FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities

Affected packages
bind916 < 9.16.48
bind918 < 9.18.24
bind9-devel < 9.19.21
dnsmasq < 2.90
dnsmasq-devel < 2.90
powerdns-recursor < 5.0.2
unbound < 1.19.1
14.0 <= FreeBSD < 14.0_6
13.2 <= FreeBSD < 13.2_11
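On a FreeBSD host the authoritative check is `pkg audit -F`, which fetches vuln.xml and compares every installed package against entries such as this one. The script below is an added example (not part of this VuXML entry, of pkg(8), or of any of the listed projects) that performs the same comparison for just the ranges listed above, so the range semantics are visible: an upper bound is exclusive, a lower bound is inclusive, and a `_N` suffix is the port revision (or, for the `FreeBSD` pseudo-package, the `-pN` patch level of `freebsd-version` output). The version ordering is deliberately simplified (epoch, dotted numeric components, port revision); pkg(8)'s full ordering with letters and `+` is not reproduced. The `pkg query '%n %v'` output and the `freebsd-version` string are constructed sample input, not taken from a real host.

```python
"""Check installed package versions against the affected ranges of this entry.

Added example. Simplified version ordering: 'version[_revision][,epoch]'
with epoch compared first, then dot-separated components (numeric ones as
numbers), then port revision. Not the complete pkg_version(8) ordering.
"""
import re

# Affected ranges copied from the list above:
# (package, lower bound inclusive or None, upper bound exclusive).
# The base system is represented as a package named "FreeBSD",
# which is how pkg audit(8) reports it (assumption: name as used here).
AFFECTED = [
    ("bind916", None, "9.16.48"),
    ("bind918", None, "9.18.24"),
    ("bind9-devel", None, "9.19.21"),
    ("dnsmasq", None, "2.90"),
    ("dnsmasq-devel", None, "2.90"),
    ("powerdns-recursor", None, "5.0.2"),
    ("unbound", None, "1.19.1"),
    ("FreeBSD", "14.0", "14.0_6"),
    ("FreeBSD", "13.2", "13.2_11"),
]


def version_key(v):
    """Sort key for a FreeBSD package version 'version[_revision][,epoch]'."""
    epoch = 0
    if "," in v:                      # ',N' epoch outranks everything else
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:                      # '_N' port revision, compared last
        v, r = v.rsplit("_", 1)
        revision = int(r)
    # Tag components so ints and non-numeric strings never get compared directly.
    parts = tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))
    return (epoch, parts, revision)


def in_range(version, lower, upper):
    """True when lower (inclusive, may be None) <= version < upper (exclusive)."""
    k = version_key(version)
    if lower is not None and k < version_key(lower):
        return False
    return k < version_key(upper)


def freebsd_base_version(freebsd_version_output):
    """Map '14.0-RELEASE-p6' to the '14.0_6' form used in VuXML ranges.

    Returns None for anything that is not a -RELEASE[-pN] string
    (STABLE/CURRENT are versioned differently and are not handled here).
    """
    m = re.fullmatch(r"(\d+\.\d+)-RELEASE(?:-p(\d+))?", freebsd_version_output)
    if not m:
        return None
    return m.group(1) + ("_" + m.group(2) if m.group(2) else "")


def parse_pkg_query(text):
    """Parse `pkg query '%n %v'` output into {name: version}."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, ver = line.split()
            installed[name] = ver
    return installed


def audit(installed):
    """Return [(name, installed_version, first_fixed_version)] for matches."""
    findings = []
    for name, lower, upper in AFFECTED:
        if name in installed and in_range(installed[name], lower, upper):
            findings.append((name, installed[name], upper))
    return findings


# Constructed sample input in the shape of `pkg query '%n %v'` output.
SAMPLE_PKG_QUERY = """unbound 1.19.0
bind918 9.18.24
dnsmasq 2.89_1
powerdns-recursor 5.0.1
"""
SAMPLE_FREEBSD_VERSION = "14.0-RELEASE-p5"   # constructed, as if from freebsd-version

if __name__ == "__main__":
    installed = parse_pkg_query(SAMPLE_PKG_QUERY)
    installed["FreeBSD"] = freebsd_base_version(SAMPLE_FREEBSD_VERSION)
    for name, ver, fixed in audit(installed):
        print(f"{name}-{ver} is affected; first fixed version {fixed}")
```

With the sample data, bind918 9.18.24 is reported clean (it equals the exclusive upper bound) while unbound, dnsmasq (the `_1` revision of 2.89 is still below 2.90), powerdns-recursor and the 14.0-p5 base system are reported affected.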

Details

VuXML ID 21a854cc-cac1-11ee-b7a7-353f1e043d9a
Discovery 2024-02-06
Entry 2024-02-13
Modified 2024-04-01

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.

References

CVE Name CVE-2023-50387
CVE Name CVE-2023-50868
FreeBSD Advisory SA-24:03.unbound
URL https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
URL https://kb.isc.org/docs/cve-2023-50387
URL https://kb.isc.org/docs/cve-2023-50868
URL https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
URL https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/