PatchSiren cyber security CVE debrief
CVE-2023-50387 Siemens CVE debrief
CVE-2023-50387, also known as the KeyTrap issue, is a HIGH severity vulnerability (CVSS 7.5) affecting DNSSEC implementations. The vulnerability stems from protocol specifications in RFC 4033, 4034, 4035, 6840, and related RFCs that require validation of all combinations of DNSKEY and RRSIG records when processing DNSSEC responses. Attackers can exploit this by sending crafted DNSSEC responses containing zones with numerous DNSKEY and RRSIG records, forcing the target system to perform computationally expensive validation operations that consume excessive CPU resources, resulting in denial of service. Siemens SINEC INS is confirmed affected by this vulnerability. The issue was published on November 12, 2024, and Siemens has released a vendor fix.
- Vendor: Siemens
- Product: SINEC INS
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations operating Siemens SINEC INS industrial network management systems, DNS infrastructure administrators running DNSSEC validation, industrial control system operators with DNS-dependent architectures, and security teams responsible for availability of critical DNS services should prioritize assessment and remediation.
Technical summary
The KeyTrap vulnerability (CVE-2023-50387) exploits a fundamental design characteristic in DNSSEC protocol specifications. When a DNSSEC-validating resolver receives a response containing a zone with multiple DNSKEY and RRSIG records, the protocol mandates cryptographic validation of all possible combinations of these records. An attacker can craft malicious DNSSEC responses with artificially inflated numbers of DNSKEY and RRSIG records, triggering exponential computational overhead in the validation algorithm. This CPU exhaustion affects availability without requiring authentication or user interaction. The attack is network-based with low complexity, making it practical for widespread exploitation against vulnerable DNSSEC implementations.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor fix: Update Siemens SINEC INS to V1.0 SP2 Update 3 or a later version
- Monitor DNS traffic for anomalous DNSSEC response patterns with excessive DNSKEY and RRSIG records
- Implement network segmentation to limit exposure of DNSSEC-validating systems
- Review DNSSEC validation configurations for resource limits where supported
- Apply defense-in-depth practices for industrial control systems per CISA guidance
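One way to approach the monitoring action above, as an added example that is not part of the advisory or of any vendor tooling: it estimates how many signature checks a validator could be pushed into for one response by pairing each RRSIG with the DNSKEYs that share its algorithm and key tag. It assumes a DNS sensor has already extracted those fields; the tuple layout, the budget of 16 and the sample records are constructed assumptions.

```python
from collections import Counter

# Assumed per-RRset budget of signature checks; not a value from the advisory.
MAX_VALIDATIONS = 16


def validation_work(dnskeys, rrsigs):
    """Worst-case signature checks per covered RRset type.

    dnskeys: iterable of (algorithm, key_tag) from the zone's DNSKEY RRset.
    rrsigs:  iterable of (type_covered, algorithm, key_tag) from the response.
    An RRSIG can only be tried against keys with the same algorithm and
    key tag, so the cost of an RRset is the sum of candidate keys over
    all RRSIGs that cover it.
    """
    keys = Counter(dnskeys)
    work = Counter()
    for covered, alg, tag in rrsigs:
        work[covered] += keys[(alg, tag)]
    return dict(work)


def flag_response(dnskeys, rrsigs, budget=MAX_VALIDATIONS):
    """Return the covered types whose worst-case work exceeds the budget."""
    work = validation_work(dnskeys, rrsigs)
    return sorted(t for t, n in work.items() if n > budget)


# Constructed sample: an ordinary zone with one KSK and one ZSK.
NORMAL_KEYS = [(13, 20326), (13, 11019)]
NORMAL_SIGS = [("DNSKEY", 13, 20326), ("A", 13, 11019)]

# Constructed sample: many DNSKEYs and RRSIGs that all share one key tag.
INFLATED_KEYS = [(13, 4242)] * 20
INFLATED_SIGS = [("A", 13, 4242)] * 20

if __name__ == "__main__":
    for name, k, s in (("normal", NORMAL_KEYS, NORMAL_SIGS),
                       ("inflated", INFLATED_KEYS, INFLATED_SIGS)):
        print(name, validation_work(k, s), "flagged:", flag_response(k, s))
```

The budget should be tuned against the key and signature counts seen in legitimate zones on the monitored network before it is used for alerting.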
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-24-319-08, which references Siemens security advisory SSA-915275. The affected product is Siemens SINEC INS with confirmed vendor fix available. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact.
Official resources
- CVE-2023-50387 CVE record (CVE.org)
- CVE-2023-50387 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-11-12