NSEC3 Issue: Remote Denial of Service via DNSSEC Responses
CVE-2023-50868
Key Information:
- Vendor: DNS protocol
- CVE Published: 14 February 2024
Summary
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
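As an added illustration, not part of this CVE record or any vendor's code, the Python below reproduces the RFC 5155 NSEC3 hash and counts the SHA-1 work a validator spends on a closest encloser proof as the iteration count grows. The query name, zone and cap value are constructed for the example; the apex hash is checked against the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations). The `nsec3_policy` cap follows RFC 9276, which recommends an iteration count of 0 for signed zones and that validators treat larger counts as insecure rather than spend CPU on them.

```python
import base64
import hashlib
import time

# Added example, not part of the CVE record or any vendor's code.
# RFC 5155 section 5 defines the NSEC3 hash as
#   IH(salt, x, 0) = H(x || salt)
#   IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
# so every NSEC3 owner-name lookup costs (iterations + 1) SHA-1 invocations.

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> tuple[bytes, int]:
    """Return (digest, number_of_sha1_calls) for the RFC 5155 NSEC3 hash of `name`."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    calls = 1
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    return digest, calls


def nsec3_owner(name: str, salt: bytes, iterations: int) -> str:
    """Hashed owner label as it appears in the zone (base32hex, lowercase, no padding)."""
    digest, _ = nsec3_hash(name, salt, iterations)
    std = base64.b32encode(digest).decode("ascii")
    return std.translate(str.maketrans(_B32_STD, _B32_HEX)).rstrip("=").lower()


def closest_encloser_candidates(qname: str, zone: str) -> list[str]:
    """Names a validator may hash for a closest encloser proof: qname and each ancestor up to the apex."""
    q = [l for l in qname.lower().rstrip(".").split(".") if l]
    z = [l for l in zone.lower().rstrip(".").split(".") if l]
    if q[len(q) - len(z):] != z:
        raise ValueError("qname is not within zone")
    return [".".join(q[i:]) + "." for i in range(len(q) - len(z) + 1)]


def proof_cost(qname: str, zone: str, salt: bytes, iterations: int) -> int:
    """Total SHA-1 invocations spent hashing every candidate name for one proof."""
    return sum(nsec3_hash(c, salt, iterations)[1]
               for c in closest_encloser_candidates(qname, zone))


def nsec3_policy(iterations: int, cap: int = 0) -> str:
    """Resolver-side mitigation per RFC 9276: above the cap, answer insecure instead of validating.
    The cap value is a parameter; 0 is the RFC's recommendation, deployed caps vary."""
    return "validate" if iterations <= cap else "insecure"


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A example zone parameters
    print(nsec3_owner("example.", salt, 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # Constructed random-subdomain query name against a zone signed with many iterations.
    qname = "x7q1.k3zz.v9.example."
    for iters in (0, 150, 2500):
        start = time.perf_counter()
        cost = proof_cost(qname, "example.", salt, iters)
        elapsed_ms = (time.perf_counter() - start) * 1e3
        print(f"iterations={iters:5d} sha1_calls={cost:6d} "
              f"time={elapsed_ms:.2f}ms policy={nsec3_policy(iters)}")
```

Each nonexistent random subdomain forces the validator to hash the query name and its ancestors, so the per-query cost is roughly (labels below the apex) times (iterations + 1) SHA-1 calls; capping the accepted iteration count bounds that work regardless of what the zone publishes.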
News Articles
- Microsoft Late to the Game on Dangerous DNSSEC Zero-Day Flaw
  Why the company took so long to address the issue is not known, given that most other stakeholders had a fix out for the issue months ago.
- June 2024 Patch Tuesday - Spiceworks
  Only one of the 51 patches released by Microsoft on June Patch Tuesday is for a publicly known zero-day exploit.
- Microsoft Security Update: RCE, Privilege Escalation Flaws Patched
  The June 2024 Patch Tuesday update from Microsoft addressed almost 49 vulnerabilities in its products and 9 vulnerabilities in non-Microsoft
EPSS Score
56% chance of being exploited in the next 30 days.
Timeline
- Exploit known to exist
- First article discovered by CrowdStrike
- Vulnerability published
- Vulnerability Reserved