CVE-2023-50387

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions BIND versions prior to the fixed version

Description The issue is related to the DNSSEC implementation in the DNS protocol, which can be exploited by remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses. This is known as the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records, which can lead to CPU exhaustion when there is a zone with many DNSKEY and RRSIG records. The estimated number of potentially affected devices worldwide is not specified. However, it is mentioned that this issue can potentially cause extended Internet outages by sending a single malicious packet that sends DNS servers into an unresolvable loop.

Recommendations To resolve the issue, users should upgrade to a version of BIND that contains the fix for this vulnerability. As a temporary workaround, consider using a non-validating resolver to remove the vulnerability, although this is not recommended. Restrict access to the vulnerable DNSSEC validation module to minimize the risk of exploitation. Avoid using the ValidatingResolver for DNSSEC validation until the issue is resolved.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770CWE-400

Related Identifiers

ALSA-2022_6763

ALSA-2022_6778

ALSA-2022_6781

ALSA-2022_7633

ALSA-2022_8070

ALSA-2023_2261

ALSA-2023_2792

ALSA-2023_3002

ALSA-2023_4099

ALSA-2023_4100

ALSA-2023_4102

ALSA-2023_5460

ALSA-2023_5474

ALSA-2023_5689

ALSA-2023_6524

ALSA-2023_7046

ALSA-2024:0965

ALSA-2024:0977

ALSA-2024:1334

ALSA-2024:1335

ALSA-2024:1781

ALSA-2024:1782

ALSA-2024:1789

ALSA-2024:2551

ALSA-2024:3271

ALSA-2024_0965

ALSA-2024_0977

ALSA-2024_1334

ALSA-2024_1335

ALSA-2024_1781

ALSA-2024_1782

ALSA-2024_1789

ALSA-2024_2463

ALSA-2024_2551

ALSA-2024_3203

ALSA-2024_3271

ALT-PU-2024-13229

ALT-PU-2024-2451

ALT-PU-2024-2453

ALT-PU-2024-2455

ALT-PU-2024-2605

ALT-PU-2024-2607

ALT-PU-2024-2610

ALT-PU-2024-2612

ALT-PU-2024-2663

ALT-PU-2024-3086

ALT-PU-2024-3156

ALT-PU-2024-9772

ALT-PU-2024-9774

AZL-34350

AZL-34419

AZL-34440

AZL-34559

AZL-35328

BDU:2024-01359

CESA-2024_0965

CESA-2024_1335

CESA-2024_1781

CESA-2024_1782

CESA-2024_3271

CVE-2023-50387

DLA-3736-1

DLA-3816-1

DLA-3859-1

DLA-3974-1

DSA-5620-1

DSA-5621-1

DSA-5626-1

DSA-5626-2

DSA-5633-1

ELSA-2024-0965

ELSA-2024-0977

ELSA-2024-11003

ELSA-2024-1334

ELSA-2024-1335

ELSA-2024-1781

ELSA-2024-1782

ELSA-2024-1789

ELSA-2024-2551

ELSA-2024-3271

ELSA-2024-3741

FREEBSD-SA-24_03

GHSA-CRJG-W57M-RQQF

INFSA-2024_2551

INFSA-2024_3271

MGASA-2024-0038

MGASA-2024-0039

MGASA-2024-0041

OESA-2024-1210

OESA-2024-1323

OESA-2024-1324

OESA-2024-1325

OESA-2024-1326

OESA-2024-1489

OESA-2025-2609

OPENSUSE-SU-2024:0048-1

OPENSUSE-SU-2024:13680-1

OPENSUSE-SU-2024:13687-1

OPENSUSE-SU-2024:13707-1

OPENSUSE-SU-2024:13742-1

OPENSUSE-SU-2024_0574-1

OPENSUSE-SU-2024_0590-1

OPENSUSE-SU-2024_1982-1

OPENSUSE-SU-2025_0071-1

RHSA-2024:0965

RHSA-2024:0977

RHSA-2024:0981

RHSA-2024:0982

RHSA-2024:11003

RHSA-2024:1334

RHSA-2024:1335

RHSA-2024:1522

RHSA-2024:1543

RHSA-2024:1544

RHSA-2024:1545

RHSA-2024:1647

RHSA-2024:1648

RHSA-2024:1781

RHSA-2024:1782

RHSA-2024:1789

RHSA-2024:1800

RHSA-2024:1801

RHSA-2024:1803

RHSA-2024:1804

RHSA-2024:2551

RHSA-2024:2587

RHSA-2024:2696

RHSA-2024:2720

RHSA-2024:2721

RHSA-2024:2821

RHSA-2024:2890

RHSA-2024:3271

RHSA-2024:3741

RHSA-2024:3877

RHSA-2024:3929

RHSA-2024_0965

RHSA-2024_0977

RHSA-2024_1334

RHSA-2024_1335

RHSA-2024_1781

RHSA-2024_1782

RHSA-2024_1789

RHSA-2024_2551

RHSA-2024_3271

RHSA-2024_3741

RHSA-2025:0039

RLSA-2024:1335

RLSA-2024:1781

RLSA-2024:1782

RLSA-2024:2551

RLSA-2024:3271

RLSA-2024_1335

RLSA-2024_1781

RLSA-2024_1782

RLSA-2024_2551

RLSA-2024_3271

ROSA-SA-2024-2489

ROSA-SA-2024-2490

ROSA-SA-2024-2491

ROSA-SA-2025-2568

SUSE-SU-2024:0574-1

SUSE-SU-2024:0590-1

SUSE-SU-2024:1894-1

SUSE-SU-2024:1923-1

SUSE-SU-2024:1982-1

SUSE-SU-2024:1991-1

SUSE-SU-2024:1991-2

SUSE-SU-2024:2033-1

SUSE-SU-2024_0574-1

SUSE-SU-2024_0590-1

SUSE-SU-2024_1894-1

SUSE-SU-2024_1923-1

SUSE-SU-2024_1982-1

SUSE-SU-2024_1991-1

SUSE-SU-2024_2033-1

SUSE-SU-2025:0071-1

SUSE-SU-2025:0130-1

SUSE-SU-2025:20024-1

SUSE-SU-2025:20118-1

SUSE-SU-2025_0071-1

SUSE-SU-2025_0130-1

USN-6633-1

USN-6642-1

USN-6657-1

USN-6657-2

USN-6665-1

USN-6723-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Bind

Bind Server

Centos

Debian

Freebsd

Ibm Aix

Linuxmint

Powerdns Recursor

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

Windows

CVE-2023-50387

Weakness Enumeration

Related Identifiers

Affected Products

References · 336