Most DNSSEC implementations vulnerable to KeyTrap and NSEC3 exploits

Two vulnerabilities affecting the BIND, PowerDNS, dnsmasq and Unbound DNS servers have been identified in various implementations of the DNSSEC protocol. They allow a denial of service against DNS resolvers that perform DNSSEC validation by creating a high CPU load that interferes with the processing of other requests. To carry out an attack, it is enough to send a request to a DNSSEC-validating resolver that causes it to look up a specially crafted DNS zone hosted on the attacker's server.

Issues identified:

  • CVE-2023-50387 (codename KeyTrap) – accessing specially crafted DNS zones leads to a denial of service due to a significant CPU load and long-running DNSSEC checks. To carry out an attack, the attacker must host a domain zone with malicious settings on a DNS server under their control and cause the targeted recursive DNS server to query that zone.

    The malicious settings involve a combination of conflicting keys, RRSETs and digital signatures in the zone. Attempting to verify them with these keys results in time-consuming, resource-intensive operations that can fully load the CPU and block the processing of other requests (for example, it is claimed that in an attack on BIND it was possible to stop the processing of other requests for 16 hours).

  • CVE-2023-50868 (codename NSEC3) – denial of service due to the heavy computation performed when calculating hashes for NSEC3 (Next Secure v3) records while processing specially formatted DNSSEC responses. The attack method is similar to the first vulnerability, except that a specially crafted set of NSEC3 RRSETs is created on the attacker's DNS server.

It is noted that the vulnerabilities stem from the DNSSEC specification: a DNS server is allowed to send all of its available cryptographic keys, while resolvers must process every key received until a check succeeds or all received keys have been tried.

To block the vulnerabilities, resolvers now limit the maximum number of DNSSEC keys involved in building the chain of trust and the maximum number of NSEC3 hash computations, and also limit verification retries for each RRSET (key/signature combination) and for each server response.
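The two mitigations described above, as an added example that is not code from the article or from any of the named resolvers: a toy model of RRset validation with a per-RRset budget on (key, signature) verification attempts, and an RFC 5155 NSEC3 hash with a cap on the iteration count. Signature verification is a constructed HMAC stand-in for the real public-key operation (every signature is simply tried against every key, with no key-tag filtering), and the budget values are constructed, not any resolver's defaults.

```python
# Added example: toy model of the KeyTrap / NSEC3 mitigations.
# Not the article's code and not any resolver's implementation.
import hashlib
import hmac
from dataclasses import dataclass

MAX_VALIDATION_ATTEMPTS = 16   # constructed budget: (key, signature) pairs tried per RRset
MAX_NSEC3_ITERATIONS = 150     # constructed cap: zones above it are not hashed at all


@dataclass(frozen=True)
class DnsKey:
    secret: bytes        # constructed stand-in for DNSKEY public-key material


@dataclass(frozen=True)
class RrSig:
    signature: bytes     # constructed stand-in for an RRSIG signature field


def toy_sign(rrset: bytes, key: DnsKey) -> RrSig:
    """Constructed stand-in for RRSIG generation (HMAC-SHA256 over the RRset)."""
    return RrSig(hmac.new(key.secret, rrset, hashlib.sha256).digest())


def toy_verify(rrset: bytes, sig: RrSig, key: DnsKey) -> bool:
    """Constructed stand-in for the expensive public-key verification step."""
    expected = hmac.new(key.secret, rrset, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)


def validate_rrset(rrset, rrsigs, dnskeys, max_attempts=MAX_VALIDATION_ATTEMPTS):
    """Try every signature against every key until one verifies.

    Returns (status, attempts).  With max_attempts=None this is the unbounded
    behaviour the article describes: the resolver keeps verifying until a
    signature checks out or every (key, signature) pair has been tried.  With a
    budget, the resolver stops early and treats the RRset as bogus (fail closed).
    """
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if max_attempts is not None and attempts >= max_attempts:
                return "bogus", attempts          # budget exhausted: give up
            attempts += 1
            if toy_verify(rrset, sig, key):
                return "secure", attempts
    return "bogus", attempts


def _wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int,
               max_iterations: int = MAX_NSEC3_ITERATIONS):
    """RFC 5155 NSEC3 hash: SHA-1(name || salt), then SHA-1(prev || salt) `iterations` times.

    Returns the hex digest, or None when the zone asks for more iterations than
    the resolver is willing to compute (the NSEC3 cap the article describes).
    """
    if iterations > max_iterations:
        return None
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest.hex()


if __name__ == "__main__":
    rrset = b"www.example. IN A 192.0.2.1"                # constructed RRset bytes
    good_key = DnsKey(b"good")
    print(validate_rrset(rrset, [toy_sign(rrset, good_key)], [good_key]))
    # 50 keys and 50 signatures that never verify: 2500 attempts unbounded, 16 with the budget
    keys = [DnsKey(b"k%d" % i) for i in range(50)]
    sigs = [RrSig(b"\x00" * 32) for _ in range(50)]
    print(validate_rrset(rrset, sigs, keys))
    print(validate_rrset(rrset, sigs, keys, max_attempts=None))
    print(nsec3_hash("example.", b"\xab\xcd", 10))
    print(nsec3_hash("example.", b"\xab\xcd", 10_000))   # None: over the iteration cap
```

The trade-off is visible in the first function: a budget makes the resolver fail closed on any RRset that would need more verification attempts than the limit, so a zone that legitimately publishes many keys and signatures may validate as bogus, which is why the caps are set well above what normal zones need.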

The vulnerabilities are fixed in Unbound 1.19.1, PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2, Knot Resolver 5.7.1, dnsmasq 2.90 and BIND 9.16.48, 9.18.24 and 9.19.21. The status of the fixes in distributions can be checked on these pages: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo, Slackware, NetBSD, FreeBSD.

BIND DNS server versions 9.16.48, 9.18.24 and 9.19.21 additionally fix several more vulnerabilities:

  • CVE-2023-4408 – parsing large DNS messages can create a high CPU load.
  • CVE-2023-5517 – a query for a specially crafted reverse zone can lead to abnormal termination due to an assertion failure. The problem only appears in configurations with the “nxdomain-redirect” setting enabled.
  • CVE-2023-5679 – recursive host resolution can lead to abnormal termination due to an assertion failure on systems with DNS64 support and “serve-stale” enabled (the stale-cache-enable and stale-answer-enable settings).
  • CVE-2023-6516 – specially crafted recursive queries can exhaust the memory available to the process.
