Уязвимость CVE-2023-50387: Информация

Описание

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Важность: HIGH (7,5) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Опубликовано: 14 февраля 2024 г.
Изменено: 7 марта 2024 г.
Идентификатор типа ошибки: CWE-770

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
bindsisyphus_riscv649.18.24-alt19.18.27-alt1ALT-PU-2024-3529-1-Исправлено
bindp10_e2k9.16.48-alt19.16.48-alt1ALT-PU-2024-2785-1-Исправлено
bindc10f19.16.48-alt0.c10f2.19.16.48-alt0.c10f2.1ALT-PU-2024-3086-3341499Исправлено
dnsmasqsisyphus2.90-alt12.90-alt1ALT-PU-2024-2610-1341076Исправлено
dnsmasqsisyphus_e2k2.90-alt12.90-alt1ALT-PU-2024-2783-1-Исправлено
dnsmasqsisyphus_riscv642.90-alt12.90-alt1ALT-PU-2024-3586-1-Исправлено
dnsmasqsisyphus_loongarch642.90-alt12.90-alt1ALT-PU-2024-2725-1-Исправлено
dnsmasqp102.90-alt12.90-alt1ALT-PU-2024-2612-3341077Исправлено
dnsmasqp10_e2k2.90-alt12.90-alt1ALT-PU-2024-3133-1-Исправлено
dnsmasqc10f12.90-alt12.90-alt1ALT-PU-2024-3156-3341618Исправлено
dnsmasqc9f22.90-alt12.90-alt1ALT-PU-2024-2663-3341115Исправлено
unboundsisyphus1.19.1-alt11.20.0-alt1ALT-PU-2024-2451-1340809Исправлено
unboundsisyphus_e2k1.19.1-alt11.20.0-alt1ALT-PU-2024-2533-1-Исправлено
unboundsisyphus_riscv641.19.1-alt11.20.0-alt1ALT-PU-2024-3536-1-Исправлено
unboundsisyphus_loongarch641.19.1-alt11.20.0-alt1ALT-PU-2024-2503-1-Исправлено
unboundp101.19.1-alt11.20.0-alt1ALT-PU-2024-2453-2340810Исправлено
unboundp10_e2k1.19.1-alt11.19.3-alt1ALT-PU-2024-2787-1-Исправлено
unboundp91.19.1-alt11.19.3-alt1ALT-PU-2024-2605-2340811Исправлено
unboundc10f11.19.1-alt11.20.0-alt1ALT-PU-2024-2607-2340813Исправлено
unboundc9f21.19.1-alt11.20.0-alt1ALT-PU-2024-2455-2340812Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://www.athene-center.de/aktuelles/key-trap
  • Third Party Advisory
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
  • Vendor Advisory
https://kb.isc.org/docs/cve-2023-50387
  • Third Party Advisory
  • VDB Entry
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
  • Third Party Advisory
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
  • Patch
  • Third Party Advisory
https://news.ycombinator.com/item?id=39367411
  • Third Party Advisory
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
  • Press/Media Coverage
  • Third Party Advisory
https://www.isc.org/blogs/2024-bind-security-release/
  • Third Party Advisory
https://news.ycombinator.com/item?id=39372384
  • Issue Tracking
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
  • Patch
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
  • Mailing List
  • Third Party Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
  • Patch
  • Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-50387
  • Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1219823
  • Issue Tracking
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
  • Technical Description
  • Third Party Advisory
[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
  • Mailing List
[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
  • Mailing List
FEDORA-2024-2e26eccfcb
  • Mailing List
FEDORA-2024-e24211eff0
  • Mailing List
FEDORA-2024-21310568fa
  • Mailing List
[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
    FEDORA-2024-b0f9656a76
      FEDORA-2024-4e36df9dfd
        FEDORA-2024-499b9be35f
          FEDORA-2024-c36c448396
            FEDORA-2024-c967c7d287
              FEDORA-2024-e00eceb11c
                FEDORA-2024-fae88b73eb
                  https://security.netapp.com/advisory/ntap-20240307-0007/
                      1. Конфигурация 1

                        cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

                        cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

                        cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

                        cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

                        Конфигурация 2

                        cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*

                        cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*

                        cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*

                        cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*

                        cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*

                        cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*

                        cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*

                        Конфигурация 3

                        cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

                        Конфигурация 4

                        cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*
                        End excliding
                        2.90

                        Конфигурация 5

                        cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*
                        End excliding
                        5.71

                        Конфигурация 6

                        cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
                        Start including
                        5.0.0
                        End excliding
                        5.0.2

                        cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
                        Start including
                        4.9.0
                        End excliding
                        4.9.3

                        cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
                        Start including
                        4.8.0
                        End excliding
                        4.8.6

                        Конфигурация 7

                        cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
                        Start including
                        9.19.0
                        End including
                        9.19.20

                        cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
                        Start including
                        9.18.0
                        End including
                        9.18.22

                        cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
                        Start including
                        9.0.0
                        End including
                        9.16.46

                        Конфигурация 8

                        cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
                        End excliding
                        1.19.1