NSEC3 Issue: Remote Denial of Service via DNSSEC Responses
CVE-2023-50868

Currently unrated

Key Information:

Vendor: DNS protocol
Vendor: CVE Published:; 14 February 2024

Badges

👾 Exploit Exists🟣 EPSS 56%📰 News Worthy

Summary

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

News Articles

CVE-2023-50868 CVE-2023-50387

Microsoft Late to the Game on Dangerous DNSSEC Zero-Day Flaw

Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.

thmubnail image

CVE-2023-50868 CVE-2024-30080

June 2024 Patch Tuesday - Spiceworks

Only one of the 51 patches released by Microsoft on June Patch Tuesday for a publicly known zero-day exploit.

thmubnail image

CybersecurityNews

Microsoft Security Update : RCE, Privilege Escalation Flaws Patched

The June 2024 Patch Tuesday update from Microsoft addressed almost 49 vulnerabilities in its products and 9 vulnerabilities in non-Microsoft

thmubnail image

References

https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-rele...

https://docs.powerdns.com/recursor/security-advisories/po...

https://www.isc.org/blogs/2024-bind-security-release/

EPSS Score

56% chance of being exploited in the next 30 days.

Timeline

👾
Exploit known to exist
Jun 12, 2024
📰
First article discovered by CrowdStrike
Jun 12, 2024
Vulnerability published
Feb 14, 2024
Vulnerability Reserved
Dec 14, 2023

.