One bad packet can DoS a DNSSEC server

This may not affect IPFire.

Versions affected:
BIND * 9.0.0 -> 9.16.46

newest Core 183 has 9.16.45

I can confirm Shaun's statement, because a year ago Unbound would already give you a foam finger for doing that

[SERVFAIL exceeded the maximum number of sends

1 Like

@cuphi
you might be onto something
Unbound might need an update to 1.19+

Two DNSSEC validation vulnerabilities have been discovered in Unbound:
CVE-2023-50387 (referred to here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred to here as the NSEC3 vulnerability).

== Summary
=== CVE-2023-50387
Unbound prior to 1.19.1 could be led down a very CPU intensive and time
costly DNSSEC validation path. This could lead to Denial of Service in
trivially orchestrated attacks while validating DNSSEC responses.

=== CVE-2023-50868
Unbound prior to 1.19.1 could be led down a very CPU intensive and time
costly NSEC3 hash calculation path. This could lead to Denial of Service in
trivially orchestrated attacks while validating DNSSEC responses.

== Affected products
Unbound up to and including 1.19.0

https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt

unbound-1.19.1 is currently in testing for core184

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=4fb7b188434b69a7dc6c5e40e827f6a8f389a86f

5 Likes
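Two quick checks for the points raised in this thread, as an added example (not code from NLnet Labs, ISC or IPFire): whether the locally installed Unbound or BIND falls inside the affected version ranges quoted above, and how often the Unbound log shows the "exceeded the maximum number of sends" SERVFAIL that was mentioned. The ranges are taken only as posted here (Unbound up to and including 1.19.0, BIND 9.0.0 through 9.16.46), so a version outside them is reported as "outside the quoted range", not as safe. Assumed: `unbound -V` starts with "Version X.Y.Z", `named -v` starts with "BIND X.Y.Z", the SERVFAIL line carries the query as `<qname class type>`, and the sample log lines are constructed for the example.

```python
"""
Added example for this thread (not NLnet Labs, ISC or IPFire code).

  1. Is the locally installed Unbound/BIND inside the affected version
     ranges quoted in the thread?
  2. How many "exceeded the maximum number of sends" SERVFAILs does an
     Unbound log contain, per query name?

Assumptions: `unbound -V` prints "Version X.Y.Z" on its first line,
`named -v` prints "BIND X.Y.Z ...", and the SERVFAIL log line names the
query as "<qname class type>". SAMPLE_LOG below is constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges exactly as quoted in the thread. Unbound: up to and
# including 1.19.0 (1.19.1 is the fix). BIND: 9.0.0 -> 9.16.46 as posted.
# Anything outside is "outside the quoted range", not proven safe.
AFFECTED: Dict[str, Tuple[Optional[Version], Version]] = {
    "unbound": (None, (1, 19, 0)),
    "bind": ((9, 0, 0), (9, 16, 46)),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumed layout of the errinf SERVFAIL line; the qname is optional so a
# truncated line (as quoted in the thread) still counts.
MAX_SENDS_RE = re.compile(
    r"SERVFAIL(?: <(\S+)[^>]*>)?.*exceeded the maximum number of sends"
)


def parse_version(banner: str) -> Optional[Version]:
    """First X.Y.Z in a banner such as 'Version 1.19.0' or
    'BIND 9.16.45 (Extended Support Version) <id:...>'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: Version) -> bool:
    """Inclusive test against the range quoted for this product."""
    lo, hi = AFFECTED[product]
    if lo is not None and version < lo:
        return False
    return version <= hi


def classify(product: str, banner: str) -> str:
    """Human-readable verdict for one banner line."""
    v = parse_version(banner)
    if v is None:
        return f"{product}: could not parse version from {banner!r}"
    tag = ".".join(map(str, v))
    if is_affected(product, v):
        return f"{product} {tag}: AFFECTED (inside range quoted in thread)"
    return f"{product} {tag}: outside the quoted range"


def installed_banner(product: str) -> Optional[str]:
    """Run the resolver's version flag; None if it is not installed."""
    cmd = {"unbound": ["unbound", "-V"], "bind": ["named", "-v"]}[product]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    text = out.stdout or out.stderr
    lines = text.splitlines()
    return lines[0] if lines else None


def max_sends_servfails(log_lines: List[str]) -> Dict[str, int]:
    """Count 'exceeded the maximum number of sends' SERVFAILs per qname."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = MAX_SENDS_RE.search(line)
        if m:
            qname = m.group(1) or "(unknown)"
            counts[qname] = counts.get(qname, 0) + 1
    return counts


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = [
    "Feb 15 10:00:01 ipfire unbound: [1234:0] info: start of service (unbound 1.19.0).",
    "Feb 15 10:00:07 ipfire unbound: [1234:0] info: SERVFAIL <example.test. A IN>: exceeded the maximum number of sends",
    "Feb 15 10:00:08 ipfire unbound: [1234:0] info: SERVFAIL <example.test. AAAA IN>: exceeded the maximum number of sends",
    "Feb 15 10:00:09 ipfire unbound: [1234:0] info: SERVFAIL <other.test. A IN>: all servers for this domain failed",
]

if __name__ == "__main__":
    for product in ("unbound", "bind"):
        banner = installed_banner(product)
        print(classify(product, banner) if banner else f"{product}: not installed")
    print("max-sends SERVFAILs in sample log:", max_sends_servfails(SAMPLE_LOG))
```

On an IPFire box the script only needs `unbound -V`; point `max_sends_servfails` at the real syslog lines instead of `SAMPLE_LOG` to see whether the SERVFAILs cluster on a handful of names, which is the pattern the thread is describing.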