DNSSEC vulnerability puts big chunk of the internet at risk The Register

A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine.
Yes, a single DNS packet can take out a remote DNSSEC server.
DNS servers are used by web browsers and other software to turn human-friendly host names like theregister.com into machine-friendly IP addresses to connect to.
Those servers are run by all sorts of organizations, from home ISPs to the likes of Google, Cloudflare, and AdGuard.
DNS is insecure because it sends queries and responses over networks in plain text, allowing that data to be potentially altered by snoops to direct people's connections to malicious systems.
Domain Name System Security Extensions, or DNSSEC, is an upgrade for DNS in that it uses cryptography to ensure the results of queries aren't tampered with in transit, though it doesn't encrypt the data so queries and responses are not private to network eavesdroppers.
For privacy, you'll want something like DNS-over-HTTPS or DNS-over-TLS. Identified by Professor Dr Haya Schulmann and Niklas Vogel of the Goethe University Frankfurt, Elias Heftrig from Fraunhofer SIT, and Professor Dr Michael Waidner from Technical University of Darmstadt and Fraunhofer SIT, the security hole has been named KeyTrap, designated CVE-2023-50387 and assigned a CVSS severity rating of 7.5 out of 10.
This requirement, to ensure availability, means that the CPU can be forced to do a lot of work if presented with colliding key-tags and colliding keys that must be validated.
INTERNAL domain to do the same job as 192.168.x.x. The ATHENE boffins say they worked with all relevant vendors and major public DNS providers prior to privately disclose the vulnerability so a coordinated patch release would be possible.
Network research lab NLnet Labs published a patch for its Upbound DNS software, addressing two vulnerabilities, one of which is KeyTrap.
The other bug fixed, CVE-2023-50868, referred to as the NSEC3 vulnerability, also allows denial of service through CPU exhaustion.
The fix for CVE-2023-50387 is just one of six vulnerabilities addressed in Internet Systems Consortium's BIND 9 DNS software.
The requirements for the KeyTrap vulnerability date all the way back to 1999 from the now obsolete RFC 2535, according to the research team that identified it.
By 2012, these elements appeared in RFC 6781 and RFC 6840, the implementation requirements for DNSSEC validation.
Since at least August 2000 - more than 23 years ago - KeyTrap has been present in the BIND 9 DNS resolver, and it surfaced seven years later in the Unbound DNS resolver.
Dr Haya Shulman, professor for computer science at Goethe-Universität Frankfurt, told The Register in a phone interview the attack is simple and can be carried out by encoding it in a zone file.
Shulman said the patches that have been issued by various vendors break the standard.
The ATHENE team observes that while the flaw remained undetected for decades, its obscurity isn't surprising because DNSSEC validation requirements are so complicated.
So too is mitigating the vulnerability and completely eliminating it will require a revision of the DNSSEC standard.


This Cyber News was published on go.theregister.com. Publication date: Tue, 13 Feb 2024 23:43:05 +0000


Cyber News related to DNSSEC vulnerability puts big chunk of the internet at risk The Register

DNSSEC vulnerability puts big chunk of the internet at risk The Register - A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine. Yes, a single DNS ...
10 months ago Go.theregister.com
Master Security by Building on Compliance with A Risk-Centric Approach - In recent years, a confluence of circumstances has led to a sharp rise in IT risk for many organizations. That's why a proactive approach to seeing, understanding, and acting on risk is key to improving the effectiveness of defenses in place to meet ...
11 months ago Cyberdefensemagazine.com
16 top ERM software vendors to consider in 2024 - Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains ...
11 months ago Techtarget.com
KeyTrap attack: Internet access disrupted with one DNS packet - A serious vulnerability named KeyTrap in the Domain Name System Security Extensions feature could be exploited to deny internet access to applications for an extended period. Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts ...
10 months ago Bleepingcomputer.com
ProcessUnity Introduces Industry's All-In-One Third-Party Risk Management Platform - PRESS RELEASE. BOSTON-(BUSINESS WIRE)- ProcessUnity, provider of comprehensive end-to-end third-party risk management and cybersecurity solutions to leading enterprises, today announced the completed integration of the Global Risk Exchange. The newly ...
10 months ago Darkreading.com
CVE-2024-26616 - In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned [BUG] There is a bug report that, on a ext4-converted btrfs, scrub leads to various problems, including: - ...
9 months ago Tenable.com
Key elements for a successful cyber risk management strategy - In this Help Net Security interview, Yoav Nathaniel, CEO at Silk Security, discusses the evolution of cyber risk management strategies and practices, uncovering common mistakes and highlighting key components for successful risk resolution. Nathaniel ...
11 months ago Helpnetsecurity.com
A Cybersecurity Risk Assessment Guide for Leaders - Now more than ever, keeping your cyber risk in check is crucial. In the first half of 2022's Cyber Risk Index, 85% of the survey's 4,100 global respondents said it's somewhat to very likely they will experience a cyber attack in the next 12 months. ...
1 year ago Trendmicro.com
Key Takeaways from the Gartner® Market Guide for Insider Risk Management - Insider risk incidents are on the rise and becoming more costly to contain. As a result, earlier this year, Gartner predicted that 50% of all medium to large enterprises would adopt insider risk programs. The report reveals several key findings about ...
1 year ago Securityboulevard.com
A Plan to Protect Critical Infrastructure from 21st Century Threats - On April 30th, the White House released National Security Memorandum-22 on Critical Infrastructure Security and Resilience, which updates national policy on how the U.S. government protects and secures critical infrastructure from cyber and ...
6 months ago Cisa.gov
Three Things to Know About the New SEC Rules on Sharing Information and Breach Disclosure Deadlines - Recently, the Securities and Exchange Commission adopted rules about the handling and reporting of cyber risks and breaches. With these new guidelines and regulations, public companies and organizations must disclose cybersecurity incidents ...
10 months ago Cyberdefensemagazine.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
How to Complete an IT Risk Assessment - An effective security strategy needs to put managing risk at the heart of its approach. An IT risk assessment process is used by organizations to identify and prioritize the most pressing risks to their IT environment. Naturally, it focuses on IT ...
1 year ago Heimdalsecurity.com
Critical Start Implements Cyber Risk Assessments With Peer Benchmarking and Prioritization Engine - PRESS RELEASE. PLANO, Texas, Jan. 11, 2024 /PRNewswire/ - Today, Critical Start, a leading provider of Managed Detection and Response cybersecurity solutions and pioneer of Managed Cyber Risk Reduction, announced general availability of Critical ...
11 months ago Darkreading.com
Third-Party Security Assessments: Vendor Risk Management - As businesses rely more heavily on external vendors to provide critical services and support, the importance of effective vendor risk management strategies becomes paramount. This article explores the significance of third-party security assessments, ...
10 months ago Securityzap.com
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
CVE-2024-35853 - In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the ...
7 months ago Tenable.com
CVE-2023-38697 - protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size ...
1 year ago
What Are the 6 Types of Risk Assessment and How Do They Work? - Risk assessment is a tool used to help quantify potential risks in a certain situation. It can be used in many different scenarios, including business operations, financial decisions, and also cybersecurity. A risk assessment helps you identify areas ...
1 year ago Thehackernews.com
F5 Developing Fix for BIG-IP Vulnerability That Could Cause Denial of Service and Allow for Code Execution - F5 has warned of a serious format string vulnerability in BIG-IP that could allow an authenticated attacker to cause a denial-of-service and potentially execute malicious code. This security issue, tracked as CVE-2023-22374, affects iControl SOAP, an ...
1 year ago Securityweek.com
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
7 months ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
2 months ago Tenable.com
'KeyTrap' DNS Bug Threatens Widespread Internet Outages - Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System security extension, which under certain circumstances could be exploited to take down wide expanses of the ...
10 months ago Darkreading.com
How to Do a Risk Analysis Service in a Software Project - Software projects are vulnerable to countless attacks, from the leak of confidential data to exposure to computer viruses, so any development team must work on an effective risk analysis that exposes any vulnerabilities in the software product. A ...
1 year ago Feeds.dzone.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)