@roycewilliams
Last active February 15, 2024 23:06
keytrap.md

(mirror snapshot of: https://infosec.exchange/@tychotithonus/111924626712765292)

summary: new DNSSEC validation DoS vulnerabilities CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)

(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)

Looks like DNS-OARC coordinated fixes in advance, but I don't see a centralized analysis, other than this announcement from the team who discovered KeyTrap: https://www.athene-center.de/en/news/press/key-trap ... and their technical paper: https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf (Details may still be partially embargoed until patching ramps up?)

Analysis:

DoS of all major DNSSEC-validating DNS resolvers (servers, but maybe also local resolvers like systemd's?) at the implementation level. Exploitation is described as 'trivial'. Both CVEs are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.

"In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)

Per the Unbound writeup, both vulns require a query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).

Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)

Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.
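The "caps on validation activities" can be illustrated with a toy model of RRSIG validation. This is an added example, not code from any of the resolvers listed on this page or from the KeyTrap authors; the key tags, key ids and the verification check are constructed stand-ins for real DNSSEC key material and cryptography.

```python
# Added example, not code from any resolver listed above: a toy model of RRSIG
# validation showing why the per-signature work can blow up when a DNSKEY RRset
# holds many keys sharing one key tag, and how a work cap of the kind the
# patches added bounds it. Key tags, key ids and "verification" are constructed
# stand-ins, not real DNSSEC cryptography.
from collections import namedtuple
from typing import List, Optional, Tuple

DNSKEY = namedtuple("DNSKEY", "key_tag key_id")   # key_id stands in for key material
RRSIG = namedtuple("RRSIG", "key_tag signer_id")  # signer_id: the key_id it verifies under

def validate_rrset(keys: List[DNSKEY], sigs: List[RRSIG],
                   max_failures: Optional[int] = None) -> Tuple[bool, int]:
    """Return (secure, crypto_ops).

    RFC 4035 / RFC 6840 tell a validator to try every DNSKEY whose key tag
    matches an RRSIG before calling the signature bogus, so N colliding keys
    and M unverifiable RRSIGs cost N*M expensive operations. With max_failures
    set, validation stops (answer is bogus) once that many verifications have
    failed, which is the shape of the caps the fixes introduced.
    """
    ops = failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue          # cheap tag pre-filter, no crypto spent
            ops += 1              # one (simulated) public-key operation
            if key.key_id == sig.signer_id:
                return True, ops  # one good signature secures the RRset
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return False, ops  # cap hit: give up instead of burning more CPU
    return False, ops

def colliding_rrset(n_keys: int, n_sigs: int) -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed worst case: every key shares tag 1234 and no RRSIG verifies."""
    keys = [DNSKEY(1234, i) for i in range(n_keys)]
    sigs = [RRSIG(1234, -1) for _ in range(n_sigs)]
    return keys, sigs

def benign_rrset() -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed normal case: KSK and ZSK with distinct tags, one valid RRSIG."""
    return [DNSKEY(7, 1), DNSKEY(18113, 2)], [RRSIG(18113, 2)]

if __name__ == "__main__":
    keys, sigs = colliding_rrset(10, 10)
    print("uncapped:", validate_rrset(keys, sigs))          # (False, 100)
    print("capped:  ", validate_rrset(keys, sigs, 16))      # (False, 16)
    print("benign:  ", validate_rrset(*benign_rrset(), 16)) # (True, 1)
```

The capped run spends a bounded amount of work on the hostile RRset while the benign RRset still validates with a single operation, which is the behaviour the patches aim for.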

Details:

Two DNSSEC DoS CVEs:

CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H https://seclists.org/oss-sec/2024/q1/125

(KeyTrap was discovered by ATHENE - their press release here has very important detail: https://www.athene-center.de/en/news/press/key-trap)

CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MITRE links (now populated): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868

Vulmon queries: https://vulmon.com/searchpage?q=CVE-2023-50387 https://vulmon.com/searchpage?q=CVE-2023-50868

VulDB: https://vuldb.com/?id.253829

Patch status:

ISC BIND (patched - vuln since 2000?): https://fosstodon.org/@iscdotorg/111924416653890048 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://seclists.org/oss-sec/2024/q1/125 https://www.isc.org/blogs/2024-bind-security-release/ (note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)

Unbound (patched - vuln since Aug 2007): https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt https://seclists.org/oss-sec/2024/q1/126

dnsmasq (patched - 2.90 has fix): https://thekelleys.org.uk/dnsmasq/CHANGELOG https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

Knot Resolver (patched in 5.7.1): https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html

pfSense: (Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package) https://forum.netgate.com/topic/186145/unbound-cve-2023-50387-and-cve-2023-50868/1 https://redmine.pfsense.org/issues/15256

Pi-Hole (uses dnsmasq - patch available) https://www.patreon.com/posts/dnssec-fix-98498055 https://pi-hole.net/blog/2024/02/13/fixing-two-new-dnssec-vulnerabilities/

PowerDNS Recursor (patched - all versions affected): https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released PowerDNS/pdns#13781 PowerDNS/pdns#13784 https://seclists.org/oss-sec/2024/q1/130

systemd-resolved: [?]

OS status:

Fedora: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e24211eff0

FreeBSD: https://cgit.freebsd.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b

Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-50387

Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-50387 https://access.redhat.com/security/security-updates/cve [?]

SUSE: https://bugzilla.suse.com/show_bug.cgi?id=1219823

Ubuntu: https://ubuntu.com/security/CVE-2023-50387 https://ubuntu.com/security/CVE-2023-50868 https://ubuntu.com/security/notices/USN-6633-1

Windows (Server, DNS Role): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387

Package status:

BIND: https://repology.org/project/bind/versions

dnsmasq: https://repology.org/project/dnsmasq/versions

Unbound: https://repology.org/project/unbound/versions

GitHub: https://github.com/advisories/GHSA-8459-gg55-8qjj

Go (Knot module?) golang/vulndb#2552

Non-coverage: (no mentions known yet)

Akamai https://www.akamai.com/blog [?]

AWS [?]

Azure (Microsoft Server DNS?) [?]

Cisco Umbrella: https://umbrella.cisco.com/blog [?]

Cloudflare https://blog.cloudflare.com/ [?]

CoreDNS https://coredns.io/blog/ [?]

Google DNS [?] (The Register article (see below) says Google is aware)

Infoblox https://blogs.infoblox.com/ [?]

Quad9 DNS https://www.quad9.net/news/blog/ [?]

News/Press:

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/

Detection/Validation:

Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):

```
# zone signed, server DNSSEC-enabled:
$ delv example.net @8.8.8.8
; fully validated
example.net.            4437    IN      A       93.184.216.34
example.net.            4437    IN      RRSIG   A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==

# zone unsigned, server DNSSEC-enabled:
$ delv google.com @8.8.8.8
; unsigned answer
google.com.             100     IN      A       142.250.69.206
```

Tenable: https://www.tenable.com/plugins/pipeline/issues/165587

Exploits:

(none yet known / public, but multiple sources describe as "trivial")

#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868 #dns #dnssec
