February 14, 2024 at 08:03AM
A new DNS vulnerability, named KeyTrap (CVE-2023-50387), has been discovered by researchers. The flaw in DNSSEC could allow attackers to disrupt large parts of the internet with a single specially crafted DNS packet. While patches are being released, fully preventing the attack may require changes to the underlying DNSSEC design. The impact is significant for widely used DNS implementations and services.
Key takeaways:
– A new DNS-related vulnerability, named KeyTrap (CVE-2023-50387), has been disclosed by a team of researchers at the ATHENE National Research Center for Applied Cybersecurity.
– KeyTrap is a critical flaw in the design of Domain Name System Security Extensions (DNSSEC) and can be exploited to disable large parts of the internet by causing CPU resource exhaustion with a single specially crafted DNS packet.
– Systems using a DNSSEC-validating DNS resolver are impacted, with more than 31% of web clients using such resolvers as of December 2023.
– The attack could have severe consequences for applications that depend on the internet, making technologies such as web browsing, e-mail, and instant messaging unavailable.
– KeyTrap impacts widely used DNS implementations and DNS service providers, including vendors like Google and Cloudflare. Patches have been released, with the last patch available on February 13.
– Completely preventing KeyTrap attacks requires changing the underlying design philosophy of DNSSEC.
– The underlying weakness has existed for more than two decades, but there is no indication that it has been exploited in the wild.
– Security advisories for CVE-2023-50387 have been published by Microsoft, BIND, PowerDNS, and NLnet (Unbound).
– In the case of BIND, the researchers claimed that “it can be stalled for as long as 16 hours”.