KeyTrap and NSEC3 vulnerabilities affecting most DNSSEC implementations

Two vulnerabilities have been identified in various implementations of the DNSSEC protocol, affecting the BIND, PowerDNS, dnsmasq, Knot Resolver, and Unbound DNS resolvers. The vulnerabilities can cause a denial of service in DNS resolvers that perform DNSSEC validation by inducing a high CPU load that interferes with the processing of other requests. To carry out an attack, it is enough to send a request to a DNSSEC-validating resolver that makes it query a specially crafted DNS zone on the attacker's server.

Issues identified:

  • CVE-2023-50387 (codename KeyTrap) – Accessing specially crafted DNS zones leads to a denial of service due to the significant CPU load and long execution time of DNSSEC checks. To carry out an attack, the attacker must host a domain zone with malicious settings on a DNS server under their control and ensure that this zone is queried by the recursive DNS server whose denial of service they seek.

    Malicious settings involve using a combination of conflicting keys, RRSET records, and digital signatures for a zone. Attempting to verify using these keys results in time-consuming, resource-intensive operations that can completely load the CPU and block the processing of other requests (for example, it is claimed that in an attack on BIND it was possible to stop the processing of other requests for 16 hours).

  • CVE-2023-50868 (codename NSEC3) – A denial of service caused by the significant computation required to calculate hashes for NSEC3 (Next Secure v3) records when processing specially crafted DNSSEC responses. The attack method is similar to that of the first vulnerability, except that a specially crafted set of NSEC3 RRSET records is placed on the attacker's DNS server.

It is noted that the above vulnerabilities stem from the DNSSEC specification allowing a DNS server to send all of its available cryptographic keys, while a resolver must try every received key until validation succeeds or all received keys have been checked.

As mitigations, resolvers now limit the maximum number of DNSSEC keys involved in building the chain of trust and the maximum number of NSEC3 hash calculations, and also cap the number of verification attempts for each RRSET (key-signature combination) and for each server response.
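The following added model illustrates the two points above: the RRSIG/DNSKEY matching loop that forces a validator to try every candidate key, and the per-RRset attempt budget that the patched resolvers introduce. It is example code written for this page, not code from any of the resolvers named; the DNSKEY/RRSIG classes, the attempt cap and the constructed inputs are simplifications.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int   # 16-bit key tag used to pre-select candidate keys
    label: str     # constructed stand-in for the public key material


@dataclass(frozen=True)
class RRSIG:
    key_tag: int   # key tag of the key that supposedly produced the signature
    label: str     # constructed stand-in for the signature bytes


class ValidationBudgetExceeded(Exception):
    """Raised when an RRset costs more verification attempts than allowed."""


def validate_rrset(keys, sigs, verify, max_attempts=None):
    """Return (validated, attempts_made).

    Mirrors the standard matching rule: every RRSIG whose key tag matches a
    DNSKEY is a candidate pairing and must be tried until one verifies.
    Without a cap the work is (matching keys) x (signatures). max_attempts is
    the hypothetical per-RRset budget that bounds that work.
    """
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue  # tag mismatch: cheap pre-filter, no crypto done
            if max_attempts is not None and attempts >= max_attempts:
                raise ValidationBudgetExceeded(attempts)
            attempts += 1
            if verify(key, sig):   # the expensive public-key operation
                return True, attempts
    return False, attempts


def colliding_rrset(n_keys, n_sigs, key_tag=12345):
    """Constructed test input: n_keys keys that all share one key tag and
    n_sigs signatures claiming that tag, so every pairing is a candidate."""
    keys = [DNSKEY(key_tag, f"key{i}") for i in range(n_keys)]
    sigs = [RRSIG(key_tag, f"sig{j}") for j in range(n_sigs)]
    return keys, sigs


def never_verifies(key, sig):
    """Stand-in for a signature check that always fails (worst case)."""
    return False
```

With 10 keys and 10 signatures the uncapped loop performs 100 verifications for a single RRset, whereas a budget of 16 aborts validation early and fails closed.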

The vulnerabilities are fixed in updates to Unbound (1.19.1), PowerDNS Recursor (4.8.6, 4.9.3, 5.0.2), Knot Resolver (5.7.1), dnsmasq (2.90) and BIND (9.16.48, 9.18.24 and 9.19.21). The status of vulnerabilities in distributions can be assessed on these pages: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo, Slackware, NetBSD, FreeBSD.

BIND DNS server versions 9.16.48, 9.18.24 and 9.19.21 also fix several other vulnerabilities:

  • CVE-2023-4408 – Parsing large DNS messages can cause high CPU load.
  • CVE-2023-5517 – A request for a specially crafted reverse zone can lead to a crash due to an assertion check being triggered. The problem only appears in configurations with the “nxdomain-redirect” setting enabled.
  • CVE-2023-5679 – Recursive host detection can lead to a crash due to an assertion check being triggered on systems with DNS64 support and “serve-stale” enabled (the stale-cache-enable and stale-answer-enable settings).
  • CVE-2023-6516 – Specially crafted recursive queries may cause the process to exhaust the memory available to it.

Source: opennet.ru
