CVE-2023-50387 : Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and r

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Published 2024-02-14 16:15:45

Updated 2025-05-12 15:15:57

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-50387

Redhat » Enterprise Linux » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 9.0
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Version: R2 Update SP1 For X64
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
Matching versions
Microsoft » Windows Server 2012 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: R2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2019 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2022 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2022 23h2 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*
Matching versions
ISC » Bind »
Versions from including (>=) 9.18.0 and up to, including, (<=) 9.18.22
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
Matching versions
ISC » Bind »
Versions from including (>=) 9.19.0 and up to, including, (<=) 9.19.20
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
Matching versions
ISC » Bind »
Versions from including (>=) 9.0.0 and up to, including, (<=) 9.16.46
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
Matching versions
Powerdns » Recursor
Versions from including (>=) 5.0.0 and before (<) 5.0.2
cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
Matching versions
Powerdns » Recursor
Versions from including (>=) 4.9.0 and before (<) 4.9.3
cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
Matching versions
Powerdns » Recursor
Versions from including (>=) 4.8.0 and before (<) 4.8.6
cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 39
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Matching versions
Thekelleys » Dnsmasq
Versions before (<) 2.90
cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*
Matching versions
Nlnetlabs » Unbound
Versions before (<) 1.19.1
cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Matching versions
NIC » Knot Resolver
Versions before (<) 5.71
cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-50387

EPSS FAQ

40.95%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-50387

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-05-12
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST	2024-02-20
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	RedHat-CVE-2023-50387	2024-02-13
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-50387

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-50387

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/

[SECURITY] Fedora 38 Update: pdns-recursor-4.8.6-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/

[SECURITY] Fedora 39 Update: pdns-recursor-4.9.3-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1

v5.7.1 · Knot projects / Knot Resolver · GitLab
Patch

CVEs referencing this url
https://news.ycombinator.com/item?id=39367411

Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC | Hacker News
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240307-0007/

CVE-2023-50387 ISC BIND Vulnerability in NetApp Products | NetApp Product Security
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/

[SECURITY] Fedora 38 Update: bind9-next-9.19.21-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/

NLnet Labs - News - Unbound 1.19.1 released
Vendor Advisory

CVEs referencing this url
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor — PowerDNS Recursor documentation
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/

[SECURITY] Fedora 39 Update: dnsmasq-2.90-1.fc39 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url
https://news.ycombinator.com/item?id=39372384

Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC | Hacker News
Issue Tracking
https://access.redhat.com/security/cve/CVE-2023-50387

CVE-2023-50387- Red Hat Customer Portal
Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/02/16/3

oss-security - Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
Mailing List

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html

[SECURITY] [DLA 3816-1] bind9 security update

CVEs referencing this url
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/

KeyTrap DNS Attack Could Disable Large Parts of Internet: Researchers - SecurityWeek
Press/Media Coverage;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/

[SECURITY] Fedora 38 Update: dnsmasq-2.90-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://bugzilla.suse.com/show_bug.cgi?id=1219823

1219823 – (CVE-2023-50387) VUL-0: CVE-2023-50387 : unbound, pdns, bind, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses
Issue Tracking
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

DNSSEC vulnerability puts big chunk of the internet at risk • The Register
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/

[SECURITY] Fedora 39 Update: bind9-next-9.19.21-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://www.isc.org/blogs/2024-bind-security-release/

BIND 9 Security Release and Multi-Vendor Vulnerability Handling - ISC
Third Party Advisory

CVEs referencing this url
https://datatracker.ietf.org/doc/html/rfc4035

RFC 4035 - Protocol Modifications for the DNS Security Extensions
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/

[SECURITY] Fedora 38 Update: bind-dyndb-ldap-11.10-23.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/

[SECURITY] Fedora 39 Update: unbound-1.19.1-2.fc39 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url
https://kb.isc.org/docs/cve-2023-50387

CVE-2023-50387
Third Party Advisory;VDB Entry
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387

CVE-2023-50387 - Security Update Guide - Microsoft - MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers
Patch;Vendor Advisory
https://www.athene-center.de/aktuelles/key-trap

Key Trap - ATHENE
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/

[SECURITY] Fedora 38 Update: unbound-1.19.1-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

[Dnsmasq-discuss] Announce: dnsmasq-2.90.
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf

Technical Description;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html

[SECURITY] [DLA 3736-1] unbound security update

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2024/02/16/2

oss-security - Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
Mailing List

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/

[SECURITY] Fedora 39 Update: bind-dyndb-ldap-11.10-24.fc39 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-50387

Products affected by CVE-2023-50387

Exploit prediction scoring system (EPSS) score for CVE-2023-50387

CVSS scores for CVE-2023-50387

CWE ids for CVE-2023-50387

References for CVE-2023-50387