Monday, January 13, 2025
HomeCyber Security NewsDNS Server Vulnerability: Single DNS Packet can Bring Down the System

DNS Server Vulnerability: Single DNS Packet can Bring Down the System

Published on

A new flaw has been discovered in DNSSEC, which, when exploited by threat actors, could result in the unavailability of technologies such as web browsing, email, and instant messaging. This new class of attacks has been termed “KeyTrap” by researchers. 

Moreover, a threat actor could completely disable large parts of the worldwide internet. KeyTrap attacks affect not only DNS but also the applications using it. The “KeyTrap” class of attacks has been assigned with CVE-2023-50387, and the severity is yet to be categorized.  As of December 2023, 31.47% of the web clients used DNSSEC-validating DNS resolvers worldwide. 

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

Technical Analysis

CVE-2023-50387: DNSSEC validator

This particular vulnerability exists due to the processing of responses from specially crafted DNSSEC-signed zones, which causes CPU exhaustion on a DNSSEC-validating resolver.

Successful exploitation of this vulnerability could significantly affect the resolver’s performance, disrupting the DNS resolution service.

As a workaround, DNSSEC validation can be disabled entirely, preventing this vulnerability. However, this was not a recommended resolution. Additionally, there is no evidence of active exploitation of this vulnerability by threat actors.

To fix this vulnerability, it is advised to upgrade to the following versions of BIND 9 and BIND Supported Preview Edition:

Nevertheless, researchers also stated that “The flaws are not recent,” describing an obsolete internet standard, RFC 2535, from 1999. Fast forwarding to 2012, there was another implementation flaw for DNSSEC validation in standards RFC 6781 and RFC 6840. 

Although this vulnerability has existed for the past 25 years, it went unnoticed by the community due to the complexity of the DNSSEC validation requirements. 

If this vulnerability had been exploited, it would not only result in the unavailability of DNS but also could have potential risks of disabling security mechanisms such as anti-spam defenses, Public Key Infrastructure (PKI), or even inter-domain routing security like RPKI (Resource Public Key Infrastructure).

Furthermore, a complete report about this vulnerability has been published by ATHENE researchers, which provides detailed information about the impact, attack types, vectors, and other information.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...