CVE-2023-50387 Report - Details, Severity, & Advisories

Twingate Team

May 13, 2024

CVE-2023-50387 is a high-severity vulnerability affecting the DNSSEC aspects of the DNS protocol, specifically when there is a zone with many DNSKEY and RRSIG records. This vulnerability can lead to denial of service through CPU consumption in various software configurations, including popular DNS server software like unbound, pdns, bind, and dnsmasq. To protect against this vulnerability, it is recommended to update the affected packages to the version containing the fix.

How do I know if I'm affected?

CVE-2023-50387, also known as the "KeyTrap" issue, affects various DNS server software like unbound, pdns, bind, and dnsmasq. Some of the impacted versions include Red Hat Enterprise Linux 6.0, 7.0, 8.0, and 9.0, Microsoft Windows Server 2008 R2 SP1 to 2022 23H2, Fedora Project Fedora 39, TheKelleys Dnsmasq up to 2.90, NIC Knot Resolver up to 5.71, PowerDNS Recursor 4.8.0 to 5.0.2, ISC BIND 9.0.0 to 9.19.20, and NLnet Labs Unbound up to 1.19.1. To determine if you're affected, check whether you're using any of these software versions.
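One way to run that check across an inventory of resolver version strings, as an added example that is not part of the original advisory. The product keys and sample strings are hypothetical, and because the page does not say whether its "up to" bounds are inclusive, the sketch treats them as inclusive.

```python
import re

# Affected ranges exactly as listed on this page: product -> (low, high).
# None means the page gives no lower bound ("up to ...").
# Assumption: the page does not say whether upper bounds are inclusive;
# they are treated as inclusive here, the conservative reading.
# Product keys are hypothetical labels chosen for this example.
AFFECTED = {
    "dnsmasq": (None, "2.90"),
    "knot-resolver": (None, "5.71"),
    "pdns-recursor": ("4.8.0", "5.0.2"),
    "bind": ("9.0.0", "9.19.20"),
    "unbound": (None, "1.19.1"),
}

def parse_version(text, width=4):
    """Return the first dotted numeric version in text as a zero-padded tuple."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (width - len(parts))

def in_listed_range(product, version_text):
    """True if the version falls inside the range this page lists for product."""
    low, high = AFFECTED[product]
    version = parse_version(version_text)
    if low is not None and version < parse_version(low):
        return False
    return version <= parse_version(high)

def audit(inventory):
    """Map each (product, version string) pair to its in-range verdict."""
    return [(p, v, in_listed_range(p, v)) for p, v in inventory]

# Constructed sample inventory (illustrative strings, not captured tool output).
SAMPLE_INVENTORY = [
    ("bind", "BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu"),
    ("unbound", "Version 1.19.2"),
    ("dnsmasq", "Dnsmasq version 2.85"),
    ("pdns-recursor", "PowerDNS Recursor 4.7.3"),
    ("pdns-recursor", "PowerDNS Recursor 5.0.3"),
]

if __name__ == "__main__":
    for product, text, hit in audit(SAMPLE_INVENTORY):
        print(f"{product:14} {text:40} {'IN LISTED RANGE' if hit else 'outside range'}")
```

Distribution packages often carry backported fixes under an unchanged upstream version number, so an in-range result should be confirmed against the vendor's advisory for that package build.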

What should I do if I'm affected?

If you're affected by the CVE-2023-50387 vulnerability, it's crucial to update your DNS server software to the latest version containing the fix. This will help protect your system from denial of service attacks caused by this issue. Keep your software up-to-date and monitor for any signs of unusual CPU consumption, which could indicate an exploitation attempt.

Is CVE-2023-50387 in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-50387 vulnerability, also known as the "KeyTrap" issue, is not listed in CISA's Known Exploited Vulnerabilities Catalog. This high-severity vulnerability affects the DNSSEC aspects of the DNS protocol and can lead to denial of service attacks. To protect against this vulnerability, it is crucial to update the affected software to the latest version containing the fix.

Weakness enumeration

This vulnerability is categorized under CWE-770, which highlights a resource allocation issue in DNSSEC validation that can cause denial of service attacks in certain DNS server software. Mitigation strategies and additional resources are available to address this vulnerability.

For more details

CVE-2023-50387, a high-severity vulnerability affecting DNSSEC aspects of the DNS protocol, can lead to denial of service attacks in various software configurations. For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the resources listed below.
