CVE-2023-50387

CVSS Score: 7.5 HIGH

📋 TL;DR

CVE-2023-50387 (KeyTrap) is a DNSSEC protocol vulnerability that allows remote attackers to cause denial of service by exhausting CPU resources through specially crafted DNSSEC responses. The vulnerability affects DNS resolvers that validate DNSSEC signatures, particularly when processing zones with many DNSKEY and RRSIG records. This impacts organizations running DNSSEC-validating DNS resolvers like PowerDNS Recursor, BIND, Unbound, and Knot Resolver.
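The CPU cost described above comes from the validator's retry loop: for each RRSIG the resolver must try every DNSKEY whose key tag matches until one verifies, so many keys sharing one tag combined with many signatures that never verify multiplies the number of expensive public-key operations. The toy model below is added here as an illustration and is not code from the original page or from any resolver; it counts those verification attempts with and without a per-query budget of the kind the patched resolvers apply. The record shapes, key names and the budget value are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DnsKey:
    key_tag: int  # 16-bit tag resolvers use to pre-select candidate keys
    key_id: str   # stands in for the actual public key material


@dataclass(frozen=True)
class RrSig:
    key_tag: int              # tag of the key this signature claims to be made with
    signed_by: Optional[str]  # key_id that really verifies it; None = never verifies


def expensive_verify(key: DnsKey, sig: RrSig) -> bool:
    """Stand-in for a public-key signature check; this is the costly step."""
    return sig.signed_by == key.key_id


def validate_rrset(dnskeys: List[DnsKey], rrsigs: List[RrSig],
                   budget: Optional[int] = None) -> Tuple[int, str]:
    """Validate an RRset the way an unbounded resolver does, optionally capped.

    Returns (verifications_attempted, outcome) where outcome is 'secure',
    'bogus' (every candidate tried, nothing verified) or 'budget_exceeded'.
    A resolver may only skip keys whose tag differs; every matching key must
    be tried until one verifies.
    """
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag != sig.key_tag:
                continue  # cheap pre-filter, no crypto involved
            if budget is not None and attempts >= budget:
                return attempts, "budget_exceeded"
            attempts += 1
            if expensive_verify(key, sig):
                return attempts, "secure"
    return attempts, "bogus"


def honest_zone() -> Tuple[List[DnsKey], List[RrSig]]:
    """A normal zone (constructed): two keys with distinct tags, one good signature."""
    keys = [DnsKey(12345, "ksk"), DnsKey(54321, "zsk")]
    sigs = [RrSig(54321, "zsk")]
    return keys, sigs


def colliding_zone(n_keys: int, n_sigs: int) -> Tuple[List[DnsKey], List[RrSig]]:
    """Constructed worst case: every key shares one tag and no signature
    verifies, so the pre-filter eliminates nothing and the loop performs
    n_keys * n_sigs expensive checks before concluding 'bogus'."""
    keys = [DnsKey(7, f"k{i}") for i in range(n_keys)]
    sigs = [RrSig(7, None) for _ in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    print(validate_rrset(*honest_zone()))                      # (1, 'secure')
    print(validate_rrset(*colliding_zone(20, 20)))             # (400, 'bogus')
    print(validate_rrset(*colliding_zone(20, 20), budget=16))  # (16, 'budget_exceeded')
```

The unbounded run shows why CPU, not bandwidth, is the exhausted resource: a single response of a few kilobytes drives hundreds of signature checks. The budgeted run shows the shape of the fix, which is to stop validating and treat the answer as bogus once a per-query limit is reached rather than to try every remaining candidate.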

💻 Affected Systems

Products:
  • PowerDNS Recursor
  • BIND
  • Unbound
  • Knot Resolver
  • Microsoft DNS Server
  • dnsmasq with DNSSEC
  • Other DNSSEC-validating resolvers
Versions: All versions prior to patches released in early 2024
Operating Systems: Linux, Windows Server, BSD variants (any OS running the affected DNS software)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with DNSSEC validation enabled. Systems without DNSSEC validation are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete DNS resolution service outage for extended periods, making all DNS-dependent services unavailable to users

🟠 Likely Case: Significant performance degradation of DNS resolvers, leading to intermittent service disruptions and increased latency

🟢 If Mitigated: Minimal impact with proper rate limiting, query filtering, and updated software

🌐 Internet-Facing: HIGH - DNS resolvers are inherently internet-facing and directly exposed to malicious traffic
🏢 Internal Only: LOW - Only affects systems that process external DNS queries with DNSSEC validation

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious DNSSEC responses to vulnerable resolvers. The attack can be performed remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by vendor: PowerDNS Recursor 4.8.6/4.9.4, BIND 9.16.48/9.18.24/9.19.22, Unbound 1.18.0, Knot Resolver 5.7.2

Vendor Advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html

Restart Required: Yes

Instructions:

1. Identify the affected DNS resolver software and its version.
2. Check the vendor advisory for the specific patch version.
3. Apply the vendor-recommended update.
4. Restart the DNS service.
5. Verify that DNSSEC validation is functioning correctly.

🔧 Temporary Workarounds

Disable DNSSEC validation (applies to: all)

Temporarily disable DNSSEC validation to prevent exploitation while patching; this also removes the protection DNSSEC provides, so re-enable it once the patch is in place.

# For PowerDNS Recursor: set dnssec=off in recursor.conf
# For BIND: set 'dnssec-validation no;' in the options block of named.conf (commenting out 'dnssec-validation auto;' is not enough, because auto is the default)
# For Unbound: drop the validator module, e.g. module-config: "iterator" in unbound.conf ('val-permissive-mode: yes' still runs validation and only changes how failures are reported)

Implement rate limiting (applies to: all)

Limit queries per client to reduce the impact of DoS attacks

# For PowerDNS Recursor: max-cache-entries-ratio=0.1 (confirm against the settings reference for your version)
# For BIND: rate-limit { responses-per-second 10; };
# For Unbound: ratelimit: 1000

🧯 If You Can't Patch

  • Implement network-level filtering to block malicious DNS traffic using IDS/IPS
  • Deploy redundant DNS resolvers with load balancing to maintain service during attacks

🔍 How to Verify

Check if Vulnerable:

Check DNS resolver version against patched versions. Test with DNSSEC validation enabled using tools like dig to verify resolver behavior.

Check Version:

# PowerDNS: pdns_recursor --version
# BIND: named -v
# Unbound: unbound -V
# Knot Resolver: kresd --version

Verify Fix Applied:

Verify that the updated version is running, test DNSSEC validation against known-good signed domains, and monitor CPU usage during validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage on DNS servers
  • Increased query timeouts
  • DNSSEC validation failures
  • Excessive cache misses

Network Indicators:

  • Spike in DNS query volume
  • Unusual DNSSEC response patterns
  • Traffic from unexpected sources to port 53

SIEM Query:

source="dns_server" cpu_usage>90 (process="named" OR process="pdns_recursor" OR process="unbound" OR process="kresd") | stats count by host
