NSEC3 Issue: Remote Denial of Service via DNSSEC Responses
CVE-2023-50868

Currently unrated

Key Information:

Vendor
DNS protocol
Vendor
CVE Published:
14 February 2024

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸฃ EPSS 56%๐Ÿ“ฐ News Worthy

Summary

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

News Articles

Microsoft Late to the Game on Dangerous DNSSEC Zero-Day Flaw

Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.

June 2024 Patch Tuesday - Spiceworks

Only one of the 51 patches released by Microsoft on June Patch Tuesday for a publicly known zero-day exploit.

Microsoft Security Update : RCE, Privilege Escalation Flaws Patched

The June 2024 Patch Tuesday update from Microsoft addressed almost 49 vulnerabilities in its products and 9 vulnerabilities in non-Microsoft

References

EPSS Score

56% chance of being exploited in the next 30 days.

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by CrowdStrike

  • Vulnerability published

  • Vulnerability Reserved

.