A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine.
Yes, a single DNS packet can take out a remote DNSSEC server.
DNS servers are used by web browsers and other software to turn human-friendly host names like theregister.com into machine-friendly IP addresses to connect to.
Those servers are run by all sorts of organizations, from home ISPs to the likes of Google, Cloudflare, and AdGuard.
DNS is insecure because it sends queries and responses over networks in plain text, allowing that data to be potentially altered by snoops to direct people's connections to malicious systems.
Domain Name System Security Extensions, or DNSSEC, is an upgrade to DNS that uses cryptography to ensure the results of queries aren't tampered with in transit. It doesn't encrypt the data, though, so queries and responses are not private from network eavesdroppers.
For privacy, you'll want something like DNS-over-HTTPS or DNS-over-TLS.

Identified by Professor Dr Haya Shulman and Niklas Vogel of the Goethe University Frankfurt, Elias Heftrig from Fraunhofer SIT, and Professor Dr Michael Waidner from Technical University of Darmstadt and Fraunhofer SIT, the security hole has been named KeyTrap, designated CVE-2023-50387 and assigned a CVSS severity rating of 7.5 out of 10.
This requirement, to ensure availability, means that the CPU can be forced to do a lot of work if presented with colliding key-tags and colliding keys that must be validated.
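As an added illustration (not code from the article, the researchers, or any resolver), the following Python models the validation loop the paragraph describes: a resolver only tries keys whose key tag matches a signature's key tag, so keys that share a tag all become candidates, and each candidate costs a signature verification. The key tag function follows RFC 4034 Appendix B; the DNSKEY bytes, the signature records and the attempt budget are constructed assumptions, and cryptographic verification is modelled as a lookup rather than performed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the whole
    DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKey:
    rdata: bytes  # constructed DNSKEY RDATA, not a real key


@dataclass(frozen=True)
class RRSig:
    key_tag: int
    verifies_with: Optional[bytes] = None  # RDATA of the key that would verify


def colliding_keys(n: int) -> List[DNSKey]:
    """Constructed example: n distinct DNSKEY RDATAs sharing one key tag.
    Swapping two bytes at even offsets preserves the checksum, because both
    are weighted by << 8 in key_tag()."""
    header = b"\x01\x00\x03\x08"  # flags=256 (ZSK), protocol=3, algorithm=8
    base = bytearray(range(1, 17))  # 16-byte placeholder "public key"
    keys = []
    for i in range(n):
        pub = bytearray(base)
        pub[0], pub[2 * i] = pub[2 * i], pub[0]  # offsets 4 and 4+2i are even
        keys.append(DNSKey(bytes(header + pub)))
    return keys


def validate(keys: List[DNSKey], sigs: List[RRSig],
             max_attempts: Optional[int] = None) -> Tuple[bool, int]:
    """Return (secure, verification_attempts). A budget of None is the
    unbounded try-every-matching-key behaviour; a numeric budget is the
    hardening idea of giving up and treating the answer as bogus."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key_tag(key.rdata) != sig.key_tag:
                continue  # tag mismatch: cheap, skipped
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts  # budget spent: bogus, stop working
            attempts += 1  # tag match: one expensive signature verification
            if sig.verifies_with == key.rdata:
                return True, attempts
    return False, attempts
```

With eight colliding keys and four signatures that never verify, the unbounded loop performs 32 verifications before failing; a budget of two stops after two and returns the same "bogus" verdict.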
INTERNAL domain to do the same job as 192.168.x.x. The ATHENE boffins say they worked with all relevant vendors and major public DNS providers prior to privately disclosing the vulnerability, so that a coordinated patch release would be possible.
Network research lab NLnet Labs published a patch for its Unbound DNS software, addressing two vulnerabilities, one of which is KeyTrap.
The other bug fixed, CVE-2023-50868, referred to as the NSEC3 vulnerability, also allows denial of service through CPU exhaustion.
The fix for CVE-2023-50387 is just one of six vulnerabilities addressed in Internet Systems Consortium's BIND 9 DNS software.
The requirements for the KeyTrap vulnerability date all the way back to 1999 from the now obsolete RFC 2535, according to the research team that identified it.
By 2012, these elements appeared in RFC 6781 and RFC 6840, the implementation requirements for DNSSEC validation.
Since at least August 2000 - more than 23 years ago - KeyTrap has been present in the BIND 9 DNS resolver, and it surfaced seven years later in the Unbound DNS resolver.
Dr Haya Shulman, professor of computer science at Goethe-Universität Frankfurt, told The Register in a phone interview that the attack is simple and can be carried out by encoding it in a zone file.
Shulman said the patches that have been issued by various vendors break the standard.
The ATHENE team observes that while the flaw remained undetected for decades, its obscurity isn't surprising because DNSSEC validation requirements are so complicated.
Mitigating the vulnerability is just as complicated, and completely eliminating it will require a revision of the DNSSEC standard.
This Cyber News was published on go.theregister.com. Publication date: Tue, 13 Feb 2024 23:43:05 +0000