CVE-2023-50387

Published: 13 February 2024

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Notes

Author	Note
alexmurray	As of isc-dhcp-4.4.3-1, isc-dhcp vendors bind9 libs
mdeslaur	This is unlikely to affect isc-dhcp's use of bind9-libs and the vendored bind9 libs, marking as negligible

Priority

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package	Release	Status
bind9 Launchpad, Ubuntu, Debian	bionic	Released (1:9.11.3+dfsg-1ubuntu1.19+esm3) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	focal	Released (1:9.16.48-0ubuntu0.20.04.1)
	jammy	Released (1:9.18.18-0ubuntu0.22.04.2)
	mantic	Released (1:9.18.18-0ubuntu2.1)
	trusty	Released (1:9.9.5.dfsg-3ubuntu0.19+esm12) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Released (9.16.48,9.18.24,9.19.21)
	xenial	Released (1:9.10.3.dfsg.P4-8ubuntu1.19+esm8) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	Patches: upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67 upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718 upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
bind9-libs Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Needs triage
	jammy	Needs triage
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
dnsmasq Launchpad, Ubuntu, Debian	bionic	Released (2.90-0ubuntu0.18.04.1+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	focal	Released (2.90-0ubuntu0.20.04.1)
	jammy	Released (2.90-0ubuntu0.22.04.1)
	mantic	Released (2.90-0ubuntu0.23.10.1)
	trusty	Needs triage
	upstream	Released (2.90)
	xenial	Released (2.90-0ubuntu0.16.04.1+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
isc-dhcp Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	mantic	Needs triage
	trusty	Not vulnerable (code not present)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)
knot-resolver Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	mantic	Needs triage
	trusty	Does not exist
	upstream	Released (5.7.1-1)
	xenial	Needs triage
pdns-recursor Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	mantic	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Released (4.9.3-1)
	xenial	Needs triage
unbound Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Released (1.9.4-2ubuntu1.5)
	jammy	Released (1.13.1-1ubuntu5.4)
	mantic	Released (1.17.1-2ubuntu0.1)
	trusty	Needs triage
	upstream	Released (1.19.1-1)
	xenial	Needs triage
	Patches: upstream: https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae

Severity score breakdown

Parameter	Value
Base score	7.5
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›