A team of researchers has disclosed a new DNS-related vulnerability that can allegedly be exploited to disable large parts of the internet.
The vulnerability, named KeyTrap and officially tracked as CVE-2023-50387, has been described as a critical flaw in the design of Domain Name System Security Extensions (DNSSEC), a DNS feature that authenticates responses to domain name lookups.
The goal of DNSSEC is to prevent attackers from manipulating or poisoning responses to DNS requests. However, researchers at the Germany-based ATHENE National Research Center for Applied Cybersecurity found that a design flaw could allow malicious actors to cause significant internet disruption using a single specially crafted DNS packet that causes CPU resource exhaustion.
Systems using a DNSSEC-validating DNS resolver are impacted, and the researchers claimed more than 31% of web clients had used such resolvers as of December 2023.
“Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging. With KeyTrap, an attacker could completely disable large parts of the worldwide Internet,” the researchers said in a press release.
KeyTrap has allegedly been described by some DNS vendors as the worst attack method ever discovered.
The KeyTrap attack impacts widely used DNS implementations, as well as DNS services providers such as Google and Cloudflare. However, impacted vendors were notified several months ago and they have been releasing patches, the last of which became available on February 13, according to the researchers.
On the other hand, the researchers noted that completely preventing KeyTrap attacks requires changing the “underlying design philosophy of DNSSEC”.
The underlying weakness has existed for more than two decades, but there is no indication that it has been exploited in the wild.
Security advisories for CVE-2023-50387 have been published by Microsoft, BIND, PowerDNS, and NLnet (Unbound).
In the case of BIND, the researchers claimed that “it can be stalled for as long as 16 hours”.
UPDATE: Google has provided the following statement to SecurityWeek:
“We are aware of this vulnerability and rolled out a fix in coordination with the reporting researchers. There is no evidence of exploitation and no action required by users at this time.”
Cloudflare told SecurityWeek, “Cloudflare was made aware of the KeyTrap vulnerability as part of coordinated disclosure and our systems were promptly patched.”
Related: Cyberespionage Implant Delivered via Targeted Government DNS Hijacking
Related: Dangling DNS Used to Hijack Subdomains of Major Organizations
Related: In Other News: Fake Lockdown Mode, New Linux RAT, AI Jailbreak, Country’s DNS Hijacked
