CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Published: Feb 14, 2024
Updated: Feb 21, 2024
CVE: CVE-2023-50387
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	6.0	6.0.x
redhat / enterprise_linux	8.0	8.0.x
redhat / enterprise_linux	9.0	9.0.x
microsoft / windows_server_2008	r2-sp1	r2-sp1.x
microsoft / windows_server_2012	r2	r2.x
fedoraproject / fedora	39	39.x
thekelleys / dnsmasq	-	2.90
nic / knot_resolver	-	5.71
powerdns / recursor	5.0.0	5.0.2
powerdns / recursor	4.9.0	4.9.3
powerdns / recursor	4.8.0	4.8.6
isc / bind	9.19.0	9.19.20.x
isc / bind	9.18.0	9.18.22.x
isc / bind	9.0.0	9.16.46.x
nlnetlabs / unbound	-	1.19.1

Vulnerability Database

289,599

CVE-2023-50387