FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities

Affected packages
bind916 < 9.16.48
bind918 < 9.18.24
bind9-devel < 9.19.21
dnsmasq < 2.90
dnsmasq-devel < 2.90
powerdns-recursor < 5.0.2
unbound < 1.19.1
14.0 <= FreeBSD < 14.0_6
13.2 <= FreeBSD < 13.2_11


VuXML ID 21a854cc-cac1-11ee-b7a7-353f1e043d9a
Discovery 2024-02-06
Entry 2024-02-13
Modified 2024-04-01

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.


CVE Name CVE-2023-50387
CVE Name CVE-2023-50868
FreeBSD Advisory SA-24:03.unbound