Vulnerability Description
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Enterprise Linux | 6.0 |
| Microsoft | Windows Server 2008 | r2 |
| Microsoft | Windows Server 2012 | - |
| Microsoft | Windows Server 2016 | - |
| Microsoft | Windows Server 2019 | - |
| Microsoft | Windows Server 2022 | - |
| Microsoft | Windows Server 2022 23H2 | - |
| Fedoraproject | Fedora | 39 |
| Thekelleys | Dnsmasq | < 2.90 |
| Nic | Knot Resolver | < 5.71 |
| Powerdns | Recursor | >= 4.8.0, < 4.8.6 |
| Isc | Bind | >= 9.0.0, <= 9.16.46 |
| Nlnetlabs | Unbound | < 1.19.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/02/16/2Mailing List
- http://www.openwall.com/lists/oss-security/2024/02/16/3Mailing List
- https://access.redhat.com/security/cve/CVE-2023-50387Third Party Advisory
- https://bugzilla.suse.com/show_bug.cgi?id=1219823Issue Tracking
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01Third Party Advisory
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1Patch
- https://kb.isc.org/docs/cve-2023-50387Third Party AdvisoryVDB Entry
- https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
- https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2023-50387?
CVE-2023-50387 is a vulnerability with a CVSS score of 7.5 (HIGH). Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka...
How severe is CVE-2023-50387?
CVE-2023-50387 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-50387?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Enterprise Linux, Microsoft Windows Server 2008, Microsoft Windows Server 2012, Microsoft Windows Server 2016, Microsoft Windows Server 2019.