Remediating new DNSSEC resource exhaustion vulnerabilities
2024-02-29
Cloudflare recently fixed two critical DNSSEC vulnerabilities: CVE-2023-50387 and CVE-2023-50868. Both of these vulnerabilities can exhaust the computational resources of validating DNS resolvers. These vulnerabilities do not affect our Authoritative DNS or DNS firewall products...
All Cloudflare DNS infrastructure was protected before these two vulnerabilities were disclosed, and it is currently secure. These vulnerabilities do not affect our Authoritative DNS or DNS firewall products.
All major DNS software vendors have released new versions of their software. All other major DNS resolver providers have also applied appropriate mitigations. If you have not yet updated your DNS resolver software, please do so now.
Domain Name System (DNS) Security Extensions, commonly known as DNSSEC, are extensions to the DNS protocol that add authentication and integrity. DNSSEC uses cryptographic keys and signatures to verify the authenticity of DNS responses. The DNSSEC protocol specification has certain requirements that prioritize availability at the cost of added complexity and computational cost for validating DNS resolvers. The mitigations for the vulnerabilities discussed in this post require applying local policy that relaxes those requirements in order to avoid exhausting validator resources.
The DNS and DNSSEC protocols were designed following the robustness principle: "be conservative in what you do, be liberal in what you accept from others". In the past, many vulnerabilities have exploited protocol requirements that follow this principle. Malicious actors can use such vulnerabilities to attack DNS infrastructure; in this case, they increase the workload of a DNS resolver by crafting DNSSEC responses with complex configurations. As usual, we have to strike a pragmatic balance between the flexibility that lets a protocol adapt and evolve and the stability and security of the services we operate.
Cloudflare's public resolver, 1.1.1.1, is a privacy-centric public resolver service. We have always applied stricter validation and limits, intended to protect both our own infrastructure and the authoritative DNS servers operated outside our network. As a consequence, we regularly receive complaints about resolution failures. Experience has taught us that strict validation and limits can affect availability in certain edge cases, especially when DNS zones are misconfigured. Nevertheless, these strict validations and limits are essential to improving the overall reliability and resilience of DNS infrastructure.
The following describes these vulnerabilities and how we mitigated them.
A DNSSEC-signed zone can contain multiple keys (DNSKEY) used to sign the contents of the zone, and a resource record set (RRset) in a DNS response can carry multiple signatures (RRSIG). Multiple keys and signatures are needed to support features such as key rollover, algorithm rollover and multi-signer DNSSEC. The DNSSEC protocol specification requires a validating DNS resolver to try all possible combinations of keys and signatures when validating a DNS response.
During validation, the resolver looks at the key tag of each signature and tries to find the associated key that was used to create it. The key tag is an unsigned 16-bit number computed as a checksum of the key's resource data (RDATA). Key tags are intended to allow efficient pairing of a signature with the key that purportedly created it. However, key tags are not unique: multiple keys can have the same key tag. A malicious actor can easily craft a DNS response containing multiple keys with the same key tag and multiple signatures, none of which validate. A validating resolver attempting to validate such a response must try every combination (number of keys multiplied by number of signatures). This multiplies the computational cost for the validating resolver many times over, degrading performance for all users. This is known as the Keytrap vulnerability.
Variants of this vulnerability include using multiple signatures with a single key, using a single signature with multiple keys that have colliding key tags, and using multiple keys and adding the corresponding hashes to the delegation signer (DS) records in the parent zone.
We had already limited the maximum number of keys that we accept at a zone cut. A zone cut is where a parent zone delegates to a child zone, for example the .com zone delegating cloudflare.com to Cloudflare's nameservers. Even with this limit in place and the various other protections built into our platform, we found that processing malicious DNS answers from authoritative DNS servers still consumed significant computational resources.
To address and further mitigate this vulnerability, we added a signature validation limit per RRset and a total signature validation limit per resolution task. A single resolution task may involve multiple recursive queries to external authoritative DNS servers in order to answer one DNS question. Client queries that exceed these limits fail to resolve and receive a response with Extended DNS Error (EDE) code 0. We also added metrics that let us detect attacks attempting to exploit this vulnerability.
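Added example, not Cloudflare's resolver code: a toy validator that applies the per-RRset and per-task signature validation limits described above to a constructed response whose keys all share a key tag, failing closed with EDE 0 once a limit is hit. The signature scheme, the key tag value 12345, the RRset text and the default limits are placeholders; a real validator also matches algorithm and signer name before attempting a check.

```python
import hashlib
from dataclasses import dataclass

EDE_OTHER = 0  # Extended DNS Error code clients receive when a validation limit is exceeded

@dataclass
class DNSKEY:
    key_tag: int      # 16-bit RDATA checksum (RFC 4034 App. B); NOT unique across keys
    pubkey: bytes

@dataclass
class RRSIG:
    key_tag: int      # tag of the key that supposedly produced this signature
    signature: bytes

class LimitExceeded(Exception):
    def __init__(self, ede: int):
        self.ede = ede

class ValidationBudget:
    def __init__(self, per_rrset: int, per_task: int):
        # caps on expensive signature checks: per RRset and per whole resolution task
        self.per_rrset, self.per_task, self.task_used = per_rrset, per_task, 0

def candidate_pairs(keys, sigs):
    """(sig, key) pairs sharing a key tag; with colliding tags this is len(sigs) * len(keys)."""
    return [(s, k) for s in sigs for k in keys if k.key_tag == s.key_tag]

def validate_rrset(rrset, keys, sigs, budget) -> bool:
    tried = 0
    for sig, key in candidate_pairs(keys, sigs):
        if tried >= budget.per_rrset or budget.task_used >= budget.per_task:
            raise LimitExceeded(EDE_OTHER)   # fail closed instead of grinding through every pair
        tried += 1
        budget.task_used += 1
        # Stand-in for the real public-key check (constructed: sig == sha256(pubkey || rrset)).
        if sig.signature == hashlib.sha256(key.pubkey + rrset).digest():
            return True                      # one verifying signature secures the RRset
    return False                             # bogus: no pair verified

def resolve_sample(n_keys, n_sigs, valid, per_rrset=8, per_task=16):
    """Constructed response with colliding tags; returns (secure, ede, checks_done)."""
    rrset = b"www.example.com. 300 IN A 192.0.2.1"
    keys = [DNSKEY(12345, f"pubkey-{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(12345, b"\x00" * 32) for _ in range(n_sigs)]
    if valid:  # make only the last (sig, key) pair verify
        sigs[-1] = RRSIG(12345, hashlib.sha256(keys[-1].pubkey + rrset).digest())
    budget = ValidationBudget(per_rrset, per_task)
    try:
        return validate_rrset(rrset, keys, sigs, budget), None, budget.task_used
    except LimitExceeded as e:
        return False, e.ede, budget.task_used
```

Note the trade-off the post describes: a legitimately signed RRset whose only good signature sits behind more colliding pairs than the per-RRset limit allows would also fail, which is why such limits are local policy rather than protocol.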
NSEC3 is an alternative method for authenticated denial of existence. You can learn more about authenticated denial of existence here. NSEC3 uses hashes derived from DNS names, rather than the names themselves, in an attempt to prevent zone enumeration, and the standard supports multiple iterations of the hash computation. However, because the full DNS name is used as input to the hash computation, additional hash iterations beyond the initial one add no value, and RFC 9276 recommends against them. This cost is compounded further when searching for the closest encloser proof. A malicious DNS response from an authoritative DNS server can set a high NSEC3 iteration count together with long DNS names made of many labels, exhausting the computational resources of a validating resolver by forcing it to perform unnecessary hash computations.
For this vulnerability we adopted a mitigation technique similar to the one for Keytrap. We added a total hash computation limit per resolution task for answering a single DNS question. Again, client queries that exceed this limit fail to resolve and receive a response with EDE code 27. We also added metrics to track hash computations so that attacks attempting to exploit this vulnerability can be spotted early.
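Added example, not Cloudflare's code: the NSEC3 hash from RFC 5155 with every SHA-1 call charged to a per-task hash budget, and the closest encloser search modelled as hashing the QNAME and each of its ancestors down to the zone apex, so the cost is (number of candidate names) x (iterations + 1). The apex, salt, iteration counts and budget limit are constructed inputs; the first check in the test uses the RFC 5155 Appendix A vector.

```python
import base64
import hashlib

EDE_UNSUPPORTED_NSEC3_ITERATIONS = 27  # EDE code returned when the hash budget is exceeded

class BudgetExceeded(Exception):
    def __init__(self, ede: int):
        self.ede = ede

class HashBudget:
    """Counts NSEC3 hash computations for one resolution task and stops at a limit."""
    def __init__(self, limit: int):
        self.limit, self.used = limit, 0

    def charge(self) -> None:
        self.used += 1
        if self.used > self.limit:
            raise BudgetExceeded(EDE_UNSUPPORTED_NSEC3_ITERATIONS)

def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int, budget: HashBudget) -> bytes:
    """RFC 5155 s5: IH(0) = H(name||salt), IH(k) = H(IH(k-1)||salt): iterations+1 SHA-1 calls."""
    digest = wire_name(name)
    for _ in range(iterations + 1):
        budget.charge()                      # every SHA-1 call is charged to the task budget
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def to_base32hex(digest: bytes) -> str:
    """NSEC3 owner-name encoding: base32hex, lowercase (20-byte SHA-1 needs no padding)."""
    std, hexa = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).decode().translate(str.maketrans(std, hexa)).lower()

def ancestor_names(qname: str, apex: str) -> list:
    """Names the closest encloser search hashes: the QNAME and each ancestor down to the apex."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(apex.rstrip(".").split("."))
    return [".".join(labels[i:]) + "." for i in range(len(labels) - depth + 1)]

def check_denial_cost(qname, apex, salt, iterations, limit):
    """Hash every candidate under a per-task budget; returns (ok, ede, hashes_used)."""
    budget = HashBudget(limit)
    try:
        for name in ancestor_names(qname, apex):
            nsec3_hash(name, salt, iterations, budget)
    except BudgetExceeded as e:
        return False, e.ede, budget.used
    return True, None, budget.used
```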
Date and time in UTC | Event
2023-11-03 16:05 | John Todd from Quad9 invites Cloudflare to participate in a joint task force to discuss a new DNS vulnerability.
2023-11-07 14:30 | A group of DNS vendors and service providers meet to discuss the vulnerability during IETF 118. Discussions and collaboration continue in a closed chat group hosted at DNS-OARC.
2023-12-08 20:20 | Cloudflare public resolver 1.1.1.1 is fully patched to mitigate the Keytrap vulnerability (CVE-2023-50387).
2024-01-17 22:39 | Cloudflare public resolver 1.1.1.1 is fully patched to mitigate the NSEC3 iteration count and closest encloser vulnerability (CVE-2023-50868).
2024-02-13 13:04 | Unbound package is released.
2024-02-13 23:00 | Cloudflare internal CDN resolver is fully patched to mitigate both CVE-2023-50387 and CVE-2023-50868.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner of the German National Research Center for Applied Cybersecurity ATHENE for discovering the Keytrap vulnerability and disclosing it responsibly.
We would like to thank Petr Špaček of the Internet Systems Consortium (ISC) for discovering the NSEC3 iteration and closest encloser proof vulnerability and disclosing it responsibly.
We would like to thank John Todd of Quad9 and the DNS Operations Analysis and Research Center (DNS-OARC) for facilitating coordination among the various stakeholders.
Finally, we would like to thank the members of the DNS-OARC community, representing various DNS vendors and service providers, who came together and worked tirelessly to fix these vulnerabilities, toward the shared goal of a resilient and secure Internet.