The CVE-2023-50387 vulnerability involves a critical issue in the DNSSEC protocol, specifically in RFC 4033, 4034, 4035, 6840, and related RFCs. This vulnerability, dubbed the "KeyTrap" issue, allows a remote attacker to cause a denial of service (DoS) through high CPU consumption by means of one or more DNSSEC responses.

Background

The Domain Name System Security Extensions (DNSSEC) is a suite of technologies designed to ensure the security and integrity of DNS data. DNSSEC protects against data tampering, hijacking, and man-in-the-middle (MITM) attacks by providing authentication and integrity protection to DNS data using digital signatures.

The Problem

The "KeyTrap" issue lies in how DNSSEC validators process DNSKEY and RRSIG records. The protocol specification implies that a validator must try every combination of DNSKEY and RRSIG records, so a zone containing many such records forces a large number of signature verifications. This can drive CPU consumption high enough to amount to a denial of service (DoS), as the server becomes unable to process legitimate requests effectively.
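To make the cost described above concrete, here is an added simulation; it is not code from the original page or from any resolver implementation. It models the candidate-matching loop a validator performs (an RRSIG is tried against each DNSKEY whose key tag and algorithm match it), counts each attempted signature verification as one unit of CPU work, and shows how an attempt budget caps that work. The budget is assumed here purely as an illustration of a defensive limit, not as any vendor's specific fix. The DNSKEY and RRSIG classes, the verify() stand-in, the build_records() helper and the sample record sets are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the original page): an in-memory model of the
# DNSKEY/RRSIG matching loop a validating resolver performs. There is no
# real cryptography and no network traffic; verify() is a stand-in that is
# counted as one unit of CPU work. The attempt budget is an illustrative
# defensive limit assumed here, not any particular resolver's actual fix.


@dataclass(frozen=True)
class DNSKEY:
    key_id: int      # constructed identity of the key (not a DNS field)
    key_tag: int     # 16-bit key tag (RFC 4034 Appendix B); tags are NOT unique
    algorithm: int   # DNSSEC algorithm number


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signed_by: Optional[int]   # key_id of the genuine signer, None if bogus


def verify(key: DNSKEY, sig: RRSIG) -> bool:
    """Stand-in for one expensive signature verification."""
    return sig.signed_by == key.key_id


def candidates(keys: List[DNSKEY], sig: RRSIG) -> List[DNSKEY]:
    """RFC 4035 section 5.3.1: a DNSKEY is a candidate for an RRSIG when
    its key tag and algorithm match those named in the RRSIG."""
    return [k for k in keys if k.key_tag == sig.key_tag and k.algorithm == sig.algorithm]


def validate(keys: List[DNSKEY], sigs: List[RRSIG], budget: Optional[int] = None) -> Tuple[str, int]:
    """Try every RRSIG against every candidate DNSKEY until one verifies.

    Returns (status, attempts). With budget=None this is the unbounded
    behaviour the specification implies: when every pair is a candidate and
    nothing verifies, attempts grow as |DNSKEY| x |RRSIG|. With a budget the
    validator stops early and answers SERVFAIL instead of burning CPU.
    """
    attempts = 0
    for sig in sigs:
        for key in candidates(keys, sig):
            if budget is not None and attempts >= budget:
                return "SERVFAIL", attempts
            attempts += 1
            if verify(key, sig):
                return "SECURE", attempts
    return "BOGUS", attempts


def build_records(n_keys: int, n_sigs: int, colliding: bool,
                  signer_id: Optional[int] = None) -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed sample data: n_keys DNSKEY records and n_sigs RRSIG records.

    colliding=True gives every record the same key tag, so every
    (DNSKEY, RRSIG) pair is a candidate. colliding=False gives each key its
    own tag, so an RRSIG matches at most one key. signer_id names the key
    that genuinely produced the signatures (None means none does).
    """
    keys = [DNSKEY(key_id=i, key_tag=(0 if colliding else i), algorithm=13)
            for i in range(n_keys)]
    sigs = [RRSIG(key_tag=(0 if colliding else j), algorithm=13, signed_by=signer_id)
            for j in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    for n in (2, 10, 50):
        keys, sigs = build_records(n, n, colliding=True)
        print(f"{n} keys x {n} sigs, all colliding, none valid -> {validate(keys, sigs)}")
        print(f"  same data with a budget of 16 -> {validate(keys, sigs, budget=16)}")
    keys, sigs = build_records(10, 1, colliding=False, signer_id=0)
    print(f"legitimate zone, one signature, one matching key -> {validate(keys, sigs)}")
```

Running the script prints the attempt count growing quadratically for the colliding case while the budgeted call returns SERVFAIL after 16 attempts, and shows that an ordinary zone is validated in a single attempt. The point of the budget is that a legitimate response never needs anywhere near the work a pathological one demands, so a cap turns unbounded CPU consumption into a bounded, loggable failure.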

Exploit details

The exploit involves a remote attacker sending one or more DNSSEC responses to a vulnerable server, which causes it to exhaust its resources by evaluating all combinations of DNSKEY and RRSIG records.

A code snippet illustrating the issue

import dns.message
import dns.query
import dns.rdatatype

def send_dnssec_query(target_ip, target_port, domain):
    # Ask for the zone's records with the DO bit set so the server includes DNSSEC data
    query = dns.message.make_query(domain, dns.rdatatype.ANY, want_dnssec=True)
    response = dns.query.udp(query, target_ip, port=target_port)

    # Print only the DNSKEY and RRSIG records, the two record types KeyTrap combines
    for rrset in response.answer:
        if rrset.rdtype in (dns.rdatatype.DNSKEY, dns.rdatatype.RRSIG):
            print(rrset)

# (The following line is for testing purposes)
# send_dnssec_query("8.8.8.8", 53, "vulnerable-zone.example")

Mitigation

While the definitive solution to the "KeyTrap" issue is a major update to the DNSSEC protocol itself, some workarounds can be implemented in the meantime:

Original references

- RFC 4033 - DNS Security Introduction and Requirements
- RFC 4034 - Resource Records for the DNS Security Extensions
- RFC 4035 - Protocol Modifications for the DNS Security Extensions
- RFC 6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC)

Conclusion

CVE-2023-50387, also known as the "KeyTrap" issue, is a significant vulnerability in the DNSSEC protocol. It allows remote attackers to exhaust a vulnerable server's resources, causing high CPU consumption and a subsequent denial of service (DoS). Administrators are advised to be vigilant and apply any available workarounds until a definitive solution is implemented in the DNSSEC protocol.

Timeline

Published on: 02/14/2024 16:15:45 UTC
Last modified on: 02/21/2024 13:15:07 UTC