A vulnerability tracked as CVE-2023-50387, and named KeyTrap, is a critical flaw in the design of Domain Name System Security Extensions (DNSSEC), the extension to the Domain Name System (DNS) that authenticates responses to domain name lookups.
Some DNS vendors have reportedly described KeyTrap as the worst attack method ever discovered.
That’s because of what DNSSEC does.
What is DNS?
When anyone types a domain or website name into a web browser, the browser relies on DNS servers to translate that name into the computer-recognized IP address it connects to on the back end. DNS servers are run by many different types of organizations, including IT departments as well as everyday internet service providers. DNS can be insecure because it sends the query and response over the network in plain text, which leaves the data exposed to being altered using this flaw and could route a user to malicious systems.
This vulnerability could have devastating and wide-ranging effects. It immediately threatens popular DNS resolvers (CloudFlare, Google, Microsoft, etc.), but there are also many users and organizations that host public-facing name servers or provide some form of public DNS service; they may want to update their cybersecurity services or monitor for suspicious DNSSEC usage, traffic sources, and resource consumption until a patch can be released and applied.
Flaw not yet exploited
It’s important to note that, at the time this is being published, there DOES NOT appear to be any publicly available exploit kit for this vulnerability; however, it takes a low level of skill to execute this type of attack. Cyber criminals have the resources to take advantage of it, so it could only be a matter of time.
It appears that there are no publicly available Proofs-of-Concept or similar that could be used to detect this exploit, though that could change.
DNSSEC usage
It’s believed that approximately 31% of web clients worldwide were using DNSSEC-validating DNS resolvers as recently as December 2023. Those clients would be vulnerable to the flaw and would be hit the hardest by a KeyTrap attack. Any client relying on those DNS servers would be unable to connect a domain or website name to the proper IP address, disrupting connectivity to the domain.
KeyTrap vulnerability notes
Here are some additional key items to be aware of about this flaw:
- It carries a 7.5/10 severity rating on the CVSS scale.
- Patches are currently available for a handful of popular DNS applications to prevent this exploit: Microsoft, BIND, PowerDNS, and Unbound (NLnet).
- The underlying protocol standard contains the vulnerability, so fully mitigating this would require revising the standard
Recommendations
Applying the patch as soon as it is available is critical. CloudFlare has already patched its systems, and Google has rolled out a fix in coordination as well.
Any users that host DNS resolvers, forwarders, or nameservers, or that provide some form of public DNS service, may want to update their cybersecurity services and consider a focus on continuous attack surface monitoring of DNSSEC usage and resource consumption, especially where a patch has not yet been released or applied.
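One concrete way to monitor DNSSEC usage for the resource-consumption pattern this post recommends watching is to audit the DNSKEY RRsets a resolver receives. The check below is an added example written for this post; it is not code from SecuLore or from any DNS vendor. It relies on two facts not stated above: a validator has to try every key whose key tag matches an RRSIG's key tag (RFC 4035 section 5.3.1), and the key tag is the 16-bit checksum over the DNSKEY RDATA defined in RFC 4034 Appendix B. An RRset that is unusually large, or in which many keys share one tag, therefore multiplies validation work, so it is worth flagging. The thresholds and the sample RRsets are constructed for illustration.

```python
"""Audit DNSKEY RRsets for patterns that make DNSSEC validation expensive.

Added example, not part of the original post. It computes the RFC 4034
Appendix B key tag for each DNSKEY in an RRset and flags RRsets that are
unusually large or that contain many keys sharing one key tag. The
thresholds below are assumptions; tune them to your zones' normal sizes.
"""
import struct
from collections import Counter

MAX_KEYS_PER_RRSET = 8   # assumption: more keys than this is worth a look
MAX_KEYS_PER_TAG = 2     # assumption: a rollover rarely leaves >2 keys on one tag


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Build DNSKEY RDATA (RFC 4034 section 2): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def audit_dnskey_rrset(rrset: list) -> dict:
    """Summarise one DNSKEY RRset and list any findings worth alerting on."""
    tags = Counter(key_tag(rdata) for rdata in rrset)
    findings = []
    if len(rrset) > MAX_KEYS_PER_RRSET:
        findings.append(f"rrset has {len(rrset)} keys (limit {MAX_KEYS_PER_RRSET})")
    for tag, n in tags.items():
        if n > MAX_KEYS_PER_TAG:
            findings.append(f"{n} keys share key tag {tag} (limit {MAX_KEYS_PER_TAG})")
    return {"keys": len(rrset), "distinct_tags": len(tags), "findings": findings}


def colliding_keys(count: int) -> list:
    """Constructed sample: DNSKEYs with different RDATA but identical key tags.

    The key tag is a folded sum of 16-bit words, so keys whose words are
    (0x0100 + i, 0x0100 - i) all sum to the same value.
    """
    return [
        dnskey_rdata(256, 13, struct.pack("!HH", 0x0100 + i, 0x0100 - i))
        for i in range(count)
    ]


# Constructed sample of a normal-looking RRset: one KSK (flags 257) and one
# ZSK (flags 256), algorithm 13, with short placeholder key material.
NORMAL_RRSET = [
    dnskey_rdata(257, 13, b"\x01\x02\x03\x04"),
    dnskey_rdata(256, 13, b"\x05\x06\x07\x08"),
]

if __name__ == "__main__":
    for name, rrset in (("normal", NORMAL_RRSET), ("suspicious", colliding_keys(12))):
        report = audit_dnskey_rrset(rrset)
        print(name, report)
```

In a monitoring pipeline this check would run over DNSKEY answers captured at the resolver (for example from a packet capture or a resolver's query log), with an alert raised whenever `findings` is non-empty for a zone that is not known to be mid-rollover. It is a heuristic rather than a signature, so pair it with the resolver's own CPU and validation-time metrics.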
Contact SecuLore to discuss monitoring DNSSEC usage and resources if you believe your servers could be impacted and do not have a patch available at this time, or to learn more about attack surface management.