVE-2023-50387
https://ubuntu.com/security/CVE-2023-50868
https://ubuntu.com/security/notices/USN-6633-1

Windows (Server, DNS Role):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387

Package status:

BIND:
https://repology.org/project/bind/versions

dnsmasq:
https://repology.org/project/dnsmasq/versions

Unbound:
https://repology.org/project/unbound/versions

GitHub:
https://github.com/advisories/GHSA-8459-gg55-8qjj

Go (Knot module?)
https://github.com/golang/vulndb/issues/2552

Non-coverage: (no mentions known yet)

AWS :
[?]

Azure (Microsoft Server DNS?):
[?]

Cisco Umbrella:
https://umbrella.cisco.com/blog [?]

CoreDNS:
https://coredns.io/blog/ [?]

Infoblox:
https://blogs.infoblox.com/ [?]

Quad9 DNS:
https://www.quad9.net/news/blog/ [?]

News/Press/Forums

https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plain-words/

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/

https://www.bleepingcomputer.com/news/security/keytrap-attack-internet-access-disrupted-with-one-dns-packet/

https://news.ycombinator.com/item?id=39372384

https://www.darkreading.com/cloud-security/keytrap-dns-bug-threatens-widespread-internet-outages

Detection/Validation:

Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):

Tenable:
https://www.tenable.com/plugins/pipeline/issues/165587

Snyk:
https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245755

Exploits:

(multiple sources describe as "trivial")

https://github.com/knqyf263/CVE-2023-50387 (not tested)

#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec

#dnspython 2.5 released

Among the changes, still no options to generate #NSEC3 signatures when using the zone signing function, but it seems it's coming : "[t]he NSEC3 class now has a next_name() method for retrieving the next name as a dns.name.Name"

#DNS #Python #DNSSEC

https://dnspython.readthedocs.io/en/stable/whatsnew.html#id1

Your random #DNS and #DNSSEC facts of the day.

As of today (2023-09-24):
- 1465 TLDs in the root zone
- 1354 are signed. That's 92.4% of all TLDs
- 1311 are using NSEC3. That's 89.5% of all TLDs and 96.8% of all signed TLDs
- 644 are following RFC 9276's recommended #NSEC3 parameters. That's 43.9% of all TLDs, 47.5% of all signed TLDs and 49.1% of all signed TLDs using NSEC3

I’ve received on my postmaster@ address a message from some security researchers warning me of the “insecure” #DNSSEC configuration of my domain, so for the record:

My domain (incenp.org) is configured to use #NSEC, and not #NSEC3, on purpose. This is not a misconfiguration. I weighed the pros and cons of NSEC3, and decided it was just not worth it.

Yes, people could use NSEC records to enumerate all the DNS records of my zone. So what?

Usually I am not a fan (and that’s an euphemism) of the “if you have nothing to hide, you have nothing to fear” argument, but in this case, there is really nothing to hide in my DNS zone. I would happily give a list of all the records (or even the original master zone file) to anyone who asks for it.

Actually last time I checked, one of the slave DNS servers I use was even configured to allow #AXFR requests from anywhere, and I never bothered to contact the admin of that server to ask him to do anything about it. So if you want the entirety of my zone’s records, don’t waste your time mounting a NSEC enumeration attack, just ask the right server.

His plan was perfect... And then he realized he forgot about #NSEC3 🤦‍♂️

Ok, NSEC3 hash is predictable.

How about, taking a signed zone file, changing one NSEC3 record and recreate the corresponding RRSIG? 😏