Bug 924455 (CVE-2023-50387, CVE-2023-50868)

Summary:	[Tracker] "KeyTrap" DNS DoS vulnerability
Product:	Gentoo Security	Reporter:	Hans de Graaff <graaff>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	normal	CC:	bertrand, himbeere
Priority:	Normal	Keywords:	Tracker
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	924442, 924447, 924448, 924457, 924459
Bug Blocks:

Description Hans de Graaff gentoo-dev

2024-02-14 07:13:26 UTC

CVE-2023-50387

Description:

The processing of responses coming from specially crafted DNSSEC-signed zones can cause CPU exhaustion on a DNSSEC-validating resolver.

Impact:

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.


CVE-2023-50868

Description:

The processing of responses coming from DNSSEC-signed zones using NSEC3 can cause CPU exhaustion on a DNSSEC-validating resolver.

Impact:

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.