A severe flaw in DNSSEC has been exposed, allowing hackers to disrupt web browsing, email, and instant messaging services. Termed “KeyTrap” by researchers, this new class of attacks has the potential to disable large parts of the global internet infrastructure, affecting not only DNS but also the applications that rely on it. The severity of these attacks is yet to be categorized, but they have been assigned with CVE-2023-50387.
The vulnerability stems from the processing of responses from specially crafted DNSSEC-signed zones, leading to CPU exhaustion on a DNSSEC-validating resolver. The successful exploitation of this vulnerability could have a significant impact on the resolver’s performance, disrupting DNS resolution services.
As a temporary workaround, DNSSEC validation can be disabled entirely, but this is not a recommended solution. Surprisingly, there is no evidence of active exploitation of this vulnerability by threat actors at this time. To address this vulnerability, it is advised to upgrade to specific versions of BIND 9 and BIND Supported Preview Edition.
Furthermore, researchers have highlighted that this flaw is not a recent discovery, dating back to the obsolete internet standard RFC 2535 from 1999. Subsequent implementation flaws were also identified in 2012, with standards RFC 6781 and RFC 6840. Despite the long-standing nature of this vulnerability, it remained unnoticed due to the complex requirements of DNSSEC validation.
Had it been exploited, this vulnerability could have not only resulted in the unavailability of DNS but also posed potential risks of disabling critical security mechanisms such as anti-spam defenses, Public Key Infrastructure (PKI), and inter-domain routing security like RPKI (Resource Public Key Infrastructure). A comprehensive report about this vulnerability has been published by ATHENE researchers, providing detailed information about the impact, attack types, vectors, and other pertinent details.
The widespread usage of DNSSEC-validating DNS resolvers makes this vulnerability particularly concerning, with around 31.47% of web clients using such resolvers globally as of December 2023.
To ensure the security and reliability of the DNS infrastructure, it is crucial for organizations and individuals to stay updated on cybersecurity news and updates. It is important to follow reputable sources for information, such as The Cybersecurity News on LinkedIn and Twitter, to remain informed about the latest developments and best practices in the field. This proactive approach can help mitigate the risks associated with vulnerabilities such as KeyTrap and contribute to a more secure internet ecosystem for all users.