oss-sec mailing list archives
Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
From: Yorgos Thessalonikefs <yorgos () nlnetlabs nl>
Date: Tue, 13 Feb 2024 15:07:38 +0100
Hi there,

(The official announcement and more information can be found at: https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/)

DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. There are two known vulnerabilities: CVE-2023-50387 (referred to here as the KeyTrap vulnerability) and CVE-2023-50868 (referred to here as the NSEC3 vulnerability).

We are categorizing the vulnerabilities with a HIGH severity for Unbound. We are releasing 1.19.1 on the 13th of February including the relevant fixes.

== Summary

Both vulnerabilities, via specially crafted DNSSEC answers, can lead DNSSEC validators down a very CPU intensive and time costly validation/NSEC3 hash calculation path. This results in degraded performance and denial of service in trivially orchestrated attacks.

Unbound 1.19.1 includes fixes for better performance under such DNSSEC validation attacks.

== Affected products

Unbound up to and including 1.19.0.

== Solution

Install Unbound 1.19.1. Or apply the following patch to the latest Unbound versions (1.18.0 - 1.19.0):
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff

Apply the patch using:
patch -p1 < patch_CVE-2023-50387_CVE-2023-50868.diff

== Acknowledgments

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for discovering and responsibly disclosing the KeyTrap vulnerability.

We would like to thank Petr Špaček from ISC for discovering and responsibly disclosing the NSEC3 vulnerability.

* This email is signed. Keys of the NLnet Labs people are published on https://www.nlnetlabs.nl/people/ *

Best regards,
-- Yorgos
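A small triage helper for the version ranges stated in the advisory above (fixed in 1.19.1, patch applies to 1.18.0 - 1.19.0, anything older needs an upgrade). This is an added example, not code from NLnet Labs or the Unbound project; it assumes `unbound -V` prints a first line of the form "Version 1.19.0", which the banner-parsing function treats as an assumption.

```shell
#!/bin/sh
# Classify an Unbound version against the advisory's ranges:
#   fixed     -> 1.19.1 or later (contains the CVE-2023-50387/50868 fixes)
#   patchable -> 1.18.0 .. 1.19.0 (the published patch applies with patch -p1)
#   upgrade   -> older than 1.18.0 (affected, and no patch is offered)

# vernum VERSION: turn "MAJOR.MINOR.PATCH" into one integer so that plain
# integer comparison orders versions correctly (assumes each field < 1000).
# A trailing suffix such as "rc1" on the last field is ignored.
vernum() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch%%[!0-9]*}
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# unbound_status VERSION: print fixed | patchable | upgrade for that version.
unbound_status() {
    v=$(vernum "$1")
    if [ "$v" -ge "$(vernum 1.19.1)" ]; then
        echo fixed
    elif [ "$v" -ge "$(vernum 1.18.0)" ]; then
        echo patchable
    else
        echo upgrade
    fi
}

# installed_unbound_version: read the version from the local binary's banner.
# Assumption of this example: the first line of `unbound -V` is "Version X.Y.Z".
installed_unbound_version() {
    unbound -V 2>/dev/null | awk 'NR == 1 && $1 == "Version" { print $2; exit }'
}

# Usage against the installed binary, if one is present:
#   v=$(installed_unbound_version) && unbound_status "$v"
```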