A third-party zero-day vulnerability [4], known as CVE-2023-50868 [4], has been discovered in the Domain Name System Security Extensions (DNSSEC) protocol [4], specifically impacting the Next Secure Hash 3 (NSEC3) mechanism [2].

Description

This vulnerability allows attackers to overwhelm DNS resolvers with excessive resources, leading to a denial-of-service (DoS) attack [3]. The flaw was publicly disclosed on 2024-02-13 by researchers from the German National Research Centre for Applied Cybersecurity [3]. Microsoft has released a patch for all current versions of Windows Server to address this issue [3], which is rated as Important on Microsoft’s severity ranking scale and is not part of Microsoft Patch Tuesday statistics. The prioritization of another DNSSEC flaw (CVE-2023-50387) by the same researchers may have delayed the patching of CVE-2023-50868. Various vendors and projects [2], including Unbound [2], BIND [2] [5], dnsmasq [2], PowerDNS [2] [5], and multiple Linux distributions, had already issued patches for this vulnerability before Microsoft [2]. This vulnerability was considered a zero-day threat until the recent patch was announced. Cross-industry collaboration is crucial in addressing protocol-level vulnerabilities like these [2], as demonstrated with previous vulnerabilities such as Heartbleed in OpenSSL [2]. Efforts have been made to enhance responsiveness and coordination in patching vulnerabilities, but the speed and efficiency of patching still vary significantly [2]. For more information [1], refer to the previous advisory named KeyTrap on the website [1].

Conclusion

The CVE-2023-50868 vulnerability in DNSSEC poses a significant risk to DNS resolvers, potentially leading to DoS attacks. Timely patching and collaboration among vendors and projects are essential in mitigating such threats. The incident highlights the ongoing need for improved coordination and responsiveness in addressing protocol-level vulnerabilities to ensure the security and stability of the internet infrastructure.

References

[1] https://www.cert.be/en/advisory/warning-microsoft-patch-tuesday-june-2024-patches-49-vulnerabilities-1-critical-48
[2] https://www.darkreading.com/vulnerabilities-threats/microsoft-late-dangerous-dnssec-zero-day-flaw
[3] https://itwire.com/business-it-news/security/microsoft-offers-fixes-for-49-cves-in-patch-tuesday-release.html
[4] https://www.computerweekly.com/news/366588458/RCE-flaw-and-DNS-zero-day-top-list-of-Patch-Tuesday-bugs
[5] https://www.infosecurity-magazine.com/news/microsoft-patches-critica-zeroday/