CVE-2023-50387 (KeyTrap)

CVSS v3.1 7.5 (High)
EPSS 5.00% (93rd)
Affected Products 13
Advisories 71
NVD Status Modified

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Weaknesses
CWE-770
Allocation of Resources Without Limits or Throttling
Alias
CVE Status
PUBLISHED
NVD Status
Modified
CNA
MITRE
Published Date
2024-02-14 16:15:45
(6 months ago)
Updated Date
2024-06-10 17:16:15
(2 months ago)

Affected Products


Configuration #1

  Product                      CPE23                                  From  Up To
  Redhat Enterprise Linux 6.0  cpe:2.3:o:redhat:enterprise_linux:6.0
  Redhat Enterprise Linux 7.0  cpe:2.3:o:redhat:enterprise_linux:7.0
  Redhat Enterprise Linux 8.0  cpe:2.3:o:redhat:enterprise_linux:8.0
  Redhat Enterprise Linux 9.0  cpe:2.3:o:redhat:enterprise_linux:9.0

Configuration #2

  Product                                      CPE23                                                       From  Up To
  Microsoft Windows Server 2008 R2 SP1 on X64  cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64
  Microsoft Windows Server 2012                cpe:2.3:o:microsoft:windows_server_2012:-
  Microsoft Windows Server 2012 R2             cpe:2.3:o:microsoft:windows_server_2012:r2
  Microsoft Windows Server 2016                cpe:2.3:o:microsoft:windows_server_2016:-
  Microsoft Windows Server 2019                cpe:2.3:o:microsoft:windows_server_2019:-
  Microsoft Windows Server 2022                cpe:2.3:o:microsoft:windows_server_2022:-
  Microsoft Windows Server 2022 23h2           cpe:2.3:o:microsoft:windows_server_2022_23h2:-

Configuration #3

  Product                  CPE23                              From  Up To
  Fedoraproject Fedora 39  cpe:2.3:o:fedoraproject:fedora:39

Configuration #4

  Product                                CPE23                         From  Up To
  Thekelleys Dnsmasq prior 2.90 version  cpe:2.3:a:thekelleys:dnsmasq        < 2.90

Configuration #5

  Product                               CPE23                        From  Up To
  Nic Knot Resolver prior 5.71 version  cpe:2.3:a:nic:knot_resolver        < 5.71

Configuration #6

  Product                                                       CPE23                        From      Up To
  Powerdns Recursor from 4.8.0 version and prior 4.8.6 version  cpe:2.3:a:powerdns:recursor  >= 4.8.0  < 4.8.6
  Powerdns Recursor from 4.9.0 version and prior 4.9.3 version  cpe:2.3:a:powerdns:recursor  >= 4.9.0  < 4.9.3
  Powerdns Recursor from 5.0.0 version and prior 5.0.2 version  cpe:2.3:a:powerdns:recursor  >= 5.0.0  < 5.0.2

Configuration #7

  Product                                                      CPE23                        From       Up To
  Isc Bind from 9.0.0 version and 9.16.46 and prior versions   cpe:2.3:a:isc:bind::*:*:*:-  >= 9.0.0   <= 9.16.46
  Isc Bind from 9.18.0 version and 9.18.22 and prior versions  cpe:2.3:a:isc:bind::*:*:*:-  >= 9.18.0  <= 9.18.22
  Isc Bind from 9.19.0 version and 9.19.20 and prior versions  cpe:2.3:a:isc:bind::*:*:*:-  >= 9.19.0  <= 9.19.20

Configuration #8

  Product                                 CPE23                        From  Up To
  Nlnetlabs Unbound prior 1.19.1 version  cpe:2.3:a:nlnetlabs:unbound        < 1.19.1