DNS resolvers inherited specification bug

A protocol error in the venerable Domain Name System Security Extensions (DNSSEC) specification, dubbed Key Trap, exposes DNS resolvers worldwide to denial-of-service attacks.

While CVE-2023-50387 only rates a CVSS score of 7.5, its ease of exploitation makes patching an urgent matter.

A team of researchers from Germany’s ATHENE cyber security research centre found the Key Trap error in the DNSSEC protocol, after they invented a class of attack they called Algorithmic Complexity Attacks.

“They demonstrated that just with a single DNS packet, the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” the researchers wrote.

“In fact, the popular Bind9 DNS implementation can be stalled for as long as 16 hours.”

The researchers say more than 31 percent of web clients use DNSSEC-validating resolvers, so the attacks affect not only DNS but also any application using it.

“An unavailability of DNS may not only prevent access to content but risks also disabling security mechanisms, like anti-spam defences, Public Key Infrastructures (PKI), or even inter-domain routing security like RPKI (Resource Public Key Infrastructure).”

The researchers did not provide technical detail on KeyTrap, but they say the protocol bug has existed for a long time.

The bug was inherited by the current specifications, RFC 6781 and RFC 6840 from the obsolete RFC 2535.

The ATHENE researchers say the bug has existed in the wild since at least August 2000 in the de facto standard Bind9 DNS resolver, and since August 2007 in the Unbound DNS resolver.

The Internet Systems Consortium, which maintains Bind9, has issued a patch, as has NLNetLabs, which maintains Unbound.

Microsoft patched the bug as part of Patch Tuesday, in Windows Server versions dating back as far as 2012.

Linux distributions inherit the bug in their DNSSEC-capable servers and will be patched as upstream patches become available.

Key Trap also affected public resolvers like Google Public DNS and Cloudflare, the researchers said.

While the ATHENE team said it’s been working with all major vendors to mitigate the attacks, a complete fix will require a redesign of the DNSSEC protocol.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts