NSEC3 Issue: Remote Denial of Service via DNSSEC Responses
CVE-2023-50868
Key Information:
- Vendor: DNS protocol
- Status
- CVE Published: 14 February 2024
What is CVE-2023-50868?
A vulnerability in the DNS protocol allows remote attackers to consume significant CPU resources on a validating resolver by exploiting the Closest Encloser Proof aspect of DNSSEC responses. In a random subdomain attack, specially crafted NSEC3 responses force the resolver to perform an excessive number of SHA-1 computations, leading to a denial of service. The issue arises when the RFC 5155 specification is applied without the later guidance on limiting iterations, since RFC 5155 implies that a resolver must perform thousands of hash iterations in certain scenarios, which creates the potential for service disruption.
News Articles
Microsoft Late to the Game on Dangerous DNSSEC Zero-Day Flaw
Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.
June 2024 Patch Tuesday - Spiceworks
Only one of the 51 patches released by Microsoft on June Patch Tuesday is for a publicly known zero-day exploit.

Microsoft Security Update : RCE, Privilege Escalation Flaws Patched
The June 2024 Patch Tuesday update from Microsoft addressed almost 49 vulnerabilities in its products and 9 vulnerabilities in non-Microsoft
EPSS Score
41% chance of being exploited in the next 30 days.
Timeline
- Exploit known to exist
- First article discovered by CrowdStrike
- Vulnerability published
- Vulnerability Reserved