A team of researchers has uncovered a new DNS-related vulnerability dubbed KeyTrap (CVE-2023-50387), which they claim could potentially disable large portions of the internet. This critical flaw affects the Domain Name System Security Extensions (DNSSEC), which are designed to authenticate responses to DNS queries. Despite DNSSEC's aim of preventing DNS manipulation, the KeyTrap vulnerability allows attackers to exhaust a resolver's CPU resources with a single maliciously crafted DNS packet, affecting any system that relies on a DNSSEC-validating DNS resolver. The researchers assert that more than 31% of web clients were using such resolvers as of December 2023. Exploitation of KeyTrap could lead to severe consequences, including the unavailability of essential internet services such as web browsing and email. While affected vendors have released patches, completely preventing KeyTrap attacks may require changes to DNSSEC's underlying design philosophy. Some DNS vendors have described the vulnerability as one of the worst attack methods ever discovered. Although the flaw has existed for over two decades, there is no evidence of it being exploited in the wild. Security advisories for CVE-2023-50387 have been issued by various organizations, with BIND reportedly vulnerable to being stalled for up to 16 hours.
Read more: https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
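Because only DNSSEC-validating resolvers are exposed to KeyTrap, the first thing an operator wants to know is whether the resolvers their clients actually use are validating and therefore need the vendor patches. The following script is an added example, not code from the article or the researchers: it builds a DNS query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set, and then inspects the AD (Authenticated Data) flag in the response header, which a validating resolver sets for answers it has verified (RFC 4035 semantics; the wire formats are those of RFC 1035 and RFC 6891). The sample responses are constructed inline so the parsing logic runs offline; the optional `probe()` helper sends the query over UDP to a resolver you operate, and `dnssec-signed.example` is a placeholder that you should replace with a name in a zone you know to be signed, since an unsigned zone never yields AD=1 regardless of the resolver.

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F

EDNS_DO = 0x8000      # DO bit in the OPT record's extended flags (RFC 6891)
EDNS_UDP_SIZE = 1232  # conservative UDP payload size advertised in the OPT record


def build_dnssec_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build an A query for qname with RD=1 and an EDNS0 OPT record whose DO bit is set."""
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record).
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    labels = qname.strip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, EDNS_UDP_SIZE, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_response_flags(response: bytes) -> dict:
    """Extract the header fields relevant to DNSSEC validation from a raw DNS message."""
    if len(response) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def resolver_validates(response: bytes, expected_txid: int) -> bool:
    """True when the response is a NOERROR answer to our query with AD=1.

    AD=1 means the resolver validated the answer, so it is a DNSSEC-validating
    resolver and is in scope for the KeyTrap (CVE-2023-50387) vendor patches.
    """
    f = parse_response_flags(response)
    return f["txid"] == expected_txid and f["qr"] and f["rcode"] == 0 and f["ad"]


def probe(resolver_ip: str, qname: str = "dnssec-signed.example", timeout: float = 3.0) -> bool:
    """Send the DO-bit query over UDP to a resolver you operate and report whether AD was set.

    qname is a placeholder: use a name in a zone you know is DNSSEC-signed.
    """
    txid = 0x1234
    query = build_dnssec_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return resolver_validates(data, txid)


# Constructed sample responses (header only) for offline use.
# 0x81A0 = QR, RD, RA, AD set, RCODE 0: what a validating resolver returns for a signed name.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
# 0x8180 = QR, RD, RA set, no AD: a non-validating resolver (or an unsigned zone).
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)


if __name__ == "__main__":
    print("validating resolver sample:", resolver_validates(SAMPLE_VALIDATED, 0x1234))
    print("non-validating resolver sample:", resolver_validates(SAMPLE_UNVALIDATED, 0x1234))
```

A NOERROR answer without AD is only conclusive when the queried name is in a signed zone, which is why the probe insists on a known-signed name; the offline samples model the two header outcomes so the flag parsing can be checked without network access.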